Requirements

DigiCert® requires two-factor authentication (2FA) for all DigiCert® Software Trust Manager users. This requirement applies to signing activities and to DigiCert® ONE-based actions, such as keypair and certificate generation.

This requirement ensures compliance with CA/B Browser Forum rules for public code signing and mitigates overall security risks.

Two-factor authentication

To authenticate, two-factor authentication (2FA) must be enabled on your DigiCert® ONE account.

For DigiCert® ONE logins, authenticate with a password and a one-time password (OTP) code generated by the Google Authenticator app.
If you have admin privileges in DigiCert® ONE, you can enable the 2FA requirement.

Software Trust uses a client certificate and an API key to authenticate with DigiCert during signing.

The API key acts as the first factor of authentication and the client authentication certificate acts as the second when connecting to Software Trust client tools.
The permissions for the the API token and client authentication certificate are based on your user permissions set in Software Trust.

Create an API key

An API key is a unique identifier that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It enables secure communication between applications.

Follow the procedure below based on your user type and role:

Exemple 1. Standard user

Standard users can create their own API token because they have access to DigiCert ONE.

To create an API key:

Sign in to DigiCert ONE.
In the Managers (grid icon) menu, select Account.
On the Admin page, in the API key section, select Create API token.
On the Create API key page, add the details as needed:
1. Name
  Enter a name for the API token. This name is the display name on the API token cards. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
2. End date (optional)
  Adding an end date is not required. The end date is in UTC. For example, if you select 12 August 2023 as your end date, your API token expires on 12 August 2023 at 23:59:59 UTC.
  Note
  If you add an end date, make sure to note when the API token expires. You must update all API integrations using the API token before it expires. If you don't, the API token integrations will stop working.
  You can always edit the API token details and extend the expiration date before it expires.
Select Create.
On the Congratulations page, copy the API token and save it in a secure location so you can use it later.
Important
The API token is only displayed only once. You cannot access it after you select Finish. If you ever lose the API token, you'll need to delete the lost token and create a new one.
After you save the token, select Finish.

Exemple 2. Service user

An API key is only generated when you create a new service user. You cannot regenerate an API key for an existing service user.

Astuce

The DigiCert® Account Manager permission: Manage users is required to create a service user.

To create a service user:

Sign in to DigiCert ONE.
In the Managers (grid icon) menu, select Account.
In the Account menu, go to Access > Service User.
Select Create service user.
Enter service user details:
1. Friendly name
  Enter a unique display name. The name must include only letters, numbers, spaces, dashes, and underscores. Actions are logged under this name.
2. Optional: Description
  Add additional information about the service user. This description only appears in the Service user details.
3. Optional: End date
  Specify an expiration date (UTC). For example, selecting January 12, 2026 means the service user expires at 23:59:59 UTC.
  Astuce
  Update API integrations using this token ID before expiration to prevent disruptions. If needed, you can extend the expiration date later.
4. Email
  Provide the email address of the person managing this service user's credentials. DigiCert ONE does not send emails to this address, so communicate any necessary details directly.
5. Accounts that this service user can access
  In the dropdown, select the accounts that this service user can access for their API integrations.
6. DigiCert ONE Manager access
  Assign one or more DigiCert ONE Managers. The service user can access the API for each Manager assigned here.
Assign accounts and access:
1. In the Accounts that can use this service user field, select the accounts this service user needs to interact with.
2. In the DigiCert ONE Manager access field, assign one or more managers the service user will access via the API.
Select Next.
On the Roles and permissions page, select the user roles for each manager assigned to the service user.
Astuce
Only assign roles necessary for the task or integration. If required, you can update these roles later.
Select Create service user.
In the Service user token ID window, copy the ID and save it securely.
Important
The token ID is displayed only once and cannot be recovered if lost.
After saving the token ID, select Close.

Create a client authentication certificate

A client authentication certificate is an X.509 digital certificate that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It enables secure communication between applications.

Follow the procedure below based on your user type and role:

Exemple 3. Standard user

Standard users can create their own client authentication certificate because they have access to DigiCert ONE.

To generate a client authentication certificate:

Sign in to DigiCert ONE.
In the Managers (grid icon) menu, select Account.
In the Account menu, go to Access > Users > Client authentication certificates.
Select Create client authentication certificate.
Provide the following information:
1. Nickname
  This name is the display name on the Admin details page in the Authentication certificates section. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
2. End date
  Enter the certificate expiration date. Make sure that the certificate expiration date does not expire after the API token expiration date.
  If the API token end date does not fit your use case, update or remove the API token end date first. Then come back and generate the authentication certificate.
  Note
  Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integrations will stop working.
3. Encryption
  Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
4. Signature hash algorithm
  Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
Select Generate certificate.
Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request.
Note
The certificate's password is only displayed only once. You cannot access it after you select Download certificate. If you lose the password, you will need to generate a new authentication certificate.
Select Download certificate.
Remember the file path to your client authentication certificate, you will need to reference it later.
Note
You cannot download the certificate again. If you lose your certificate, you will need to generate a new authentication certificate.
Select Close.

Exemple 4. Service user

Service users do not have access to DigiCert ONE, therefore a standard user will need to generate a client authentication certificate for the service user.

Astuce

The DigiCert® Account Manager permission: Manage users is required to create a client authentication certificate for a service user.

To create a client authentication certificate for a service user:

Sign in to DigiCert ONE.
In the Managers (grid icon) menu, select Account.
In the Account menu, go to Access > Service User.
In the Friendly name column, select the service user's friendly name.
Navigate to the Client authentication certificates section.
Select Create client authentication certificate.
Provide the following information:
1. Nickname
  This is the friendly name shown on the Service user details page. The name must be unique and may only include letters, numbers, spaces, dashes, and underscores.
2. End date
  Enter an expiry date for the certificate.
  Astuce
  Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integrations will stop working.
3. Encryption
  Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
4. Signature hash algorithm
  Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
Select Generate certificate.
Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request.
Astuce
This password is required for installation and API requests. You will not be able to retrieve it later.
Download Download certificate.
Astuce
You cannot download it again. If lost, you must generate a new certificate.
Remember the file path to your client authentication certificate, you will need to reference it later.
Select Close.

Host environment

When you are setting up your environment variable, you must provide the DigiCert ONE host value.

The DigiCert ONE host value refers to the specific environment URL for connecting your client tools to perform an operation, such as software signing.

The value is a designated endpoint that corresponds to your operational region and environment (production or demo).

For example, if you are operating a production environment in the United States, then the value for SM_HOST would be https://clientauth.one.digicert.com/.
As another example, if you are operating a demo environment in the Netherlands, then the value for SM_HOST would be https://clientauth.demo.one.nl.digicert.com.

These host values are essential for configuring your environment variables correctly, ensuring secure and accurate connections between your client tools and DigiCert ONE services.

Note

You can only connect to the host that was used to create your credentials.

Tableau 1. Host options

Country	Host type	SM_HOST value
United States of America (USA)	Demo	https://clientauth.demo.one.digicert.com
United States of America (USA)	Production	https://clientauth.one.digicert.com
Switzerland (CH)	Demo	https://clientauth.demo.one.ch.digicert.com
Switzerland (CH)	Production	https://clientauth.one.ch.digicert.com
Japan (JP)	Demo	https://clientauth.demo.one.digicert.co.jp
Japan (JP)	Production	https://clientauth.one.digicert.co.jp
Netherlands (NL)	Demo	https://clientauth.demo.one.nl.digicert.com
Netherlands (NL)	Production	https://clientauth.one.nl.digicert.com

Client tools

Software Trust enables you to sign either directly with third-party signing tools or via DigiCert signing tools. Regardless of the method you choose, you will require a cryptographic library to ensure that your private key remains protected while allowing you to create digital signatures.

To download client tools:

Sign in to DigiCert ONE.
In the Managers ( ) menu, select Software Trust.
In the Software Trust menu, go to Resources > Client tool repository.
Download the appropriate files, move them to the appropriate client computer, and extract (or install).

The following client tools are available:

Exemple 5. Windows

The following clients tools are available for signing on Windows:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
DigiCert® Click-to-sign
DigiCert Click-to-sign provides Windows customers with a simple UI-based signing workflow that does not require use of the SMCTL. After you specify your signing preferences in the DigiCert Click-to-sign installation wizard, you simply need to right-click on a file or folder to sign.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.
KSP library
Software Trust KSP is a Microsoft CNG (Cryptographic: Next Generation) library-based client-side tool
ReversingLabs scanning tool
This tool will only work if software scanner is enabled on your Software Trust account. It is a Dynamic Application Security Testing (DAST) service powered by ReversingLabs to scan your software for malware, vulnerabilities, secrets, and more before releasing your software to the public.

Exemple 6. Linux

The following clients tools are available for signing on Linux:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.
GPG smart card daemon (SCD)
Software Trust GPG Smart Card Daemon (SCD) is a GPG compliant SCD client-side tool that integrates with the GPG-agent (part of the GPG tool suite) for all GPG based hash signing use cases.
ReversingLabs scanning tool
This tool only works if software scanner is enabled on your Software Trust account. It's a Dynamic Application Security Testing (DAST) service, powered by ReversingLabs, that scans your software for malware, vulnerabilities, secrets, and more before releasing your software.

Exemple 7. macOS

The following client tools are available for signing on macOS:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI), which supports manual or automated private key, certificate management, and signing with (or without) the need for human intervention.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request doesn't require the transportation of files and intellectual property.
CryptoTokenKit
CryptoTokenKit is an implementation of the Apple CryptoTokenKit extension and is used to sign Apple binaries while the keys are stored remotely in Software Trust.
GPG smart card daemon (SCD)
Software Trust GPG Smart Card Daemon (SCD) is a GPG compliant SCD client-side tool that integrates with the GPG-agent (part of the GPG tool suite) for all GPG based hash signing use cases.
ReversingLabs scanning tool
This tool only works if software scanner is enabled on your Software Trust account. It's a Dynamic Application Security Testing (DAST) service, powered by ReversingLabs, to scan your software for malware, vulnerabilities, secrets, and more before releasing your software.

Set PATH environment variables

Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.

Note

Client tools must be available in the PATH variable for the environment to invoke the client control from CI/CD integration without specifying the path. For the following examples, it's assumed the path to the client control tools has been set in the path.

Exemple 8. Windows

You can set the PATH environment variable using command line or via the environment variables.

To set the path to your signing tools via command line:

set PATH=%path%;<path to client tools>

To set the path to your signing tools for your system or account:

Search for environment variables in the Windows start menu.
Select Edit environment variables for your account or Edit system environment variables.
Select (double-click) on the Path variable.
Select New.
Select Browse.
Select the path to the client tools.
Select OK to save the path.
Select OK to close the dialog.

Exemple 9. Linux

To set the path to your signing tools via command line:

Launch the Terminal application.
Open the file in an editor:
```
nano ~/.profile
```
Add any exports definitions you need:
```
export PATH=<Path to client tools>
```
Select CTRL+X to exit.
Select Y to save.
Select Enter to keep the same file name.
Execute the new .profile by restarting Terminal or using:
```
 source ~/.profile
```

Exemple 10. macOS

To set the path to your signing tools via command line:

Launch the Terminal application.
Create a profile file:
```
touch ~/.zprofile
```
Open the file in an editor:
```
open ~/.zprofile
```
Add any exports definitions you need, such as:
```
export PATH=<Path to client tools>
```
To save the new .zprofile, select File > Save (CMD + S).
Close the terminal window and reopen to use new saved variables.

Secure your credentials

Your DigiCert ONE host environment, API key, client authentication certificate, and password make up your environment variables and are required to access Software Trust client tools. Use one of the following methods to securely store your credentials based on your operating system.

Exemple 11. Windows

The most secure method is to store your API key and certificate password in Windows Credential Manager, a protected vault.

Exemple 12. Linux

The most secure method is to store your API key and certificate password in Linux Pass, which uses GnuPG encryption.

Exemple 13. macOS

The most secure method is to store your API key and certificate password in Keychain Access, macOS's built-in password manager.

Dans cette section:

Requirements

Two-factor authentication

Create an API key

Note

Important

Astuce

Astuce

Astuce

Important

Create a client authentication certificate

Note

Note

Note

Astuce

Astuce

Astuce

Astuce

Host environment

Note

Client tools

Set PATH environment variables

Note

Secure your credentials

Résultats de la recherche