Skip to main content

Customize tool settings

This documentation describes the environment variables used to configureDigiCert​​®​​ KeyLocker client tools. These variables control how tools authenticate, connect to services, handle Transport Layer Security (TLS), and manage logging. Use them to tailor behavior across supported integrations.

Each section below groups variables by function so you can quickly find and configure what you need.

Environment variables for all client tools

These variables apply across all supported client tools and define the core configuration required for authentication and connectivity.

Required variables

You can set these variables for any client tool to authenticate and communicate with KeyLocker.

Variable

Description

Example

SM_HOST

Provide the base URL of the Software Trust Manager API. See clientauth URLs.

https://clientauth.one.digicert.com

SM_API_KEY

Provide your API key for authentication. See create API key.

a1b2c3d4e5f6...

SM_CLIENT_CERT_FILE

Provide the path of your client authentication certificate for two-factor authentication. See create client authentication certificate.

/etc/digicert/client.p12

SM_CLIENT_CERT_PASSWORD

Provide the password for your client authentication certificate for two-factor authentication.

myP@ssw0rd

Optional: TLS / networking variables

These variables allow you to customize the following, based on your environment and security requirements:

  • TLS behavior

  • Certificate validation

  • Network timeouts

Variable

Description

Default

SM_CA_FILE

Path of a custom PEM CA bundle

Path of a certificate in PEM or DER format.

SM_TLS_SKIP_VERIFY

Disable TLS certificate verification

true

false (default)

SM_USE_SYSTEM_CERT_POOL

Include OS certificate pool in trust chain

true

false (default)

SM_CONN_TIMEOUT

HTTP connection timeout in milliseconds

Any positive integer (30000).

Optional: Logging variables

These variables control how logs are generated, where they’re stored, and the level of detail included for troubleshooting and monitoring.

Variable

Description

Default

SM_HOME

Base directory for config and logs

~/.signingmanager

SM_LOG_LEVEL

Log verbosity

  • info (default)

  • debug

  • trace

  • warn

  • error

SM_LOG_DIR

Directory for log files

$SM_HOME/logs

<user_home>/.signingmanager/logs

SM_LOG_FILE_NAME

Log file name

PKCS11: smpkcs11.log

KSP: smksp.log

SMCTL: smctl.log

KSP cert sync: smksp_cert_sync.log

CSP: smcsp.log

SM_LOG_OUTPUT

Log destination

  • file (default)

  • stdout/console

  • stderr

  • discard/none/null

SM_PROVIDER_LOG_LEVEL

Provider-specific log level (overrides SM_LOG_LEVEL)

ERROR (default)

FATAL

WARN

INFO

DEBUG

TRACE

SM_PROVIDER_LOG_DIR

Provider-specific log directory (overrides SM_LOG_DIR)

SM_PROVIDER_LOG_OUTPUT

Provider-specific log output (overrides SM_LOG_OUTPUT)

Optional: Authentication variables

These variables provide more authentication options, including enabling dynamic authentication flows in supported environments.

Variable

Description

Default

SM_DYNAMIC_AUTH

Enables dynamic authentication in the DigiCert ONE Clients app.

true

false (default)

Environment variables for PKCS11

These variables apply specifically to the KeyLocker PKCS11 library to configure local storage and offline behavior for key operations.

Variable

Description

Values

SM_PKCS11_DB_DSN

Provide the path for the SQLite3 DB file on the system.

Any valid absolute path with write permission.

SM_PKCS11_OFFLINE_MOD

Controls the functionality of PKCS11 by fetching the keypairs once, if the SQLite3 DB file is created. It then serves all the keypairs from the local SQLite3 DB file and calls the cloud for signing.

true

false (default)

In this section: