Signer guide
The KeyLocker Signer is an account user responsible for signing with the key stored DigiCert® KeyLocker.
Note
If you are a KeyLocker Lead or Signer, follow this guide to get ready to sign while your private key remains securely stored in DigiCert® KeyLocker.
There are two methods you can use to set up the tools to sign:
DigiCert® KeyLocker wizard (recommended)
Follow the procedures outlined in this article
DigiCert® KeyLocker wizard
Using the DigiCert® KeyLocker wizard is recommended because it provides a wizard supported experience that validates whether you have successfully completed a step.
To access the DigiCert® KeyLocker wizard:
Sign in to DigiCert ONE.
Navigate to the Manager menu (top-right) > KeyLocker.
Select Get started.
Follow the instructions to get ready to sign.
Get ready to sign
If you are unable to use the DigiCert® KeyLocker wizard, manually complete the steps below to get ready to sign.
Download DigiCert® KeyLocker tools
Before downloading your tools, review the DigiCert® KeyLocker tools required for signing based on your operating.
Astuce
We have packaged all the tools you may require for your operating system to ensure that you have everything you need in one download. For more information, review Compatible operating system versions for client tools.
Download tools
To download DigiCert® KeyLocker client tools:
Sign in to DigiCert ONE.
Select the Manager menu icon (top-right) > KeyLocker.
Navigate to: Resources > Client tool repository.
Select your operating system.
Select the download icon next to the client you want to download.
When you sign your software, your API key and client authentication certificate authenticate you to DigiCert® KeyLocker, not your DigiCert ONE username and password. The API key and client authentication certificate provide two-factor authentication (2FA).
Astuce
Service users are generally used for automated signing and therefore do not have credentials to access DigiCert ONE. However, service users can still sign and access resources like keys and certificates in DigiCert® KeyLocker when authenticated by an API token and client authentication certificate.
Create an API key
An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.
Follow the procedure below based on your user classification:
Create a client authentication certificate
A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API.
Note
Your API key and client authentication certificate inherit your user role.
Secure your credentials
Your DigiCert ONE host environment, API key, client authentication certificate and password make up your environment variables and are required to access DigiCert® KeyLocker client tools. You may want to use one of the methods below to securely store your credentials based on your operating system.
Install third-party signing tools
DigiCert® KeyLocker offers simplified signing with third-party signing tools. Refer to Files supported for signing for list of compatible tools and what they can be used to sign.
Configuration instructions:
To confirm that your credentials and signing tools were configured correctly:
Open SMCTL.
Run the command:
smctl healthcheck
Output sample:
--------- User credentials ------ Status: Connected Username: john.doe Accounts: Example, Inc. Authentication: 2FA Environment: Prod Credentials: Host: https://clientauth.one.digicert.com API key: 01587358d5ae74e214f7dd332b_09exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe6 (Pulled from environment variable) Client certificate file path: C:\Users\John.Doe\Documents\KL\john-client-cert.p12 Client certificate password: feoTxxxxxxf8 (Pulled from environment variable) API keys: Name: john-API (expires on Fri, 31 Jul 2026 23:59:59 UTC) Client certificates: Name: john-client-cert (expires on Fri, 31 Jul 2026 23:59:59 UTC) Privileges: Can sign: Yes Can approve release window: No Can revoke certificate: Yes Permissions: Account Manager: VIEW_AM_ROLE VIEW_AM_ACCOUNT VIEW_AM_USER Keypairs: MANAGE_SM_KEYPAIR VIEW_SM_KEYPAIR SIGN_SM_HASH Certificates: VIEW_SM_CERTIFICATE REVOKE_SM_CERTIFICATE Other permissions: VIEW_SM_LICENSE MANAGE_SM_CC_API_KEY --------- Signing tools --------- Mage: Mapped: Yes Path: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\mage.exe Nuget: Mapped: Yes Path: C:\Program Files (x86)\NuGet uget.exe Jarsigner: Mapped: Yes Path: C:\Program Files\Java\jdk-17\bin\jarsigner.exe Apksigner: Mapped: No Signtool 32 bit: Mapped: Yes Path: C:\Program Files (x86)\Windows Kits\signtool_32.exe Signtool: Mapped: Yes Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe
Note
If the healthcheck fails, troubleshoot the following.
Ensure that:
You provided the correct host in the environment variable.
You provided the correct API token in the environment variable.
You provided the correct client authentication certificate in the environment variable.
You provided the correct password for your client authentication certificate.
You have a stable internet connection.
If the organization's proxy is enabled, you need to add these settings to the environment variables.
View your certificates
The Certificates tab is useful to identify your certificate fingerprint, keypair alias, or keypair ID used in signing commands.
Note
Don't see any certificates?
As a KeyLocker Signer, you can only view certificates that you can sign with. Reach out to your account Lead, and request to be added as the designated signer for a KeyLocker certificate.
To view certificate information:
Sign in to DigiCert ONE.
Navigate to: Manager menu icon (top-right) > KeyLocker.
Select Certificates.
Select the certificate alias to view more information.
Integrate DigiCert® KeyLocker into continuous integration and continuous deployment (CI/CD) pipelines. CI/CD integrations automate and streamline the software development and deployment process. DigiCert® KeyLocker offers CI/CD plugins and script integrations which are both methods used to incorporate CI/CD functionality into your software development workflow. While plugins are easier to use, script integrations offer more flexibility.
To automate signing as part of your CI/CD workflows, refer to CI/CD integrations.
Sign
Follow the instructions in the following articles to sign while your private key remains in DigiCert® KeyLocker: