Signer guide
This guide explains how to sign software using keys stored in DigiCert® Software Trust Manager.
You can sign software using Software Trust Manager client tools, such as SMCTL (a command-line interface) or DigiCert Click-to-sign (a UI-based application). Alternatively, you can sign directly with supported third-party signing tools that integrate with Software Trust Manager.
This guide applies to any Software Trust user who has permission to sign software. All built-in Software Trust Manager roles include signing permissions. If your organization uses custom roles, ensure your role includes the sign permission.
Tip
This guide focuses on interactive, manual signing workflows. For automated signing in CI/CD pipelines, see CI/CD signing workflows.
Before you begin
This guide assumes:
You have been assigned a Software Trust user role that contains the sign permission
You are assigned to a keypair that has a default certificate
You will need
A file or folder to sign
SMCTL is Software Trust Manager's command line interface (CLI) and supports multiple ways to sign software using keys stored in Software Trust Manager. Choose the approach that best fits your workflow and level of control.
Most users should start with simple signing. It requires fewer dependencies, is easier to configure, and is the recommended approach for most signing workflows.
Your choice affects which tools you need to install and how you perform signing.
Simple signing with SMCTL (recommended)
Simple signing uses SMCTL to sign files directly within Software Trust Manager without integrating external signing tools.
Pros
Fastest and simplest way to get started with signing
No third-party tools required
Consistent signing experience across supported file types
Supports signing multiple files in a single operation
Can optionally ignore files that are already signed
Considerations
Supports fewer file types; see Files supported for simple signing
Does not capture signing metadata such as timestamps, tools, or checksums
Traditional signing integrates SMCTL with third-party signing tools that are specific to your platform and file types you want to sign.
Pros
Supports a wider range of file types; see Files supported for traditional signing
Consistent signing experience across supported file types
Captures full signing metadata
Considerations
Requires configuration with third-party signing tools (for example, signtool, jarsigner, or osslsigncode)
Requires additional Software Trust client tools, such as KSP, CSP, or PKCS#11 cryptographic libraries
Does not support bulk signing
DigiCert® Click-to-sign is a desktop application that integrates with SMCTL and third-party signing tools and provides a graphical interface for signing files.
It uses:
The default keypair and certificate configured in Click-to-sign
The signing algorithm you specify in the app
You select the file to sign, and Click-to-sign performs the signing operation without requiring command-line input.
Pros
Does not require command-line interaction
Accessible to less technical users
Simplifies manual signing by using predefined defaults for keys and algorithms
Well suited for interactive, occasional signing tasks
Considerations
Only compatible with Windows 10
Best suited for interactive, manual signing workflows
Requires additional Software Trust client tools: SMCTL, and a KSP, CSP, or PKCS#11 cryptographic library
Does not support bulk signing
Signs files directly with supported third-party signing tools while your private key remains securely stored in Software Trust Manager.
You authenticate the third-party tool to Software Trust Manager using the appropriate cryptographic library.
Pros
Allows continued use of existing, third-party signing tools
Minimal disruption to established signing workflows
Full control over tool-specific options and signing behavior
Considerations
Different signing tools are required for different file types
Each signing tool uses its own commands, syntax, and configuration
Bulk signing and workflow consistency depend on the capabilities of each tool
Each signing tool requires configuring and maintaining the appropriate cryptographic libraries (such as KSP, CSP, or PKCS#11)
Use the DigiCert ONE Clients app to download and manage Software Trust client tools.
The app:
Automatically handles static or dynamic authentication
Supports optional auto-updates to keep tools current
Provides the client tools available for your operating system
Sign in to DigiCert ONE.
In the Managers menu, select Software Trust.
On the DigiCert ONE Clients tab, select Resources > Client tool repository.
Select the download icon next to DigiCert ONE Clients.
In the pop-up, select your operating system.
Tip
DigiCert ONE Clients displays tools compatible with your selected operating system.
Select Download.
Run the DigiCert ONE Clients installer for your operating system.
In the setup wizard:
Read DigiCert's Master Services Agreement, then select I agree.
Select the installation scope:
Anyone who uses this computer
Only for myself
Select the installation location or use the default path.
Select Install.
Optional: Select the checkbox Run DigiCert ONE Clients if you want to open the application immediately.
Select Finish.
The client tools you need depend on the signing approach you choose:
Simple signing uses SMCTL to sign files directly and does not require third-party signing tools or additional signing infrastructure.
Tip
You will download SMCTL in the next step.
For traditional signing, install the following:
SMCTL
Third-party signing tools based on the file types you want to sign
Cryptographic libraries required to integrate with those tools (such as CSP, KSP, or PKCS#11)
Which cryptographic library do you need?
The file type you want to sign determines which signing tool you use. The cryptographic library you need depends on that signing tool.
To identify the cryptographic library you'll need:
Identify the file types you want to sign in the list of supported file types.
Identify the signing tool associated with those file types.
Select the signing tool name in the table to view installation and integration instructions.
Follow the instructions to install the signing tool.
Identify which Software Trust client tool it requires for signing.
Note: You will download these client tools in the next step.
For Click-to-sign, install the following:
DigiCert Click-to-sign
SMCTL
Third-party signing tools based on the file types you want to sign
Cryptographic libraries required to integrate with those tools (such as CSP, KSP, or PKCS#11)
Which cryptographic library do you need?
The file type you want to sign determines which signing tool you use. The cryptographic library you need depends on that signing tool.
To identify the cryptographic library you'll need:
Identify the file types you want to sign in the list of supported file types.
Identify the signing tool associated with those file types.
Select the signing tool name in the table to view installation and integration instructions.
Follow the instructions to install the signing tool.
Identify which Software Trust client tool it requires for signing.
Note: You will download these client tools in the next step.
For signing directly with third-party signing tools, install the following:
Third-party signing tools based on the file types you want to sign
Cryptographic libraries required to integrate with those tools (such as CSP, KSP, or PKCS#11)
Which cryptographic library do you need?
The file type you want to sign determines which signing tool you use. The cryptographic library you need depends on that signing tool.
To identify the cryptographic library you'll need:
Identify the file types you want to sign in the list of supported file types.
Identify the signing tool associated with those file types.
Select the signing tool name in the table to view installation and integration instructions.
Follow the instructions to install the signing tool.
Identify which Software Trust client tool it requires for signing.
Note: You will download these client tools in the next step.
Open DigiCert ONE Clients.
On the My client tools page, find the tool you want to install.
Select Install.
In the installation dialog:
SMCTL will now show in the Installed section of DigiCert ONE Clients.
Find SMCTL in DigiCert ONE Clients.
Select Open.
Run the command:
smctl healthcheck
Review the following sample output:
--------- User credentials ------
Status: Connected
Username: john.doe
Accounts: Win The Customer, LLC
Authentication: 2FA
Environment: Prod
Credentials:
    Host: https://clientauth.one.digicert.com
    API key: 012345fe67a1234f56a7d8c911_055xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd6 (Pulled from OS credential store)
    Client certificate file path: C:\Users\John.Doe\.digicert-ucpc\certs\1ec2dcd3-c4d5-481a-67a1-b891cc0c1234\20260122133923-480f4000-f123-4567-bd89-1cde2d834567.p12
    Client certificate password: 1+cJxxxxxxmt (Pulled from OS credential store)
Privileges:
    Can sign: Yes
    Can approve release window: Yes
    Can revoke certificate: Yes
Permissions:
    Account Manager:
        VIEW_AM_USER
        VIEW_AM_ORGANIZATION
        MANAGE_AM_PERMISSION
        VIEW_AM_ROLE
        VIEW_AM_ACCOUNT
        VIEW_AM_AUDIT_LOG
    Keypairs:
        MANAGE_SM_KEYPAIR
        VIEW_SM_KEYPAIR
    Certificates:
        VIEW_SM_CERTIFICATE
        REVOKE_SM_CERTIFICATE
    Other permissions:
        MANAGE_SM_CC_API_KEY
--------- Signing tools ---------
Nuget:
    Mapped: No
Jarsigner:
    Mapped: No
Apksigner:
    Mapped: No
Signtool 32 bit:
    Mapped: No
Signtool:
    Mapped: Yes
    Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.33621.0\x64\signtool.exe
Mage:
    Mapped: No
Tip
If the check is successful, the output shows Status: Connected.
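The healthcheck output carries credential fields (API key, client certificate password) alongside the status, sign privilege, and tool mappings. The following added example, which is not DigiCert code, redacts those fields before the output is shared and checks that the workstation is ready to sign. It assumes the output prints one field per line; SAMPLE is constructed, and redact, parse, and preflight are hypothetical helper names.

```python
import re

# Constructed sample modeled on the healthcheck output in this guide; the
# one-field-per-line layout and every value below are assumptions.
SAMPLE = """\
--------- User credentials ------
Status: Connected
Credentials:
    API key: 0123abcd_EXAMPLEKEY (Pulled from OS credential store)
    Client certificate password: ExamplePw1 (Pulled from OS credential store)
Privileges:
    Can sign: Yes
--------- Signing tools ---------
Jarsigner:
    Mapped: No
Signtool:
    Mapped: Yes
    Path: C:\\Example\\signtool.exe
"""
SECRET_RE = re.compile(r"^([ \t]*(?:API key|Client certificate password):[ \t]*)\S+", re.M)

def redact(text):
    """Mask credential values so the output can be pasted into a ticket or log."""
    return SECRET_RE.sub(r"\1[REDACTED]", text)

def parse(text):
    """Return (fields, tools): 'key: value' pairs and tool name -> mapped flag."""
    fields, tools, tool, in_tools = {}, {}, None, False
    for raw in text.splitlines():
        key, sep, value = (part.strip() for part in raw.partition(":"))
        if raw.lstrip().startswith("---"):
            in_tools = "Signing tools" in raw
        elif sep and in_tools and not value:
            tool = key                      # e.g. "Signtool:" opens a tool block
        elif sep and in_tools and key == "Mapped" and tool:
            tools[tool] = value == "Yes"
        elif sep and not in_tools and value:
            fields[key] = value
    return fields, tools

def preflight(text, required_tool=None):
    """List reasons this workstation is not ready to sign; empty means ready."""
    fields, tools = parse(text)
    checks = [
        (fields.get("Status") == "Connected", "not connected"),
        (fields.get("Can sign") == "Yes", "no sign permission"),
        (not required_tool or tools.get(required_tool, False), f"{required_tool} not mapped"),
    ]
    return [reason for ok, reason in checks if not ok]
```

Pass required_tool only for traditional or Click-to-sign workflows, where a third-party tool such as Signtool must be mapped; simple signing needs only the connection and sign privilege checks.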
Review the following documents to learn how to sign while your private key remains in Software Trust.