
Healthcheck commands

Use this command to check if your credentials and signing tools were configured correctly in SMCTL.

Command

To run a healthcheck on your credentials and signing tools, use the command:

smctl healthcheck

Flags

The healthcheck command supports these flags:

Table 1. Flags for healthcheck

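| Shortcut | Flag    | Description                                             |
|----------|---------|---------------------------------------------------------|
|          | --all   | Verify user credentials and tools you can sign with.    |
|          | --tools | Verify configured tools you can sign with.              |
|          | --user  | Verify your user credentials and view your permissions. |
| -h       | --help  | Help for describing a keypair.                          |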


Examples

Check user credentials and tools

To verify your user credentials and the signing tools that are configured for you to sign with, use the command:

smctl healthcheck

Command output sample:

--------- User credentials ------
Status: Connected

Username: john.doe
Accounts: Example, Inc.
Authentication: 2FA
Environment: Unknown
Credentials:
        Host: https://clientauth.one.digicert.com
        API key: 01a007567da265b5909d11b8ea_b70xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb9 (Pulled from environment variable)
        Client certificate file path: C:\Users\John.Doe\Documents\STM\JohnD_Auth_Cert_2023.p12
        Client certificate password: JM7QxxxxxxqO (Pulled from environment variable)
API keys:
        Name: John API Token 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
Client certificates:
        Name: John Auth Cert (expires on Tue, 31 Jan 2023 23:59:59 UTC)
        Name: John Auth Cert 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
Privileges:
        Can sign: Yes
        Can approve release window: Yes
        Can revoke certificate: Yes

Permissions:
Account Manager:
        VIEW_AM_USER
        VIEW_AM_ORGANIZATION
        MANAGE_AM_PERMISSION
        VIEW_AM_ROLE
        VIEW_AM_ACCOUNT
        VIEW_AM_AUDIT_LOG

Keypairs:
        APPROVE_SM_KEYPAIR_DELETE
        GENERATE_SM_KEYPAIR
        MANAGE_SM_KEYPAIR
        REQUEST_SM_KEYPAIR_EXPORT
        EXPORT_SM_KEYPAIR
        APPROVE_SM_KEYPAIR_EXPORT
        IMPORT_SM_KEYPAIR
        SIGN_SM_HASH
        MANAGE_SM_MASTER_KEYPAIR
        VIEW_SM_KEYPAIR

Certificates:
        MANAGE_SM_CERTIFICATE_PROFILE
        GENERATE_SM_CERTIFICATE
        IMPORT_SM_CERTIFICATE
        VIEW_SM_CERTIFICATE
        VIEW_SM_CERTIFICATE_TEMPLATE
        VIEW_SM_CERTIFICATE_PROFILE
        REVOKE_SM_CERTIFICATE

Releases:
        APPROVE_SM_RELEASE_WINDOW
        REQUEST_SM_RELEASE_WINDOW
        VIEW_SM_RELEASE_WINDOW

Audit logs:
        VIEW_SM_AUDIT_LOG
        EXPORT_SM_LOGS

Other permissions:
        MANAGE_SM_CC_API_KEY
        VIEW_SM_LICENSE
        MANAGE_SM_HIERARCHY
        MANAGE_SM_ACCOUNT_SETTINGS

--------- Signing tools ---------
Nuget:
        Mapped: No
Jarsigner:
        Mapped: No
Apksigner:
        Mapped: No
Signtool 32 bit:
        Mapped: No
Signtool:
        Mapped: Yes
        Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.33621.0\x64\signtool.exe
Mage:
        Mapped: No

Check user credentials

To verify your user credentials and permissions, use the command:

smctl healthcheck --user

Command output sample:

--------- User credentials ------
Status: Connected

Username: john.doe
Accounts: Example, Inc.
Authentication: 2FA
Environment: Unknown
Credentials:
        Host: https://clientauth.one.digicert.com
        API key: 01a007567da265b5909d11b8ea_b70xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb9 (Pulled from environment variable)
        Client certificate file path: C:\Users\John.Doe\Documents\STM\JohnD_Auth_Cert_2023.p12
        Client certificate password: JM7QxxxxxxqO (Pulled from environment variable)
API keys:
        Name: John API Token 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
Client certificates:
        Name: John Auth Cert (expires on Tue, 31 Jan 2023 23:59:59 UTC)
        Name: John Auth Cert 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
Privileges:
        Can sign: Yes
        Can approve release window: Yes
        Can revoke certificate: Yes

Permissions:
Account Manager:
        VIEW_AM_USER
        VIEW_AM_ORGANIZATION
        MANAGE_AM_PERMISSION
        VIEW_AM_ROLE
        VIEW_AM_ACCOUNT
        VIEW_AM_AUDIT_LOG

Keypairs:
        APPROVE_SM_KEYPAIR_DELETE
        GENERATE_SM_KEYPAIR
        MANAGE_SM_KEYPAIR
        REQUEST_SM_KEYPAIR_EXPORT
        EXPORT_SM_KEYPAIR
        APPROVE_SM_KEYPAIR_EXPORT
        IMPORT_SM_KEYPAIR
        SIGN_SM_HASH
        MANAGE_SM_MASTER_KEYPAIR
        VIEW_SM_KEYPAIR

Certificates:
        MANAGE_SM_CERTIFICATE_PROFILE
        GENERATE_SM_CERTIFICATE
        IMPORT_SM_CERTIFICATE
        VIEW_SM_CERTIFICATE
        VIEW_SM_CERTIFICATE_TEMPLATE
        VIEW_SM_CERTIFICATE_PROFILE
        REVOKE_SM_CERTIFICATE

Releases:
        APPROVE_SM_RELEASE_WINDOW
        REQUEST_SM_RELEASE_WINDOW
        VIEW_SM_RELEASE_WINDOW

Audit logs:
        VIEW_SM_AUDIT_LOG
        EXPORT_SM_LOGS

Other permissions:
        MANAGE_SM_CC_API_KEY
        VIEW_SM_LICENSE
        MANAGE_SM_HIERARCHY
        MANAGE_SM_ACCOUNT_SETTINGS

Check integrated third-party tools

To verify the signing tools that are configured for you to sign with, use the command:

smctl healthcheck --tools

Command output sample:

--------- Signing tools ---------
Nuget:
        Mapped: No
Jarsigner:
        Mapped: No
Apksigner:
        Mapped: No
Signtool 32 bit:
        Mapped: No
Signtool:
        Mapped: Yes
        Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe
Mage:
        Mapped: No

Healthcheck errors and solutions

If the healthcheck command fails, troubleshoot the following.

Status: Not connected

Error message

--------- User credentials ------
Status: Not connected

Problem

This error can occur for multiple reasons. Verify that:

  • You provided the correct host in the environment variable.

  • You provided the correct API token in the environment variable.

  • You have a stable internet connection.

  • If your organization's proxy is enabled, you added the proxy settings to the environment variables.

Solution

You may need to troubleshoot a variety of areas:

  • Compare the host listed in the healthcheck command output to this list of hosts.

  • Compare the last two digits of the API key listed in the healthcheck command output to the last two digits of your API key in DigiCert ONE.

    Tip

    To identify existing API keys for your user:

    1. Sign in to DigiCert ONE.

    2. Click the Profile icon (top-right).

    3. Select Admin Profile.

    4. In the On this page section (right), select API tokens.

Your client certificate path or password is incorrect (1FA)

Error message

--------- User credentials ------
Status: Connected
Your client certificate path or password is incorrect. You will not be able to complete specific actions (such as sign, generate keypairs and approve releases) until these credentials are corrected.

Problem

Your host environment and API key (first factor of authentication) are correct; however, SMCTL was unable to authenticate your client certificate (second factor of authentication). This means that the path to your client authentication certificate or its password is incorrect. Two-factor authentication is required to perform specific actions, such as: sign, generate keypairs, scan your software with Threat detection, and approve releases. If you try to perform one of these actions with only one factor of authentication, you will receive the following error:

status_code=403, message={"error":{"status":"access_denied","message":"User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, user needs to be authenticated using multi-factor for performing <action> operation."}}, nested_error=<nil>

Solution

Ensure that the client authentication certificate path and password are correct. One of the following methods may be useful:

  • Navigate to the client authentication certificate path listed in the healthcheck command output and confirm that the file name and path match.

  • Compare your client authentication certificate password listed in the healthcheck command output to your password to confirm that it is correct.

    Note

    If you have lost or forgotten your password, create a new client authentication certificate and securely store your password.
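
A pre-flight gate for a signing pipeline, as an added example (not DigiCert's code): it parses captured `smctl healthcheck` output in the layout shown on this page and reports the failure states described above (not connected, 1FA only, unmapped tool) plus credentials close to expiry. The function name `preflight`, its parameters and the trimmed sample text are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout shown on this page (credential lines omitted).
SAMPLE = r"""--------- User credentials ------
Status: Connected
Your client certificate path or password is incorrect.
API keys:
        Name: John API Token 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
Client certificates:
        Name: John Auth Cert (expires on Tue, 31 Jan 2023 23:59:59 UTC)
        Name: John Auth Cert 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
--------- Signing tools ---------
Jarsigner:
        Mapped: No
Signtool:
        Mapped: Yes
        Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe
"""

EXPIRES = re.compile(r"Name: (.+?) \(expires on (.+?)\)")
MAPPED = re.compile(r"^(\S[^:\n]*):\n\s+Mapped: (Yes|No)", re.M)
ONE_FACTOR = "Your client certificate path or password is incorrect"

def preflight(text, required_tools=("Signtool",), now=None, warn_days=30):
    """Return (errors, warnings) for one captured `smctl healthcheck` output."""
    text = text.replace("\r\n", "\n")  # tolerate Windows line endings
    now = now or datetime.now(timezone.utc)
    errors, warnings = [], []
    if not re.search(r"^Status: Connected\s*$", text, re.M):
        errors.append("not connected: check host, API key, network and proxy")
    if ONE_FACTOR in text:
        errors.append("1FA only: client certificate path or password rejected")
    mapped = dict(MAPPED.findall(text))
    for tool in required_tools:
        if mapped.get(tool) != "Yes":
            errors.append(f"{tool}: not mapped")
    # Expiry is a warning: the page's sample still lists an expired certificate.
    for name, stamp in EXPIRES.findall(text):
        expires = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S %Z")
        days = (expires.replace(tzinfo=timezone.utc) - now).days
        if days < warn_days:
            state = "expired" if days < 0 else f"expires in {days} days"
            warnings.append(f"{name}: {state}")
    return errors, warnings
```

The healthcheck output includes partially masked credential values, so pass the captured text to the parser and log only the returned findings rather than the raw output.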