
Coming soon: OpenSSL provider

The DigiCert OpenSSL provider is a drop-in OpenSSL 3.x provider that lets any OpenSSL-enabled application sign artifacts with signing keys stored in DigiCert® Software Trust Manager (STM). It plugs into OpenSSL's provider architecture as a shared library, so existing OpenSSL commands and toolchains work unchanged; you only add -provider digicert_stm to your command line.

Overview

The provider implements the OpenSSL provider interface (OSSL_PROVIDER_init), registering itself as a cryptographic backend for:

OpenSSL Operation   Description
STORE               Load keys from STM using stm:// URIs
KEYMGMT             Manage key lifecycles and export public-key parameters
SIGNATURE           Digital sign and verify operations
ASYM_CIPHER         RSA encrypt/decrypt operations
ENCODER             Export public keys in DER / PEM / TEXT formats

Tip

Private keys never leave Software Trust Manager. The provider holds only a reference (keypair UUID) locally; all signing operations are performed via authenticated API calls to the STM service.

How does it work?

Your tool (openssl dgst, Gradle, Maven, Sigstore, ...)
        |
        | loads provider via OPENSSL_MODULES
        v
  digicert_stm.dll|.so|.dylib
        |
        | stm:// URI  →  REST API call (mTLS authenticated)
        v
  DigiCert STM cloud HSM
        |
        | returns raw signature bytes
        v
  OpenSSL assembles final output

Prerequisites

OpenSSL 3.x
  Version 3.1 or later. ML-DSA (post-quantum) keys require OpenSSL 3.5.0 or later. Verify with openssl version.

Operating system
  • Windows (x64, x86, ARM64)
  • Linux (x64, x86, ARM64)
  • macOS (x64, ARM64/Apple Silicon)

Software Trust Manager account
  An active account with at least one keypair. See Create keypair.

API key
  A unique identifier that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. See Create API key.

Client authentication certificate
  An X.509 digital certificate that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. See Create client authentication certificate.

Tip

If your environment uses a corporate TLS inspection proxy, set SM_CA_FILE to a PEM bundle that includes your proxy's CA certificate, or set SM_TLS_SKIP_VERIFY=true (not recommended for production).

Step 1: Download OpenSSL provider

  1. In the Software Trust menu, go to Resources > Client tool repository.

  2. Select the Client tools tab.

  3. Select the download icon next to OpenSSL provider.

    Tip

    File name differs based on your platform:

    Platform            File name
    Windows 64-bit      digicert_stm.dll
    Windows 32-bit      digicert_stm_x86.dll
    Linux 64-bit        libdigicert_stm.so
    Linux 32-bit        libdigicert_stm_x86.so
    macOS (Universal)   libdigicert_stm.dylib

Step 2: Place the OpenSSL provider library

OpenSSL discovers providers from the directory pointed to by the OPENSSL_MODULES environment variable, or from the compiled-in MODULESDIR path.

The recommended layout is:

Step 3: Verify the provider loads

Run the verify command:

openssl list -providers -provider digicert_stm

Expected output (version may vary):

Providers:
  digicert_stm
    name: DigiCert STM OpenSSL Provider
    version: 1.x.x
    status: active

Step 4: Environment variables

The provider reads all configuration from environment variables. No configuration file is required.

Set environment variables

To set environment variables, run:

Learn more about environment variables

SM_HOST
  Base URL of the Software Trust Manager API. See Clientauth URLs.
  Example: https://clientauth.one.digicert.com

SM_API_KEY
  API key for authentication. See Create API key.
  Example: a1b2c3d4e5f6...

SM_CLIENT_CERT_FILE
  Path to client authentication certificate for two-factor authentication. See Create client authentication certificate.
  Example: /etc/digicert/client.p12

SM_CLIENT_CERT_PASSWORD
  Password for client authentication certificate for two-factor authentication.
  Example: myP@ssw0rd

SM_CA_FILE
  Path to a custom PEM CA bundle
  Default: System trust store

SM_TLS_SKIP_VERIFY
  Disable TLS certificate verification (true/false)
  Default: false

SM_USE_SYSTEM_CERT_POOL
  Include OS certificate pool in trust chain
  Default: false

SM_CONN_TIMEOUT
  HTTP connection timeout in milliseconds
  Default: 30000

SM_HOME
  Base directory for config and logs
  Default: ~/.signingmanager

SM_LOG_LEVEL
  Log verbosity: info, debug, trace, warn, error
  Default: info

SM_LOG_DIR
  Directory for log files
  Default: $SM_HOME/logs

SM_LOG_FILE_NAME
  Log file name
  Default: digicert_stm_ossl_provider.log

SM_LOG_OUTPUT
  Log destination: file, stdout, stderr, discard
  Default: file

SM_PROVIDER_LOG_LEVEL
  Provider-specific log level (overrides SM_LOG_LEVEL)

SM_PROVIDER_LOG_DIR
  Provider-specific log directory (overrides SM_LOG_DIR)

SM_PROVIDER_LOG_OUTPUT
  Provider-specific log output (overrides SM_LOG_OUTPUT)

SM_DYNAMIC_AUTH
  Enables dynamic authentication in the DigiCert ONE Clients app.
  Default: false
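Steps 2 through 4 wired together as one shell script, with a configuration check to run before the first signing job. This is an added example, not DigiCert's own tooling; it assumes the provider library was placed in $HOME/openssl-modules (the page's recommended layout is not shown here), and the SM_* values are constructed placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not DigiCert's own tooling: wire up Steps 2 to 4 and check
# the configuration before any signing run. Assumptions (replace for real use):
# the provider library sits in $HOME/openssl-modules, and the SM_* values
# below are constructed placeholders.
set -eu

# Step 2: OpenSSL looks for provider libraries in OPENSSL_MODULES.
export OPENSSL_MODULES="${OPENSSL_MODULES:-$HOME/openssl-modules}"

# Step 4: connection and two-factor authentication settings.
export SM_HOST="https://clientauth.one.digicert.com"
export SM_API_KEY="<your-api-key>"
export SM_CLIENT_CERT_FILE="/etc/digicert/client.p12"
export SM_CLIENT_CERT_PASSWORD="<your-cert-password>"
export SM_LOG_LEVEL="info"

# Returns 0 when every required variable is set and plausible; reports each
# problem on stderr so a CI job fails before the first API call, not during it.
stm_check_env() {
  rc=0
  for v in SM_HOST SM_API_KEY SM_CLIENT_CERT_FILE SM_CLIENT_CERT_PASSWORD; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then echo "missing: $v" >&2; rc=1; fi
  done
  case "${SM_HOST:-}" in
    https://*) ;;
    *) echo "SM_HOST must be an https:// URL, got: ${SM_HOST:-}" >&2; rc=1 ;;
  esac
  if [ ! -r "${SM_CLIENT_CERT_FILE:-}" ]; then
    echo "client certificate not readable: ${SM_CLIENT_CERT_FILE:-}" >&2; rc=1
  fi
  # Disabling verification lets anyone on the path impersonate the STM
  # endpoint; point SM_CA_FILE at the proxy CA bundle instead.
  if [ "${SM_TLS_SKIP_VERIFY:-false}" = "true" ]; then
    echo "warning: SM_TLS_SKIP_VERIFY=true is not for production" >&2
  fi
  return "$rc"
}

# Step 3: ask OpenSSL to load the provider; non-zero if it is not listed.
stm_verify_provider() {
  openssl list -providers -provider digicert_stm | grep -q digicert_stm
}
```

Source the file, then run stm_check_env && stm_verify_provider; both must succeed before a signing command is worth attempting.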

Step 5: Key URI reference

The provider identifies signing keys using stm:// URIs. You can reference a key by its UUID or by its human-readable alias.

URI format            When to use                      Example
stm://<UUID>          Reference by keypair UUID        stm://3f46a2c1-8b9d-4e72-a3f1-0123456789ab
stm://<alias>         Reference by keypair alias       stm://my-rsa-4096-key
stm://?id=<UUID>      Explicit UUID via query param    stm://?id=3f46a2c1-8b9d-4e72-a3f1-0123456789ab
stm://?alias=<alias>  Explicit alias via query param   stm://?alias=my-rsa-4096-key

Tip

If the value after stm:// is a valid UUID (RFC 4122), it is treated as a keypair ID; otherwise it is treated as an alias.

Find your keypair alias

You can locate the keypair alias in DigiCert® Software Trust Manager or with Signing Manager Controller (SMCTL).
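The URI rules in Step 5 reduced to a small shell helper, as an added example that is not part of the provider: it resolves a stm:// reference to either a keypair ID or an alias exactly as the table and tip above describe, and rejects anything the provider would not accept. The UUID check is the 8-4-4-4-12 hex form of RFC 4122; the function names are my own.

```shell
#!/bin/sh
# Added example (not DigiCert's code): classify a stm:// key URI so a build
# script can log which key it is about to use before calling openssl.
# Prints "id <uuid>" or "alias <name>"; returns 1 for an unusable URI.
set -eu

# RFC 4122 textual form: 8-4-4-4-12 hex digits, case-insensitive.
# The provider treats any such bare value as a keypair UUID, not an alias.
stm_is_uuid() {
  printf '%s\n' "$1" | grep -Eiq \
    '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

stm_key_ref() {
  uri=$1
  kind=auto
  # Quoted prefixes keep '?' literal; unquoted it would be a wildcard.
  case "$uri" in
    "stm://?id="*)    kind=id;    ref=${uri#"stm://?id="} ;;
    "stm://?alias="*) kind=alias; ref=${uri#"stm://?alias="} ;;
    "stm://?"*)       echo "unknown query parameter in: $uri" >&2; return 1 ;;
    stm://*)          ref=${uri#stm://} ;;
    *)                echo "not a stm:// URI: $uri" >&2; return 1 ;;
  esac
  if [ -z "$ref" ]; then echo "empty key reference in: $uri" >&2; return 1; fi
  # Bare form: a valid UUID is a keypair ID, anything else is an alias.
  if [ "$kind" = auto ]; then
    if stm_is_uuid "$ref"; then kind=id; else kind=alias; fi
  fi
  printf '%s %s\n' "$kind" "$ref"
}
```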

Supported algorithms

Key types

Algorithm   Key sizes / curves                                 Notes
RSA         2048, 3072, 4096 bit                               PKCS#1 v1.5 and RSA-PSS padding
ECDSA       P-256, P-384, P-521                                ANSI X9.62 DER-encoded signatures
Ed25519     256-bit                                            Built-in hashing; no separate digest
ML-DSA      44, 65, 87 (ML-DSA-44/65/87 parameter sets)        Post-quantum; requires OpenSSL 3.5.0+

Digest algorithms

Digest                                      Notes
SHA-1                                       Legacy; avoid for new code
SHA-224
SHA-256                                     Recommended for RSA-2048, ECDSA P-256
SHA-384                                     Recommended for ECDSA P-384, RSA-3072
SHA-512                                     Recommended for RSA-4096, ECDSA P-521
SHA3-224 / SHA3-256 / SHA3-384 / SHA3-512   SHA-3 family

Tip

  • Ed25519 uses its own internal hashing. Do not specify a separate -md option.

  • ML-DSA is a "pure" signature scheme and does not take a separate digest.

Also see

Sign with OpenSSL using Software Trust OpenSSL provider