Skip to main content

Lead guide

The account lead is responsible for managing assets, users, and is able to sign with the key stored DigiCert® Software Trust Manager.

Follow the instructions below to set up your account for code signing.

Enable two-factor authentication (2FA)

2FA is required when signing with a key stored in Software Trust Manager.

To enable 2FA:

Sign in to DigiCert ONE.
Navigate to the Manager menu icon (top right) > Accounts.
Select the Name of the account.
On the Account details page, navigate to the Sign-in settings for all-account-access users section.
Select the pencil icon next to Two-factor authentication.
Select the radio button next to Enable two-factor authentication.
Select Update two-factor authentication.

Manage your account users

Before adding new users, identify the type of user and the role you need them to play in the account.

User types

There are two types of DigiCert ONE users:

例 1. User

A user has access to DigiCert ONE. A user is generally a person who needs to perform cryptographic actions in Software Trust Manager and clients.

Users are associated with:

First and last name
Username
Email address
Telephone number

例 2. Service user

A service user does not have access to the Software Trust Manager UI. A service user is generally a user-like entity with API access that is not associated with a real person and is used for automation of workflows on a machine such as a build server.

Service users are associated with:

Friendly name
Email address (used for notifications)

User roles

There are 5 types of Software Trust Manager user roles:

例 3. Lead

The lead role is used for users responsible for managing cryptographic assets, enforcing policies, monitoring compliance for users in the account.

The following permissions assigned to this role:

Category	Permission	Description
User settings	Default	User can view their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Account settings	Manage account settings	User can update DigiCert® Software Trust Manager > Accounts > Account settings.
Account settings	View license	User can view licenses for the account.
Teams	Manage all teams	User can: Create new teams. View, update, deactivate, delete, and map resources to existing teams.
Audit logs	View audit log	User can view audit and signature logs in the account.
Audit logs	Export audit logs	User can export audit logs in the account.
Certificates	Manage certificate hierarchy	User can create, update, approve, reject, suspend, unsuspend, and view certificate hierarchies.
	Manage certificate profiles	User can: Create, update, enable, disable, and delete certificate profiles. Update and delete certificates.
	View certificate profile	User can view certificate profile details in the account.
	View certificate template	User can view certificate template details in the account.
	Generate certificate	User can create a new certificate.
	Import certificate	User can import certificates into the account.
	Revoke certificate	User can revoke certificates in the account.
	View certificate	User can view certificate details in the account.
Keypairs	Request keypair export	User can request to export keypairs.
	Approve keypair export	User can approve requests to export keypairs.
	Approve keypair delete	User can approve requests to delete keypairs.
	Import keypair	User can import keypairs into the account.
	Generate keypair	User can create a new keypair.
	View keypair	User can view keypair details in the account.
	Manage keypair	User can: Update, suspend or unsuspend keypairs. Create, update, enable, and disable keypair profiles. Create and update user groups. Create, update, and refresh key rotation. Generate a CSR
	Manage master keypair	User can: Create GPG master key Update, import, delete, generate, revoke, suspend, unsuspend a master key. Sign and create subkeys.
Signatures	Sign	User can sign.
Releases	View release	User can view releases in the account.
	Request release	User can request to create an offline release.
	Approve release	User can approve requests to create offline releases.
Threat detection	Manage Threat detection	User can view and download threat detection scans in the account.

例 4. Team lead

The team lead role is used for managing developers and engineering teams responsible for signing and releasing software.

The following permissions assigned to this role:

Category	Permission	Description
User settings	Default	User can view their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Account settings	View license	User can view licenses for the account.
Teams	Manage my team	User can view, update, deactivate, and map resources to existing teams that they are part of.
Audit logs	View audit log	User can view audit and signature logs in the account.
Audit logs	Export audit logs	User can export audit logs in the account.
Certificates	Manage certificate hierarchy	User can create, update, approve, reject, suspend, unsuspend, and view certificate hierarchies.
	View certificate profile	User can view certificate profile details in the account.
	View certificate template	User can view certificate template details in the account.
	Import certificate	User can import certificates into the account.
	Revoke certificate	User can revoke certificates in the account.
	Generate certificate	User can create a new certificate.
	View certificate	User can view certificate details in the account.
Keypairs	Import keypair	User can import keypairs into the account.
	Request keypair export	User can request to export keypairs.
	Approve keypair export	User can approve requests to export keypairs.
	Approve keypair delete	User can approve requests to delete keypairs.
	Generate keypair	User can create a new keypair.
	View keypair	User can view keypair details in the account.
	Manage keypair	User can: Update, suspend or unsuspend keypairs. Create, update, enable, and disable keypair profiles. Create and update user groups. Create, update, and refresh key rotation. Generate a CSR
	Manage master keypair	User can: Create GPG master key Update, import, delete, generate, revoke, suspend, unsuspend a master key. Sign and create subkeys.
Signatures	Sign	User can sign.
Releases	View release	User can view releases in the account.
	Request release	User can request to create an offline release.
	Approve release	User can approve requests to create offline releases.
Threat detection	Manage Threat detection	User can download threat detection scans in the account. User can run scans on software using Threat detection.

例 5. Developer

The developer role is used for users responsible for signing, managing assets related to signing, and releasing software.

The following permissions assigned to this role:

Category	Permission	Description
User settings	Default	User can view their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Account settings	View license	User can view licenses for the account.
Audit logs	View audit log	User can view audit and signature logs in the account.
Certificates	View certificate profile	User can view certificate profile details in the account.
	View certificate template	User can view certificate template details in the account.
	Generate certificate	User can create a new certificate.
	View certificate	User can view certificate details in the account.
Keypairs	Generate keypair	User can create a new keypair.
Keypairs	View keypair	User can view keypair details in the account.
Signatures	Sign	User can sign.
Releases	Request release	User can request to create an offline release.
Releases	View release	User can view releases in the account.
Threat detection	View Threat detection	User can view threat detection scans in the account.

例 6. Build engineer

The build engineer role is for users responsible for signing and scanning software using threat detection.

The following permissions assigned to this role:

Category	Permission	Description
User settings	Default	User can view their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Audit logs	View audit log	User can view audit and signature logs in the account.
Certificates	View certificate profile	User can view certificate profile details in the account.
	View certificate template	User can view certificate template details in the account.
	View certificate	User can view certificate details in the account.
Keypairs	View keypair	User can view keypair details in the account.
Signatures	Sign	User can sign.
Releases	View release	User can view releases in the account.
Threat detection	View Threat detection	User can view threat detection scans in the account.
	Manage Threat detection	User can download threat detection scans in the account.
	Run Threat detection scans	User can run scans on software using Threat detection.

例 7. Signer

The signer role is used for engineers or authenticated devices responsible for signing software.

The following permissions assigned to this role:

Category	Permission	Description
User settings	Default	User can view their own user profile and generate their own API key and client authentication certificate in DigiCert ONE.
Account settings	View license	User can view licenses for the account.
Audit logs	View audit log	User can view audit and signature logs in the account.
Certificates	View certificate profile	User can view certificate profile details in the account.
	View certificate template	User can view certificate template details in the account.
	View certificate	User can view certificate details in the account.
Keypair	View keypair	User can view keypair details in the account.
Signatures	Sign	User can sign.
Releases	View release	User can view releases in the account.

Add users

Based on the user types and user roles you have reviewed above, follow one of the procedures below to add a user to DigiCert ONE:

Create a team (optional)

Select users, groups, or both to form a team and then map relevant resources to them. You can restrict team resources such as keypairs, releases, and enforce keypair profiles and certificate profiles. If you do not see this option, enable teams.

To create a team:

Sign in to DigiCert ONE.
Navigate to the Manager menu icon (top-right) > Software Trust.
Select Account > Teams.
Select Create.

ヒント

For more detailed instructions, refer to Teams .

Create a keypair profile (optional)

Keypair profiles simplify keypair generation by preconfiguring values for all keypair options. If you do not see Keypair profiles in the left navigation menu, enable keypair profiles.

To create a keypair profile:

Sign in to DigiCert ONE.
Navigate to manager menu icon (top-right) > Software Trust.
Select Keypairs > Keypair profiles.
Select Create keypair profile.

ヒント

For more detailed instructions, refer to Keypair profiles.

Create a keypair

A keypair is required to create a certificate and sign. You have permission create keypairs, review the two keypair types supported by Software Trust Manager:

例 10. Standard keypairs

A standard keypair refers to a public key and an associated private key. The public key encrypts data that can only be decrypted by its associated private key, thereby establishing an encrypted connection.

To create a standard keypair:

Sign in to DigiCert ONE.
Navigate to the manager menu icon (top-right) > Software Trust.
注記
Check the box next to Generate certificate to create a certificate at the same time as generating a keypair.
Select Keypairs > Create keypair.

ヒント

For more detailed instructions, refer to standard keypair.

例 11. GPG keys

GPG keys are different from standard keypairs because each GPG key includes a master key and associated subkeys. We recommend that the master key only be used for creating subkeys and the subkeys be used for signing. In the event that a subkey is compromised, this will allow you to revoke and replace the affected subkey, while the master key and uncompromised subkeys remain secure.

注記

Use of GPG keys are generally enabled by Technical support. However, if DigiCert ONE is hosted in-house, the certificate template can be created by a system scope admin with the Manage account settings permission.

To create a GPG master key or subkey:

Sign in to DigiCert ONE.
Navigate to the manager menu icon (top-right) > Software Trust.
Select Keypairs > GPG keys.
Select Create master key or Create subkey.

ヒント

For more detailed instructions, refer to GPG keys.

Integrate your account with CertCentral (optional)

If you intend to use publicly trusted certificates, integrate your account with CertCentral. If you do not see an Integrations tab in the left navigation bar, contact your account manager to enable CertCentral integration.

ヒント

For more detailed instructions, refer to CertCentral integration.

Set up CertCentral integration

To set up CertCentral integration:

Sign in to DigiCert ONE.
Navigate to the Manager menu icon (top-right) > Software Trust.
In the left navigation bar, select Integration > CertCentral.
Link your CertCentral account by choosing one of the three options below:
1. Enter your CertCentral credentials.
2. Create a CertCentral account.
3. Connect using your CertCentral API key.

注記

If you choose to connect using your API key, follow the instructions below to generate an API key in CertCentral.

Generate an API key in CertCentral

Sign in to CertCentral.
In the left-hand side navigation bar, select Automation.
Navigate to: API Keys > Add API Key.

Complete the following fields:

Field	Description
Description	Provide an identifiable name for your CertCentral API key.
User	Select a user you want to link the CertCentral API key to. 注記 The user must have the Administrative role assigned to them in CertCentral.
API key restrictions	Select Orders, Domains, and Organizations.

Select Add API Key.

注記

The API key is only shown once, it cannot be accessed again. Securely store the API key to use it later.

Create a certificate profile

Certificate profiles simplify certificate generation by preconfiguring values for all certificate options.

To create a certificate profile:

Sign in to DigiCert ONE.
Navigate to: Manager menu icon (top right) > Software Trust.
Select Certificates > Certificate profiles.
Select Create certificate profile.

ヒント

For more detailed instructions, refer to Certificate profiles.

Create a certificate

A certificate is required to sign. You have permission generate certificates, you can generate public or private code signing certificates in Software Trust Manager.

To create a certificate:

Sign in to DigiCert ONE.
Navigate to the Manager menu icon (top right) > Software Trust.
Select Keypairs.
Hover over the keypair you want to use to create the certificate until the menu icon appears.
Select Generate certificate.

ヒント

For more detailed instructions, refer to Certificates.

Create a release

Releases protect keys by restricting their use to pre-approved dates and times. The pre-approved date and time selected for a release is referred to as a release window. Within a release window, organizations can control which keypairs can be used, who can use them, and the maximum number of signatures that can be used during the release.

To create a software release:

Sign in to DigiCert ONE.
Navigate to the manager menu icon (top-right) > Software Trust.
Select Releases.
Select Create release.

ヒント

For more detailed instructions, refer to Releases.

Manage threat detection

Software Trust Manager offers two types of threat detection. You can scan your software for malware, vulnerabilities, secrets, and more before releasing your software for consumption using our Dynamic Application Security Testing (DAST) service powered by ReversingLabs. You can also scan Developer ID-signed software for malicious components before distribution outside of the Mac App Store.

ヒント

If you do not see Threat detection in the left navigation menu, contact your account manager to add ReversingLabs integration to your service agreement. For more information about how to run a scan and interpret a scan report, refer to Threat dectection.

Next steps

If you as the account lead also want to sign, follow the instructions in the Signer's guide to get ready to sign with your private key stored in Software Trust Manager.

The following articles may be useful to you while managing the account:

このセクションの内容: