DigiCert recommends storing your API key and client authentication certificate password in Windows Credential Manager, an encrypted vault, protected from unauthorized access.
Signer guide
Follow this guide to get ready to sign while your private key remains securely stored in DigiCert® Software Trust Manager.
Tip
This guide assumes that your account Lead has already created a keypair and certificate as shown in the Lead guide.
Prerequisites
DigiCert ONE client authentication certificate
Keypair and default certificate
File or folder to be signed
Before downloading your tools, review the Software Trust Manager tools available for your operating system and identify the tools you require for signing.
Tip
We recommend downloading the tool packages for your operating system, this ensures that you have everything you need in one download.
What tools do I need for signing?
The following Software Trust Manager tools available based on your operating system:
Client tool | Description | Windows | Linux | macOS | AIX |
---|---|---|---|---|---|
Signing Manager CTL (SMCTL) | Signing Manager Controller (SMCTL) provides a Command Line Interface (CLI) that facilitates manual and automated private key management, certificate management, and signing with or without the need for human intervention. | Yes | Yes | Yes | Yes |
PKCS11 library | Public-Key Cryptography Standards 11 (PKCS11) library integrates with any operating system that supports Java and any any Java architecture, including: 64-bit, 32-bit, and ARM processors. | Yes | Yes | Yes | |
JCE library | Java Cryptography Extension (JCE) integrates with non-Microsoft signing tools while maintaining key protection, permission-based access and reporting all signing | Yes | |||
CSP library | Cryptographic Service Provider (CSP) is a library-based client-side tool that implements the Crypto API (CAPI) supported in Windows 2008 and later. | Yes | |||
KSP library | Key Service Provider (KSP) library is a Microsoft CNG (Cryptographic: Next Generation) library-based client-side tool. | Yes | |||
GPG smart card daemon (SCD) | GPG Smart Card Daemon (SCD) is a GPG compliant SCD client-side tool that integrates with the GPG-agent (part of the GPG tool suite) for all GPG based hash signing use cases. | Yes | Yes | Yes | Yes |
DigiCert Click-to-sign | DigiCert Click-to-sign provides Windows customers with a simple UI-based signing workflow that does not require use of the command line. | Yes | |||
CryptoTokenKit | CryptoTokenKit (CTK) is an implementation of the Apple CryptoTokenKit extension and is used to sign Apple binaries while the keys are stored remotely in DigiCert® Software Trust Manager. | Yes | |||
Windows Clients Installer (recommended) | This Windows clients package provides a wizard supported installation experience and downloads multiple clients you may need for signing in one download. These clients include:
| Yes | |||
Linux Clients (recommended) | This Linux clients package allows you to download multiple clients you may need for signing in one download. These clients include:
| Yes | |||
AIX Clients (recommended) | This AIX clients package allows you to download multiple clients you may need for signing in one download. These clients include:
| Yes |
Tip
For more information, review Compatible operating system versions for client tools.
Download tools
To download Software Trust Manager tools:
Sign in to DigiCert ONE.
Navigate to: Manager menu (top right) > Software Trust > Resources > Client tool repository.
Select your operating system.
Select the download icon next to the tool you want to download.
Software Trust Manager offers simplified signing with third-party signing tools. Refer to Files supported for signing for list of compatible tools and what they can be used to sign.
Which signing tools do I need?
Follow these instructions to identify the signing tools you require:
Identify the tools available for your operating system.
Identify the file types you need to sign.
Select the signing tool name associated with the file types you want to sign.
Follow the instructions to install the signing tool and integrate it with SMCTL.
When you sign your software, your API key and client authentication certificate authenticate you to DigiCert® Software Trust Manager, not your DigiCert ONE username and password. The API key and client authentication certificate provide two-factor authentication (2FA).
Tip
Service users are generally used for automated signing and therefore do not have credentials to access DigiCert ONE. However, service users can still sign and access resources like keys and certificates in DigiCert® Software Trust Manager when authenticated by an API token and client authentication certificate.
Create an API key
An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.
Follow the procedure below based on your user classification:
Create a client authentication certificate
A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API.
Note
Your API key and client authentication certificate inherit your user permissions orrole.
Your DigiCert ONE host environment, API key, client authentication certificate and password make up your environment variables and are required to access Software Trust Manager client tools. You may want to use one of the methods below to securely store your credentials based on your operating system.
To confirm that your credentials and signing tools were configured correctly:
Open SMCTL.
Run the command:
smctl healthcheck
Output sample:
--------- User credentials ------ Status: Connected Username: john.doe Accounts: Example, Inc. Authentication: 2FA Environment: Unknown Credentials: Host: https://clientauth.one.digicert.com API key: 01a007567da265b5909d11b8ea_b70xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb9 (Pulled from environment variable) Client certificate file path: C:\Users\John.Doe\Documents\STM\JohnD_Auth_Cert_2023.p12 Client certificate password: JM7QxxxxxxqO (Pulled from environment variable) API keys: Name: John API Token 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC) Client certificates: Name: John Auth Cert (expires on Tue, 31 Jan 2023 23:59:59 UTC) Name: John Auth Cert 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC) Privileges: Can sign: Yes Can approve release window: Yes Can revoke certificate: Yes Permissions: Account Manager: VIEW_AM_USER VIEW_AM_ORGANIZATION MANAGE_AM_PERMISSION VIEW_AM_ROLE VIEW_AM_ACCOUNT VIEW_AM_AUDIT_LOG Keypairs: MANAGE_SM_KEYPAIR VIEW_SM_KEYPAIR Certificates: VIEW_SM_CERTIFICATE REVOKE_SM_CERTIFICATE Other permissions: MANAGE_SM_CC_API_KEY --------- Signing tools --------- Nuget: Mapped: No Jarsigner: Mapped: No Apksigner: Mapped: No Signtool 32 bit: Mapped: No Signtool: Mapped: Yes Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.33621.0\x64\signtool.exe Mage: Mapped: No
Note
If the healthcheck fails, troubleshoot the following.
Ensure that:
You provided the correct host in the environment variable.
You provided the correct API token in the environment variable.
You provided the correct client authentication certificate in the environment variable.
You provided the correct password for your client authentication certificate.
You have a stable internet connection.
If the organization's proxy is enabled, you need to add these settings to the environment variables.
Integrate DigiCert® Software Trust Manager into continuous integration and continuous deployment (CI/CD) pipelines. CI/CD integrations automate and streamline the software development and deployment process. Software Trust Manager offers CI/CD plugins and script integrations which are both methods used to incorporate CI/CD functionality into your software development workflow. While plugins are easier to use, script integrations offer more flexibility.
To automate signing as part of your CI/CD workflows, refer to CI/CD integrations.
Follow the instructions in the following articles to sign while your private key remains in Software Trust Manager: