Skip to main content

Signer guide

The KeyLocker Signer is an account user responsible for signing with the key stored DigiCert​​®​​ KeyLocker.

Note

If you are a KeyLocker Lead or Signer, follow this guide to get ready to sign while your private key remains securely stored in DigiCert​​®​​ KeyLocker.

There are two methods you can use to set up the tools to sign:

  • DigiCert​​®​​ KeyLocker wizard (recommended)

  • Follow the procedures outlined in this article

DigiCert​​®​​ KeyLocker wizard

Using the DigiCert​​®​​ KeyLocker wizard is recommended because it provides a wizard supported experience that validates whether you have successfully completed a step.

To access the DigiCert​​®​​ KeyLocker wizard:

  1. Sign in to DigiCert ONE.

  2. Navigate to the Manager menu (top-right) > KeyLocker.

  3. Select Get started.

  4. Follow the instructions to get ready to sign.

Get ready to sign

If you are unable to use the DigiCert​​®​​ KeyLocker wizard, manually complete the steps below to get ready to sign.

Download DigiCert​​®​​ KeyLocker tools

Before downloading your tools, review the DigiCert​​®​​ KeyLocker tools required for signing based on your operating.

Tip

We have packaged all the tools you may require for your operating system to ensure that you have everything you need in one download. For more information, review Compatible operating system versions for client tools.

Download tools

To download DigiCert​​®​​ KeyLocker client tools:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu icon (top-right) > KeyLocker.

  3. Navigate to: Resources > Client tool repository.

  4. Select your operating system.

  5. Select the download icon next to the client you want to download.

Create your credentials

During code signing, an API key and client authentication certificate is used to authenticate the user to DigiCert​​®​​ KeyLocker, not the DigiCert ONE username and password. The API key and client authentication certificate provides two-factor authentication (2FA).

Service users are generally used for automated signing and therefore do not have credentials to access to DigiCert ONE. However service users can still sign and access keys and certificates in DigiCert​​®​​ KeyLocker when authenticated by an API token and client authentication certificate.

Note

The permissions for the API key and client authentication certificate are based upon your user role assigned for DigiCert​​®​​ KeyLocker.

API key

An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.

Follow the procedure below based on your user classification:

Client authentication certificate

A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API.

Follow the procedure below based on your user classification:

Secure your credentials

Your DigiCert ONE host environment, API key, client authentication certificate and password make up your environment variables and are required to access DigiCert​​®​​ KeyLocker client tools. You may want to use one of the methods below to securely store your credentials based on your operating system.

Install third-party signing tools

DigiCert​​®​​ KeyLocker offers simplified signing with third-party signing tools. Refer to Files supported for signing for list of compatible tools and what they can be used to sign.

Configuration instructions:

Verify that you are ready to sign

To confirm that your credentials and signing tools were configured correctly:

  1. Open SMCTL.

  2. Run the command:

    smctl healthcheck

    Output sample:

    --------- User credentials ------
Status: Connected

Username: john.doe
Accounts: Example, Inc.
Authentication: 2FA
Environment: Prod
Credentials:
        Host: https://clientauth.one.digicert.com
        API key: 01587358d5ae74e214f7dd332b_09exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe6 (Pulled from environment variable)
        Client certificate file path: C:\Users\John.Doe\Documents\KL\john-client-cert.p12
        Client certificate password: feoTxxxxxxf8 (Pulled from environment variable)
API keys:
        Name: john-API (expires on Fri, 31 Jul 2026 23:59:59 UTC)
Client certificates:
        Name: john-client-cert (expires on Fri, 31 Jul 2026 23:59:59 UTC)
Privileges:
        Can sign: Yes
        Can approve release window: No
        Can revoke certificate: Yes

Permissions:
Account Manager:
        VIEW_AM_ROLE
        VIEW_AM_ACCOUNT
        VIEW_AM_USER

Keypairs:
        MANAGE_SM_KEYPAIR
        VIEW_SM_KEYPAIR
        SIGN_SM_HASH

Certificates:
        VIEW_SM_CERTIFICATE
        REVOKE_SM_CERTIFICATE

Other permissions:
        VIEW_SM_LICENSE
        MANAGE_SM_CC_API_KEY

--------- Signing tools ---------
Mage:
        Mapped: Yes
        Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\mage.exe
Nuget:
        Mapped: Yes
        Path: C:\Program Files (x86)\NuGet
uget.exe
Jarsigner:
        Mapped: Yes
        Path: C:\Program Files\Java\jdk-17\bin\jarsigner.exe
Apksigner:
        Mapped: No
Signtool 32 bit:
        Mapped: Yes
        Path: C:\Program Files (x86)\Windows Kits\signtool_32.exe
Signtool:
        Mapped: Yes
        Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe

Note

If the healthcheck fails, troubleshoot the following.

Ensure that:

  • You provided the correct host in the environment variable.

  • You provided the correct API token in the environment variable.

  • You provided the correct client authentication certificate in the environment variable.

  • You provided the correct password for your client authentication certificate.

  • You have a stable internet connection.

  • If the organization's proxy is enabled, you need to add these settings to the environment variables.

View your certificates

The Certificates tab is useful to identify your certificate fingerprint, keypair alias, or keypair ID used in signing commands.

Note

Don't see any certificates?

As a KeyLocker Signer, you can only view certificates that you can sign with. Reach out to your account Lead, and request to be added as the designated signer for a KeyLocker certificate.

 

To view certificate information:

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu icon (top-right) > KeyLocker.

  3. Select Certificates.

  4. Select the certificate alias to view more information.

CI/CD integration (optional)

Integrate DigiCert​​®​​ KeyLocker into continuous integration and continuous deployment (CI/CD) pipelines. CI/CD integrations automate and streamline the software development and deployment process. DigiCert​​®​​ KeyLocker offers CI/CD plugins and script integrations which are both methods used to incorporate CI/CD functionality into your software development workflow. While plugins are easier to use, script integrations offer more flexibility.

To automate signing as part of your CI/CD workflows, refer to CI/CD integrations.

Sign

Follow the instructions in the following articles to sign while your private key remains in DigiCert​​®​​ KeyLocker:

In this section: