
Lead guide

The KeyLocker Lead is the account administrator responsible for managing assets and users, and is also able to sign with the key stored in DigiCert® KeyLocker.

Invite users

The CertCentral user that approves the KeyLocker certificate request automatically becomes the KeyLocker lead and is assigned additional DigiCert® Account Manager permissions to invite new users.

There are three main points to consider before inviting signers to your DigiCert® KeyLocker account:

User types

There are two types of DigiCert ONE users:

  • User

    A DigiCert ONE user refers to a person that can sign in to DigiCert® KeyLocker. For more information, refer to User.

  • Service user

    A DigiCert ONE service user is generally used for automation of workflows on a machine such as a build server. For more information, refer to Service user.

KeyLocker roles

There are two types of DigiCert® KeyLocker user roles:

  • KeyLocker lead

    This user can sign but also has additional permissions that allow them to perform administrative actions such as managing the CertCentral integration, revoking certificates, and changing the keypair alias. For more information, refer to KeyLocker lead.

  • KeyLocker signer

    This user is primarily a signer: they can view keypair and certificate details but cannot make any changes. For more information, refer to KeyLocker signer.

Account Manager roles (optional)

Note

An Account Manager role is only required if the user needs to view or perform actions related to the account, for example invite new signers.

There are five Account Manager user roles:

  • Account admin

    This role is used for the primary point of contact for managing account setup and user access.

  • User manager

    This role is used for managing user access and permissions.

  • Account user

    This role is for basic users who need to view account, organization, and user information but primarily work in DigiCert® KeyLocker.

  • Default user

    This role is for basic users who need to view account and user information but primarily work in DigiCert® KeyLocker.

  • View only

    This role is used for auditing and executive read-only access to account and user data.

Create a user and assign roles

Based on the user types and user roles you have reviewed above, follow one of the procedures below to invite a signer to DigiCert® KeyLocker:

View your certificates

Use the Certificates section to download your CertCentral code signing certificate and to identify the certificate fingerprint, keypair alias, or keypair ID that you reference in signing commands.

To view certificate information:

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu icon (top-right) > KeyLocker.

  3. Select Certificates.

  4. Select the certificate alias to view more information.

Designate a signer for the certificate

Code signing is only permitted for the user listed as the signer for the certificate. Only one signer can be designated per KeyLocker certificate. You can update the assigned user at any time during the certificate lifecycle.

To add a designated signer for your KeyLocker certificate:

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu (top right) > KeyLocker.

  3. Select Certificates.

  4. Select the Order ID to view more information.

  5. Under Manage signer, select Add signer.

  6. Select a KeyLocker user in your account from the drop-down list.

  7. Select Add signer.

Next steps

If you are also responsible for signing, follow the instructions in the Signer's guide to get ready to sign with your private key stored in DigiCert® KeyLocker.