Skip to main content

Credential setup for Windows

To effectively use DigiCert​​®​​ KeyLocker client tools on your Windows system, it's crucial to configure your environment variables correctly. Below are the prerequisites and recommended methods for credential setup.


Before you begin, ensure you have the following:

Credential setup methods for Windows

There are four methods for storing your credentials. For enhanced security, you may want to follow these best practices when configuring your environment variables for SMCTL:

  • Windows Credential Manager (recommended)

    The most secure option is to store your API key and client authentication certificate password in Windows Credential Manager. It provides an added layer of protection against unauthorized access.

  • Properties file

    Alternatively, you can securely store your API key and client authentication certificate password in a properties file. This approach is also highly secure and recommended for safeguarding sensitive credentials.

  • Session-based environment variables

    For improved security, consider setting the host and client authentication certificate file path as session-based variables, which means they are temporary and will only be available during your current session. This approach minimizes the risk of unauthorized access and ensures that these critical variables are available only for the duration of your session.

  • Persistent environment variables

    Alternatively, you can set the host and client authentication certificate file path as persistent variables.


    Storing sensitive credentials as persistent environment variables comes with a significant security risk. If you choose to store the API key and client authentication certificate password as persistent variables, anyone with access to your system can potentially perform actions using DigiCert​​®​​ KeyLocker client tools. We strongly advise against this practice to protect your data and system integrity.

Credential sources prioritization

When using DigiCert​​®​​ KeyLocker client tools, it is important to understand the order in which the tools prioritize different sources for credentials:

  1. Session-based

    The client tools will first check if session-based have been provided in the session.

  2. Persistent environment variables

    If session-based environment variables were not provided, the client tools checks if persistent environment variables have been set.

  3. Properties file

    If the API key and client authentication password are not found in environment variables, the client tools will then look for them in the properties file if it has been set up.

  4. Windows Credential Manager

    In case the credentials are not found in the previous two sources, the client tools will check if credentials can be found in Windows Credential Manager.

In the event that credentials are available in multiple locations, the client tools will follow this priority order: session environment variables, persistent environment variables, properties file, and then Windows Credential Manager.


Location of log files: C:\Users\<Username>\.signingmanager\logs

Reviewing these log files will provide insights into which credential source was used for each execution, helping you track and ensure the correct credentials are being utilized for your operations.