Requirements

API key

An API key is a unique identifier generated by the server to authenticate a user or calling program to an API. The API key acts as the first factor of authentication when connecting to DigiCert® Software Trust Manager client tools.

Nota

The permissions for the API token are based upon your user permissions set in DigiCert® Software Trust Manager.

To create an API key:

Sign in to DigiCert ONE.
Navigate to the Profile icon > Admin Profile > API tokens.
Select Create API token.

Client authentication certificate

A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API. The client authentication certificate acts as the second factor of authentication when connecting to DigiCert® Software Trust Manager client tools .

Nota

The permissions for the client authentication certificate are based upon your user permissions set in DigiCert® Software Trust Manager.

To generate a client certificate:

Sign in to DigiCert ONE.
Navigate to the Profile icon > Admin Profile > Authentication Certificates.
Select Create authentication certificate.

Nota

The client certificate password is only shown once after creating the client certificate, it cannot be accessed again. Copy and paste the password directly into this field. Securely store the passcode if you will require it later.

Host environment

During environment variable setup, you are required to provide the DigiCert ONE host value.

tabla 1. Host options

Country	Host type	SM_HOST value
United States of America (USA)	Demo	https://clientauth.demo.one.digicert.com
United States of America (USA)	Production	https://clientauth.one.digicert.com
Switzerland (CH)	Demo	https://clientauth.demo.one.ch.digicert.com
Switzerland (CH)	Production	https://clientauth.one.ch.digicert.com
Japan (JP)	Demo	https://clientauth.demo.one.digicert.co.jp
Japan (JP)	Production	https://clientauth.one.digicert.co.jp
Netherlands (NL)	Demo	https://clientauth.demo.one.nl.digicert.com
Netherlands (NL)	Production	https://clientauth.one.nl.digicert.com

Client tools

To download client tools:

Sign in to DigiCert ONE.
Navigate to DigiCert® Software Trust Manager > Resources > Client tool repository.
Download the appropriate files, move them to the appropriate client computer, and extract (or install).

The following client tools are available:

ejemplo 1. Windows

The following clients tools are available for signing on Windows:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
DigiCert® Click-to-sign
DigiCert Click-to-sign provides Windows customers with a simple UI-based signing workflow that does not require use of the SMCTL. After you specify your signing preferences in the DigiCert Click-to-sign installation wizard, you simply need to right-click on a file or folder to sign.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.
KSP library
DigiCert® Software Trust Manager KSP is a Microsoft CNG (Cryptographic: Next Generation) library-based client-side tool
ReversingLabs scanning toolScan with ReversingLabs
This tool will only work if software scanner is enabled on your Software Trust Manager account. It is a Dynamic Application Security Testing (DAST) service powered by ReversingLabs to scan your software for malware, vulnerabilities, secrets, and more before releasing your software to the public.

ejemplo 2. Linux

The following clients tools are available for signing on Linux:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.
GPG smart card daemon (SCD)
DigiCert® Software Trust Manager GPG Smart Card Daemon (SCD) is a GPG compliant SCD client-side tool that integrates with the GPG-agent (part of the GPG tool suite) for all GPG based hash signing use cases.
ReversingLabs scanning toolScan with ReversingLabs
This tool will only work if software scanner is enabled on your Software Trust Manager account. It is a Dynamic Application Security Testing (DAST) service powered by ReversingLabs to scan your software for malware, vulnerabilities, secrets, and more before releasing your software to the public.

ejemplo 3. macOS

The following clients tools are available for signing on macOS:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.
CryptoTokenKit
CryptoTokenKit is an implementation of the Apple CryptoTokenKit extension and is used to sign Apple binaries while the keys are stored remotely in Software Trust Manager.
GPG smart card daemon (SCD)
DigiCert® Software Trust Manager GPG Smart Card Daemon (SCD) is a GPG compliant SCD client-side tool that integrates with the GPG-agent (part of the GPG tool suite) for all GPG based hash signing use cases.
ReversingLabs scanning toolScan with ReversingLabs
This tool will only work if software scanner is enabled on your Software Trust Manager account. It is a Dynamic Application Security Testing (DAST) service powered by ReversingLabs to scan your software for malware, vulnerabilities, secrets, and more before releasing your software to the public.

Secure your credentials

Your DigiCert ONE host environment, API key, client authentication certificate and password makes up your environment variables and are required to access Software Trust Manager client tools. Use one of the methods provided below to securely store your credentials based on your operating system.

ejemplo 4. Windows

The most secure method is to store your API key and client authentication certificate password in Windows Credential Manager, an encrypted vault, protected from unauthorized access.

ejemplo 5. Linux

The most secure method is to store your API key and client authentication certificate password in Linux Pass, a password manager that uses GnuPG for encryption and decryption of stored information.

ejemplo 6. macOS

The most secure method is to store your API key and client authentication certificate password in Keychain Access, an application that stores your passwords and account information.

Types of certificates

You can generate public or private code signing certificates in DigiCert® Software Trust Manager.

Public code signing certificates

A CertCentral account is required to order publicly trusted certificates. You can integrate your CertCentral account with Software Trust Manager.

Publicly trusted code signing certificates:

Follows strict CA/B forum guidelines.
Are issued by DigiCert (a third party trusted certificate authority) which allows your software to be universally trusted by operating systems.
Contains verified information about your organization.

Nota

When a user downloads software that is signed with a publicly trusted code signing certificate, the operating system they are using and the user knows that a legitimate and trusted entity published it.

Private code signing certificates

Private code signing certificates (also known as self signed code signing certificates) can be created directly from Software Trust Manager. These certificates:

Are more flexible and does not have to follow any guidelines.
Are signed by you.
Are only trusted by machines that have your public key within their trust store.

Nota

When a user downloads software that is signed with a publicly trusted code signing certificate and the user does not have your public key within their trust store, the operating system will warn your user that your software is not trusted.

En esta sección:

Requirements

API key

Nota

Client authentication certificate

Nota

Nota

Host environment

Client tools

Secure your credentials

Types of certificates

Public code signing certificates

Nota

Private code signing certificates

Nota

Resultados de la búsqueda