Skip to main content

Signer guide

The KeyLocker Signer is an account user responsible for signing with the key stored DigiCert​​®​​ KeyLocker.

Nota

If you are a KeyLocker Lead or Signer, follow this guide to get ready to sign while your private key remains securely stored in DigiCert​​®​​ KeyLocker.

There are two methods you can use to set up the tools to sign:

  • DigiCert​​®​​ KeyLocker wizard (recommended)

  • Follow the procedures outlined in this article

DigiCert​​®​​ KeyLocker wizard

Using the DigiCert​​®​​ KeyLocker wizard is recommended because it provides a wizard supported experience that validates whether you have successfully completed a step.

To access the DigiCert​​®​​ KeyLocker wizard:

  1. Sign in to DigiCert ONE.

  2. Navigate to the Manager menu (top-right) > KeyLocker.

  3. Select Get started.

  4. Follow the instructions to get ready to sign.

Get ready to sign

If you are unable to use the DigiCert​​®​​ KeyLocker wizard, manually complete the steps below to get ready to sign.

Download DigiCert​​®​​ KeyLocker tools

Before downloading your tools, review the DigiCert​​®​​ KeyLocker tools required for signing based on your operating.

Sugerencia

We have packaged all the tools you may require for your operating system to ensure that you have everything you need in one download. For more information, review Compatible operating system versions for client tools.

Download tools

To download DigiCert​​®​​ KeyLocker client tools:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu icon (top-right) > KeyLocker.

  3. Navigate to: Resources > Client tool repository.

  4. Select your operating system.

  5. Select the download icon next to the client you want to download.

When you sign your software, your API key and client authentication certificate authenticate you to DigiCert​​®​​ KeyLocker, not your DigiCert ONE username and password. The API key and client authentication certificate provide two-factor authentication (2FA).

Sugerencia

Service users are generally used for automated signing and therefore do not have credentials to access DigiCert ONE. However, service users can still sign and access resources like keys and certificates in DigiCert​​®​​ KeyLocker when authenticated by an API token and client authentication certificate.

Create an API key

An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.

Follow the procedure below based on your user classification:

Create a client authentication certificate

A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API.

Nota

Your API key and client authentication certificate inherit your user role.

Secure your credentials

Your DigiCert ONE host environment, API key, client authentication certificate and password make up your environment variables and are required to access DigiCert​​®​​ KeyLocker client tools. You may want to use one of the methods below to securely store your credentials based on your operating system.

Install third-party signing tools

DigiCert​​®​​ KeyLocker offers simplified signing with third-party signing tools. Refer to Files supported for signing for list of compatible tools and what they can be used to sign.

Configuration instructions:

To confirm that your credentials and signing tools were configured correctly:

  1. Open SMCTL.

  2. Run the command:

    smctl healthcheck

    Output sample:

    --------- User credentials ------
    Status: Connected
    
    Username: john.doe
    Accounts: Example, Inc.
    Authentication: 2FA
    Environment: Prod
    Credentials:
            Host: https://clientauth.one.digicert.com
            API key: 01587358d5ae74e214f7dd332b_09exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe6 (Pulled from environment variable)
            Client certificate file path: C:\Users\John.Doe\Documents\KL\john-client-cert.p12
            Client certificate password: feoTxxxxxxf8 (Pulled from environment variable)
    API keys:
            Name: john-API (expires on Fri, 31 Jul 2026 23:59:59 UTC)
    Client certificates:
            Name: john-client-cert (expires on Fri, 31 Jul 2026 23:59:59 UTC)
    Privileges:
            Can sign: Yes
            Can approve release window: No
            Can revoke certificate: Yes
    
    Permissions:
    Account Manager:
            VIEW_AM_ROLE
            VIEW_AM_ACCOUNT
            VIEW_AM_USER
    
    Keypairs:
            MANAGE_SM_KEYPAIR
            VIEW_SM_KEYPAIR
            SIGN_SM_HASH
    
    Certificates:
            VIEW_SM_CERTIFICATE
            REVOKE_SM_CERTIFICATE
    
    Other permissions:
            VIEW_SM_LICENSE
            MANAGE_SM_CC_API_KEY
    
    --------- Signing tools ---------
    Mage:
            Mapped: Yes
            Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\mage.exe
    Nuget:
            Mapped: Yes
            Path: C:\Program Files (x86)\NuGet
    uget.exe
    Jarsigner:
            Mapped: Yes
            Path: C:\Program Files\Java\jdk-17\bin\jarsigner.exe
    Apksigner:
            Mapped: No
    Signtool 32 bit:
            Mapped: Yes
            Path: C:\Program Files (x86)\Windows Kits\signtool_32.exe
    Signtool:
            Mapped: Yes
            Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe
    

Nota

If the healthcheck fails, troubleshoot the following.

Ensure that:

  • You provided the correct host in the environment variable.

  • You provided the correct API token in the environment variable.

  • You provided the correct client authentication certificate in the environment variable.

  • You provided the correct password for your client authentication certificate.

  • You have a stable internet connection.

  • If the organization's proxy is enabled, you need to add these settings to the environment variables.

View your certificates

The Certificates tab is useful to identify your certificate fingerprint, keypair alias, or keypair ID used in signing commands.

Nota

Don't see any certificates?

As a KeyLocker Signer, you can only view certificates that you can sign with. Reach out to your account Lead, and request to be added as the designated signer for a KeyLocker certificate.

 

To view certificate information:

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu icon (top-right) > KeyLocker.

  3. Select Certificates.

  4. Select the certificate alias to view more information.

Integrate DigiCert​​®​​ KeyLocker into continuous integration and continuous deployment (CI/CD) pipelines. CI/CD integrations automate and streamline the software development and deployment process. DigiCert​​®​​ KeyLocker offers CI/CD plugins and script integrations which are both methods used to incorporate CI/CD functionality into your software development workflow. While plugins are easier to use, script integrations offer more flexibility.

To automate signing as part of your CI/CD workflows, refer to CI/CD integrations.

Sign

Follow the instructions in the following articles to sign while your private key remains in DigiCert​​®​​ KeyLocker: