Client tools
Note
The DigiCert ONE Clients app provides a centralized location to manage all of your DigiCert ONE client tools. It automates installation, configuration, and updates to reduce manual effort, minimize errors, and ensure seamless operations.
With built-in integrations for key management and policy enforcement, it's designed to support secure operations with DigiCert® Software Trust Manager.
Use the app to:
Access your client tools
Configure settings and manage updates
Troubleshoot installation or connectivity issues
To learn more, see DigiCert ONE Clients.
The recommended way to sign is using SMCTL, which is DigiCert® KeyLocker's command line interface (CLI) and supports multiple ways to sign software using keys stored in KeyLocker. Alternatively, you can continue using your existing third-party signing tools while your private key remains securely stored in KeyLocker.
Most users should start with simple signing. It requires fewer dependencies, is easier to configure, and is the recommended approach for most signing workflows.
To get started, choose a signing approach and identify the tools required for your workflow.
Step 1: Choose a signing approach
Your signing approach determines which signing tool you need. Use the following guidance to select the correct signing tool:
Simple signing uses SMCTL to sign files directly within DigiCert® KeyLocker without integrating external signing tools.
Pros and considerations
Pros
Fastest and simplest way to get started with signing
No third-party tools required
Consistent signing experience across supported file types
Supports signing multiple files in a single operation
Can optionally ignore files that are already signed
Considerations
Supports fewer file types; see Files supported for simple signing
Does not capture signing metadata such as timestamps, tools, or checksums
Client tools required
For simple signing, download SMCTL.
Traditional signing integrates SMCTL with third-party signing tools that are specific to your platform and the file types you want to sign.
Pros and considerations
Pros
Supports a wider range of file types; see Files supported for traditional signing
Consistent signing experience across supported file types
Captures full signing metadata
Considerations
Requires configuration with third-party signing tools (for example, signtool, jarsigner, or osslsigncode)
Requires SMCTL and a cryptographic library
Client tools required
For traditional signing, install the following:
Third-party signing tools based on the file types you want to sign
A cryptographic library to integrate the signing tool with KeyLocker.
DigiCert® Click-to-sign is a desktop application that integrates with SMCTL and third-party signing tools and provides a graphical interface for signing files.
It uses:
The default keypair and certificate configured in Click-to-sign
The signing algorithm you specify in the app
You select the file to sign, and Click-to-sign performs the signing operation without requiring command-line input.
Pros and considerations
Pros
Does not require command-line interaction
Accessible to less technical users
Simplifies manual signing by using predefined defaults for keys and algorithms
Well suited for interactive, occasional signing tasks
Considerations
Only compatible with Windows 10
Best suited for interactive, manual signing workflows
Requires additional client tools: SMCTL, Click-to-sign, and a KSP, CSP, or PKCS11 cryptographic library.
Client tools required
For Click-to-sign, install the following:
Third-party signing tools based on the file types you want to sign
A cryptographic library to integrate the signing tool with KeyLocker.
With this approach, you sign files directly with supported third-party signing tools while your private key remains securely stored in KeyLocker.
You authenticate the third-party tool to KeyLocker using the appropriate cryptographic library.
Pros and considerations
Pros
Allows continued use of existing, third-party signing tools
Minimal disruption to established signing workflows
Full control over tool-specific options and signing behavior
Considerations
Different signing tools are required for different file types
Each signing tool uses its own commands, syntax, and configuration
Bulk signing and workflow consistency depend on the capabilities of each tool
Each signing tool requires configuring and maintaining the appropriate cryptographic libraries (such as KSP, CSP, or PKCS#11)
Required client tools
For signing directly with third-party signing tools, install the following:
Third-party signing tools based on the file types you want to sign
A cryptographic library to integrate the signing tool with KeyLocker.
Step 2: Choose a cryptographic library
If the signing approach you selected in Step 1 requires a cryptographic library, the library you install depends on the third-party signing tool you want to integrate with.
Use the following guidance to select the correct library.
Use CSP for legacy Windows environments that cannot be updated to KSP.
Common tools include:
Use KSP when signing on Windows with Microsoft-based tools.
Common tools include:
Use PKCS11 for cross-platform signing or when working in Linux-based environments. Best for containers, Linux systems, and cross-platform signing workflows.
Common tools include:
Jarsigner (for Java)
OpenSSL
Jsign
Osslsigncode
Use JCE when signing Java applications. Best for Java-based artifacts such as JAR, WAR, and EAR files.
Common tools include:
Jarsigner (for signing)
Keytool (for key management)
Use CTK for macOS native signing tools. Best for signing macOS applications and installer packages with native Apple tooling.
Common tools include:
Codesign
Productsign
Use GPG smart card daemon (SCD) for Linux package-signing workflows that rely on GPG integration. Best for Linux package signing where the signing workflow uses GPG-based tooling.
Common tools include:
GPG
Debian package (DEB)
Git commit
Red Hat Package Manager (RPM)
Red Hat container image