Coming soon: Sign with OpenSSL using Software Trust OpenSSL provider (recommended)
Sign artifacts using signing keys stored in DigiCert® Software Trust Manager. This signing method uses the Software Trust Manager OpenSSL provider which plugs into OpenSSL's provider architecture via a shared library, meaning that existing OpenSSL commands and toolchains work unchanged; you simply add -provider digicert_stm to your command line.
Tip
All signing commands follow the same pattern: add -provider digicert_stm (and -provider default to keep standard algorithms available) then reference your key with a stm:// URI.
Before you begin
OpenSSL 3.x or higher (the provider uses the OpenSSL 3 provider API and does not load under OpenSSL 1.x).
The Software Trust Manager OpenSSL provider library (digicert_stm.so on Linux and macOS, digicert_stm.dll on Windows) installed in the directory named by OPENSSL_MODULES.
Sign commands
Select a signing tool:
openssl dgst commands
File hashing and signing
openssl dgst is the most common command for producing detached signatures and verifying them.
openssl dgst -sha256 \
  -provider digicert_stm -provider default \
  -sign "stm://3f46a2c1-8b9d-4e72-a3f1-0123456789ab" \
  -out signature.bin \
  artifact.tar.gz
openssl pkeyutl
Raw key operations
openssl pkeyutl provides low-level sign/verify/encrypt/decrypt operations.
Sign a pre-computed digest:
# Compute the digest first
openssl dgst -sha256 -binary artifact.tar.gz > digest.bin

# Sign the digest; digest:sha256 tells pkeyutl which DigestInfo to wrap around it
openssl pkeyutl \
  -provider digicert_stm -provider default \
  -inkey stm://my-rsa-4096-key \
  -sign -in digest.bin \
  -out signature.bin \
  -pkeyopt digest:sha256

Do not add -keyform ENGINE here: that option belongs to the legacy engine API, and a provider-backed stm:// key is loaded through the OpenSSL store interface instead.
RSA encryption / decryption:
# Extract the public key (no private-key operation is involved)
openssl storeutl -provider digicert_stm -provider default \
  -keys -out pubkey.pem stm://my-rsa-4096-key

# Encrypt with the public key (no STM needed)
openssl pkeyutl -encrypt \
  -inkey pubkey.pem -pubin \
  -in plaintext.bin -out ciphertext.bin

# Decrypt with the STM private key
openssl pkeyutl -decrypt \
  -provider digicert_stm -provider default \
  -inkey stm://my-rsa-4096-key \
  -in ciphertext.bin -out decrypted.bin
openssl cms and openssl smime
S/MIME and CMS signing
Used for email signing, document signing, and packaging artifacts with embedded certificates.
CMS sign (detached):
openssl cms -sign \
  -provider digicert_stm -provider default \
  -inkey stm://my-rsa-4096-key \
  -signer signing-cert.pem \
  -in document.pdf \
  -out document.pdf.p7s \
  -outform DER
The .p7s file carries the signature and the signer certificate but not the document, so a verifier must be given the original file alongside it. Add -nodetach to embed the document in the CMS structure instead of producing a detached signature.
S/MIME sign an email message:
openssl smime -sign \
  -provider digicert_stm -provider default \
  -inkey stm://my-ecdsa-p384-key \
  -signer signing-cert.pem \
  -in email.txt \
  -out email.p7m \
  -md sha384
openssl req — CSR Generation
You can generate a Certificate Signing Request (CSR) using an STM key. The private key stays in the HSM; only the public key is embedded in the CSR. openssl req still asks the provider to sign the request with that key, which is how the CSR proves possession of the private key to the CA.
openssl req -new \
  -provider digicert_stm -provider default \
  -key stm://my-rsa-4096-key \
  -subj "/CN=my-service/O=MyOrg/C=US" \
  -out request.csr
For ECDSA:
openssl req -new \
  -provider digicert_stm -provider default \
  -key stm://my-ecdsa-p256-key \
  -subj "/CN=my-service/O=MyOrg/C=US" \
  -out request.csr
openssl storeutl
Extract public key and certificate
Use storeutl to extract the public key or certificate chain associated with a keypair. This does not require the private key.
Extract public key in PEM format:
openssl storeutl \
  -provider digicert_stm -provider default \
  -keys \
  stm://my-rsa-4096-key
Extract the signing certificate:
openssl storeutl \
  -provider digicert_stm -provider default \
  -certs \
  stm://my-rsa-4096-key
To save the result to a file instead of printing it, add -out <file> to either command (the verification section below shows this for the public key).
Offline signature verification
Verification uses the standard OpenSSL default provider; once the public key or certificate has been extracted, no Software Trust Manager credentials and no digicert_stm provider are required.
To verify a signature:
Extract the public key or certificate.
Verify the signature locally.
Verify signature with openssl dgst
To extract the signer's public key:
openssl storeutl \
  -provider digicert_stm -provider default \
  -keys -out pubkey.pem stm://my-rsa-4096-key
To verify the signature:
openssl dgst -sha256 \
  -verify pubkey.pem \
  -signature signature.bin \
  artifact.tar.gz
Successful output:
Verified OK
Verify signature with openssl pkeyutl
openssl pkeyutl \
  -verify \
  -inkey pubkey.pem -pubin \
  -rawin -digest sha256 \
  -sigfile signature.bin \
  -in artifact.tar.gz
-rawin -digest sha256 makes pkeyutl hash the file before checking the signature. Without -rawin, pkeyutl expects -in to be the already-computed digest (as in the pre-computed digest signing example above), and passing the artifact itself fails verification.
RSA padding modes
For RSA keys, the provider supports two padding modes:
| Mode | -sigopt value | Use case |
|---|---|---|
| PKCS#1 v1.5 | (default, no option needed) | Broadest compatibility |
| RSA-PSS | rsa_padding_mode:pss | Modern APIs, Authenticode |
RSA-PSS example:
openssl dgst -sha256 \
  -provider digicert_stm -provider default \
  -sign stm://my-rsa-4096-key \
  -sigopt rsa_padding_mode:pss \
  -sigopt rsa_pss_saltlen:32 \
  -out signature.pss.bin \
  artifact.tar.gz
Troubleshooting
Logging and diagnostics
By default the provider writes logs to $SM_HOME/logs/digicert_stm_ossl_provider.log.
Enable debug logging:
export SM_LOG_LEVEL=debug
Stream logs to console for interactive debugging:
export SM_LOG_OUTPUT=stdout
export SM_LOG_LEVEL=trace
Typical log entries:
time="2026-03-20T10:15:23Z" level=info msg="Initializing SM OpenSSL Provider" provider="digicert_stm"
time="2026-03-20T10:15:23Z" level=info msg="REST client initialized successfully"
time="2026-03-20T10:15:24Z" level=debug msg="key 3f46a2c1-... found in cache"
time="2026-03-20T10:15:24Z" level=info msg="Signing operation completed" alg="SHA256withRSA"
Debugging aid
Enable trace-level logging to see every API call and parameter:
export SM_LOG_LEVEL=trace
export SM_LOG_OUTPUT=stdout
openssl dgst -sha256 -provider digicert_stm -provider default \
  -sign stm://my-key -out sig.bin file.txt 2>&1 | head -100
Error messages and solutions
Provider fails to load
Error
openssl: provider 'digicert_stm' not found
Solution
Confirm the provider library exists in the directory OpenSSL searches for modules:
Windows:
dir $env:OPENSSL_MODULES\digicert_stm.dll
Linux and macOS:
ls $OPENSSL_MODULES/digicert_stm.so
Check the OpenSSL version with openssl version.
Tip
Only works on OpenSSL 3.x. The provider will not load under OpenSSL 1.x.
On Linux, check the library's dependencies with ldd libdigicert_stm.so. Missing libssl.so.3 / libcrypto.so.3 means OpenSSL 3.x is not installed, or the library is being resolved against an older OpenSSL.
Authentication failures
Error
failed to setup REST client
or in logs
401 Unauthorized
Solution
Check that every required environment variable is set (for example echo $SM_API_KEY; do this only in a session whose output is not recorded, since it prints the secret).
Confirm the SM_CLIENT_CERT_FILE path exists and the password is correct:
openssl pkcs12 -info -noout -in $SM_CLIENT_CERT_FILE -passin env:SM_CLIENT_CERT_PASSWORD
-noout makes the command only validate the file and print its structure; without it, pkcs12 writes the private key to the terminal and prompts for a PEM pass phrase to re-encrypt it.
Verify the API key has signing permissions in Software Trust Manager.
Tip
To check your permissions, in SMCTL run:
smctl healthcheck
Key not found
Error
failed to load keypair: 404 Not Found
Solution
In SMCTL, confirm the keypair exists:
smctl keypair list
Confirm the keypair alias spelling; aliases are case-sensitive.
Verify your API key has access to the keypair; the keypair may be restricted to a different project.
ML-DSA key fails with "unknown algorithm"
Error
unknown message digest algorithm 'mldsa44'
Solution
ML-DSA requires OpenSSL 3.5.0+. Check openssl version. If your system OpenSSL is older, specify the path to OpenSSL 3.5.0:
export OPENSSL_MODULES=/opt/openssl-3.5.0/lib/ossl-modules
/opt/openssl-3.5.0/bin/openssl dgst \
  -provider digicert_stm -provider default \
  -sign stm://my-mldsa-65-key \
  -out sig.bin file.txt
Signature verification fails with default provider
Error
Verification Failure
Solution
Ensure you used the public key that matches the signing key.
Confirm the same -sha<N> hash algorithm was used for both signing and verifying.
For RSA-PSS signatures, pass the same -sigopt settings during verification:
openssl dgst -sha256 -verify pubkey.pem \
  -sigopt rsa_padding_mode:pss \
  -signature signature.bin artifact.tar.gz
If you fixed rsa_pss_saltlen when signing, either pass the same value here or omit it so that OpenSSL auto-detects the salt length from the signature; an explicit salt length that differs from the one used at signing time fails verification.