Credential setup for Windows
To effectively use DigiCert® KeyLocker client tools on your Windows system, it's crucial to configure your environment variables correctly. Below are the prerequisites and recommended methods for credential setup.
Prerequisites
Before you begin, ensure you have the following:
DigiCert ONE host
DigiCert ONE Client authentication certificate path
DigiCert ONE Client authentication certificate password
Credential setup methods for Windows
There are four methods for storing your credentials. For enhanced security, you may want to follow these best practices when configuring your environment variables for SMCTL:
Windows Credential Manager (recommended)
The most secure option is to store your API key and client authentication certificate password in Windows Credential Manager. It provides an added layer of protection against unauthorized access.
Alternatively, you can securely store your API key and client authentication certificate password in a properties file. This approach is also highly secure and recommended for safeguarding sensitive credentials.
Session-based environment variables
For improved security, consider setting the host and client authentication certificate file path as session-based variables, which means they are temporary and will only be available during your current session. This approach minimizes the risk of unauthorized access and ensures that these critical variables are available only for the duration of your session.
Persistent environment variables
Alternatively, you can set the host and client authentication certificate file path as persistent variables.
Avertissement
Storing sensitive credentials as persistent environment variables comes with a significant security risk. If you choose to store the API key and client authentication certificate password as persistent variables, anyone with access to your system can potentially perform actions using DigiCert® KeyLocker client tools. We strongly advise against this practice to protect your data and system integrity.
Credential sources prioritization
When using DigiCert® KeyLocker client tools, it is important to understand the order in which the tools prioritize different sources for credentials:
Session-based
The client tools will first check if session-based have been provided in the session.
Persistent environment variables
If session-based environment variables were not provided, the client tools checks if persistent environment variables have been set.
Properties file
If the API key and client authentication password are not found in environment variables, the client tools will then look for them in the properties file if it has been set up.
Windows Credential Manager
In case the credentials are not found in the previous two sources, the client tools will check if credentials can be found in Windows Credential Manager.
In the event that credentials are available in multiple locations, the client tools will follow this priority order: session environment variables, persistent environment variables, properties file, and then Windows Credential Manager.
Note
Location of log files: C:\Users\<Username>\.signingmanager\logs
Reviewing these log files will provide insights into which credential source was used for each execution, helping you track and ensure the correct credentials are being utilized for your operations.