
Requirements

DigiCert® requires two-factor authentication (2FA) for all DigiCert® Software Trust Manager users. This requirement applies to signing activities and to DigiCert® ONE-based actions, such as keypair and certificate generation.

This requirement ensures compliance with CA/Browser Forum rules for public code signing and reduces the risk of a single compromised secret being enough to sign.

Two-factor authentication

To authenticate, two-factor authentication (2FA) must be enabled on your DigiCert® ONE account.

  • For DigiCert® ONE logins, authenticate with a password and a one-time password (OTP) code generated by the Google Authenticator app.

  • If you have admin privileges in DigiCert® ONE, you can enable the 2FA requirement.

Software Trust uses a client certificate and an API key to authenticate with DigiCert during signing.

  • The API key acts as the first factor of authentication and the client authentication certificate acts as the second when the Software Trust client tools connect to DigiCert ONE.

  • The permissions granted to the API key and client authentication certificate are those of your user in Software Trust; neither credential can do more than the user who created it.

Create an API key

An API key is a unique identifier that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It enables secure communication between applications.

Follow the procedure below based on your user type and role:

Create a client authentication certificate

A client authentication certificate is an X.509 digital certificate that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It enables secure communication between applications.

Follow the procedure below based on your user type and role:

Host environment

When you are setting up your environment variables, you must provide the DigiCert ONE host value.

The DigiCert ONE host value refers to the specific environment URL for connecting your client tools to perform an operation, such as software signing.

The value is a designated endpoint that corresponds to your operational region and environment (production or demo).

  • For example, if you are operating a production environment in the United States, then the value for SM_HOST would be https://clientauth.one.digicert.com.

  • As another example, if you are operating a demo environment in the Netherlands, then the value for SM_HOST would be https://clientauth.demo.one.nl.digicert.com.

These host values are essential for configuring your environment variables correctly, ensuring secure and accurate connections between your client tools and DigiCert ONE services.

Note

You can only connect to the host that was used to create your credentials.

Table 1. Host options

Country                          Host type    SM_HOST value
United States of America (USA)   Demo         https://clientauth.demo.one.digicert.com
                                 Production   https://clientauth.one.digicert.com
Switzerland (CH)                 Demo         https://clientauth.demo.one.ch.digicert.com
                                 Production   https://clientauth.one.ch.digicert.com
Japan (JP)                       Demo         https://clientauth.demo.one.digicert.co.jp
                                 Production   https://clientauth.one.digicert.co.jp
Netherlands (NL)                 Demo         https://clientauth.demo.one.nl.digicert.com
                                 Production   https://clientauth.one.nl.digicert.com


Client tools

Software Trust enables you to sign either directly with third-party signing tools or via DigiCert signing tools. Regardless of the method you choose, you will require a cryptographic library to ensure that your private key remains protected while allowing you to create digital signatures.

To download client tools:

  1. Sign in to DigiCert ONE.

  2. In the Managers menu, select Software Trust.

  3. In the Software Trust menu, go to Resources > Client tool repository.

  4. Download the appropriate files, move them to the appropriate client computer, and extract (or install).

The following client tools are available:

Set PATH environment variables

Operating systems use the PATH environment variable to locate executable files. Add the directory that contains your signing tools to PATH so that the CLI, and any script that calls it, can invoke the tools by name.

Note

Client tools must be on PATH so that CI/CD integrations can invoke them without specifying the full path to the executable. The following examples assume the client tool directory has already been added to PATH.

Secure your credentials

Your DigiCert ONE host environment, API key, client authentication certificate, and password make up your environment variables and are required to access Software Trust client tools. Use one of the following methods to securely store your credentials based on your operating system.
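The three settings above (a valid SM_HOST, the client tools on PATH, and credentials that are present but not exposed to other local users) are easy to get wrong in a build agent, and a mismatch only surfaces as a failed signing call. The following POSIX shell pre-flight check is an added example and is not DigiCert's own code. Of the variable names it checks, only SM_HOST appears on this page; SM_API_KEY, SM_CLIENT_CERT_FILE, SM_CLIENT_CERT_PASSWORD and the tool name smctl are assumptions about how the client tools are configured, and should be adjusted to match the names your client tools document. The list of known hosts is taken from Table 1.

```shell
#!/bin/sh
# Pre-flight check for a Software Trust signing host, meant to run before
# a build invokes the client tools. Added example, not DigiCert's code.
# Assumed variable names: SM_API_KEY, SM_CLIENT_CERT_FILE (PKCS#12 bundle),
# SM_CLIENT_CERT_PASSWORD. Assumed tool name: smctl. Only SM_HOST is
# taken from this page; the host list is from Table 1.

# The eight clientauth endpoints (demo and production, four regions).
SM_KNOWN_HOSTS="https://clientauth.demo.one.digicert.com
https://clientauth.one.digicert.com
https://clientauth.demo.one.ch.digicert.com
https://clientauth.one.ch.digicert.com
https://clientauth.demo.one.digicert.co.jp
https://clientauth.one.digicert.co.jp
https://clientauth.demo.one.nl.digicert.com
https://clientauth.one.nl.digicert.com"

# sm_normalize_host URL -> URL without trailing slashes, so a value typed
# as "https://clientauth.one.digicert.com/" compares equal to the table.
sm_normalize_host() {
    printf '%s\n' "$1" | sed 's#/*$##'
}

# sm_valid_host URL -> 0 if URL is a known endpoint, 1 otherwise. Catches
# typos and plain-http values; credentials only work on the host that
# issued them, so an unknown host can never succeed.
sm_valid_host() {
    h=$(sm_normalize_host "$1")
    for known in $SM_KNOWN_HOSTS; do
        [ "$h" = "$known" ] && return 0
    done
    return 1
}

# sm_host_env URL -> prints "demo" or "production" so a demo key being
# pointed at a production host (or vice versa) is visible in the log.
sm_host_env() {
    case "$(sm_normalize_host "$1")" in
        https://clientauth.demo.*) echo demo ;;
        https://clientauth.*)      echo production ;;
        *)                         echo unknown; return 1 ;;
    esac
}

# sm_cert_file_ok PATH -> 0 if PATH is a regular, readable file with no
# group or world permission bits. The bundle plus its password is the
# second factor; a 0644 file hands it to every local account.
sm_cert_file_ok() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)     # group+other permission bits
    case "$mode" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# sm_tool_on_path NAME -> 0 if the client tool resolves via PATH, which
# CI/CD integrations rely on.
sm_tool_on_path() {
    command -v "$1" >/dev/null 2>&1
}

# sm_preflight [TOOL] -> 0 when every setting is present and sane; prints
# one line per problem and returns 1 otherwise.
sm_preflight() {
    tool=${1:-smctl}       # assumed tool name
    rc=0
    if [ -z "${SM_HOST:-}" ]; then
        echo "SM_HOST is not set"; rc=1
    elif ! sm_valid_host "$SM_HOST"; then
        echo "SM_HOST '$SM_HOST' is not a known clientauth endpoint"; rc=1
    else
        echo "SM_HOST ok ($(sm_host_env "$SM_HOST") environment)"
    fi
    [ -n "${SM_API_KEY:-}" ] || { echo "SM_API_KEY is not set"; rc=1; }
    [ -n "${SM_CLIENT_CERT_PASSWORD:-}" ] || { echo "SM_CLIENT_CERT_PASSWORD is not set"; rc=1; }
    if [ -z "${SM_CLIENT_CERT_FILE:-}" ]; then
        echo "SM_CLIENT_CERT_FILE is not set"; rc=1
    elif ! sm_cert_file_ok "$SM_CLIENT_CERT_FILE"; then
        echo "SM_CLIENT_CERT_FILE '$SM_CLIENT_CERT_FILE' is missing or readable by other users (chmod 600 it)"; rc=1
    fi
    sm_tool_on_path "$tool" || { echo "$tool is not on PATH"; rc=1; }
    return $rc
}

# Run directly with: SM_PREFLIGHT=1 sh preflight.sh   (or source the file
# and call sm_preflight from your build script).
if [ "${SM_PREFLIGHT:-0}" = 1 ]; then
    sm_preflight
fi
```

Run it as the first step of the signing job so a wrong region, a demo key on a production host, or a certificate bundle left world-readable fails the build with a clear message instead of an opaque error from the signing tool. The permission check deliberately rejects group access too: on a shared build agent, the group is usually everyone.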