Coming soon: Sign with OpenSSL using Software Trust OpenSSL provider (recommended)
Sign artifacts using signing keys stored in DigiCert® Software Trust Manager. This signing method uses the Software Trust Manager OpenSSL provider which plugs into OpenSSL's provider architecture via a shared library, meaning that existing OpenSSL commands and toolchains work unchanged; you simply add -provider digicert_stm to your command line.
Tip: All signing commands follow the same pattern: add `-provider digicert_stm` (and `-provider default` to keep standard algorithms available), then reference your key with an `stm://` URI.
Before you begin
Before you begin, make sure you have:
OpenSSL 3.1 or later (ML-DSA requires OpenSSL 3.5.0 or later)
Operating system:
Windows (x64, x86, ARM64)
Linux (x64, x86, ARM64)
macOS (x64, ARM64/Apple Silicon)
Step 1: Sign with OpenSSL
openssl dgst is the most common command for producing detached signatures and verifying them.
Produce a detached signature:
```bash
openssl dgst -sha256 \
  -provider digicert_stm -provider default \
  -sign "stm://3f46a2c1-8b9d-4e72-a3f1-0123456789ab" \
  -out signature.bin \
  artifact.tar.gz
```
openssl pkeyutl provides entry-level sign, verify, encrypt, and decrypt operations.
Sign a pre-computed digest:
```bash
# Compute the digest first
openssl dgst -sha256 -binary artifact.tar.gz > digest.bin

# Sign the digest. The stm:// URI is loaded through the provider's store
# loader, so no -keyform option is needed; -pkeyopt digest:sha256 tells
# pkeyutl which hash the input digest was produced with.
openssl pkeyutl \
  -provider digicert_stm -provider default \
  -inkey stm://my-rsa-4096-key \
  -sign -in digest.bin \
  -out signature.bin \
  -pkeyopt digest:sha256
```
RSA encryption / decryption:
```bash
# Extract the public key (no STM credentials needed for this step)
openssl storeutl -provider digicert_stm -provider default \
  -keys -out pubkey.pem stm://my-rsa-4096-key

# Encrypt with the public key (no STM needed)
openssl pkeyutl -encrypt \
  -inkey pubkey.pem -pubin \
  -in plaintext.bin -out ciphertext.bin

# Decrypt with the STM private key
openssl pkeyutl -decrypt \
  -provider digicert_stm -provider default \
  -inkey stm://my-rsa-4096-key \
  -in ciphertext.bin -out plaintext.bin
```
openssl cms and openssl smime are used for email signing, document signing, and packaging artifacts with embedded certificates.
CMS sign (detached):
```bash
# Detached is the default for cms -sign; -nodetach would embed the
# content in the output instead of producing a detached .p7s.
openssl cms -sign \
  -provider digicert_stm -provider default \
  -inkey stm://my-rsa-4096-key \
  -signer signing-cert.pem \
  -in document.pdf \
  -out document.pdf.p7s \
  -outform DER
```
S/MIME sign an email message:
```bash
openssl smime -sign \
  -provider digicert_stm -provider default \
  -inkey stm://my-ecdsa-p384-key \
  -signer signing-cert.pem \
  -in email.txt \
  -out email.p7m \
  -md sha384
```
You can generate a certificate signing request (CSR) using a Software Trust Manager key. The private key stays in the HSM; only the public key is embedded in the CSR.
```bash
openssl req -new \
  -provider digicert_stm -provider default \
  -key stm://my-rsa-4096-key \
  -subj "/CN=my-service/O=MyOrg/C=US" \
  -out request.csr
```
For ECDSA:
```bash
openssl req -new \
  -provider digicert_stm -provider default \
  -key stm://my-ecdsa-p256-key \
  -subj "/CN=my-service/O=MyOrg/C=US" \
  -out request.csr
```
Use storeutl to extract the public key or certificate chain for the associated keypair. This doesn’t require the private key.
Extract the public key in PEM format:
```bash
openssl storeutl \
  -provider digicert_stm -provider default \
  -keys \
  stm://my-rsa-4096-key
```
Extract the signing certificate:
```bash
openssl storeutl \
  -provider digicert_stm -provider default \
  -certs \
  stm://my-rsa-4096-key
```
Extract and save to a file:
Step 2: Verify signature offline
Verification uses the standard OpenSSL default provider; no Software Trust Manager credentials are required.
To verify a signature:
1. Extract the public key or certificate.
2. Verify the signature locally.
Verify signature with openssl dgst
To extract the signer's public key:
```bash
openssl storeutl \
  -provider digicert_stm -provider default \
  -keys -out pubkey.pem stm://my-rsa-4096-key
```
To verify the signature:
```bash
openssl dgst -sha256 \
  -verify pubkey.pem \
  -signature signature.bin \
  artifact.tar.gz
```
Successful output:
```
Verified OK
```
Verify signature with openssl pkeyutl
```bash
openssl pkeyutl \
  -verify \
  -inkey pubkey.pem -pubin \
  -sigfile signature.bin \
  -in artifact.tar.gz
```
RSA padding modes
For RSA keys, the provider supports two padding modes:
| Mode | -sigopt value | Use case |
|---|---|---|
| PKCS#1 v1.5 | (default, no option needed) | Broadest compatibility |
| RSA-PSS | rsa_padding_mode:pss | Modern APIs, Authenticode |

RSA-PSS example:
```bash
openssl dgst -sha256 \
  -provider digicert_stm -provider default \
  -sign stm://my-rsa-4096-key \
  -sigopt rsa_padding_mode:pss \
  -sigopt rsa_pss_saltlen:32 \
  -out signature.pss.bin \
  artifact.tar.gz
```
Troubleshooting
Logging and diagnostics
By default the provider writes logs to $SM_HOME/logs/digicert_stm_ossl_provider.log.
Enable debug logging:
```bash
export SM_LOG_LEVEL=debug
```
Stream logs to the console for interactive debugging:
```bash
export SM_LOG_OUTPUT=stdout
export SM_LOG_LEVEL=trace
```
Typical log entries:
```
time="2026-03-20T10:15:23Z" level=info msg="Initializing SM OpenSSL Provider" provider="digicert_stm"
time="2026-03-20T10:15:23Z" level=info msg="REST client initialized successfully"
time="2026-03-20T10:15:24Z" level=debug msg="key 3f46a2c1-... found in cache"
time="2026-03-20T10:15:24Z" level=info msg="Signing operation completed" alg="SHA256withRSA"
```
Debugging aid
Enable trace-level logging to see every API call and parameter:
```bash
export SM_LOG_LEVEL=trace
export SM_LOG_OUTPUT=stdout
openssl dgst -sha256 -provider digicert_stm -provider default \
  -sign stm://my-key -out sig.bin file.txt 2>&1 | head -100
```
Error messages and solutions
Provider fails to load
Error:
```
openssl: provider 'digicert_stm' not found
```
Solution:
Confirm the file exists.
Windows:
```powershell
dir $env:OPENSSL_MODULES\digicert_stm.dll
```
Linux and macOS:
```bash
ls $OPENSSL_MODULES/digicert_stm.so
```
Verify with `openssl version`.

Tip: Requires OpenSSL 3.x or later.

On Linux, check library dependencies with `ldd libdigicert_stm.so`. A missing `libssl.so.3`/`libcrypto.so.3` means OpenSSL 3.x isn't installed.
Authentication failures
Error:
```
failed to setup REST client
```
Or in logs:
```
401 Unauthorized
```
Solution:
Print and verify that all required environment variables are set (for example, `echo $SM_API_KEY`).
Confirm the SM_CLIENT_CERT_FILE path exists and the password is correct:
```bash
openssl pkcs12 -info -in $SM_CLIENT_CERT_FILE -passin env:SM_CLIENT_CERT_PASSWORD
```
Verify the API key has signing permissions in Software Trust Manager.

Tip: To check your permissions, in SMCTL run:
```bash
smctl healthcheck
```
Key not found
Error:
```
failed to load keypair: 404 Not Found
```
Solution:
In SMCTL, confirm the keypair exists:
```bash
smctl keypair list
```
Confirm the keypair alias spelling; aliases are case-sensitive.
Verify your API key has access to the keypair; the keypair may be restricted to a different project.
ML-DSA key fails with "unknown algorithm"
Error:
```
unknown message digest algorithm 'mldsa44'
```
Solution:
ML-DSA requires OpenSSL 3.5.0 or higher. Check `openssl version`. If your system OpenSSL is older, specify the path of OpenSSL 3.5.0:
```bash
export OPENSSL_MODULES=/opt/openssl-3.5.0/lib/ossl-modules
/opt/openssl-3.5.0/bin/openssl dgst \
  -provider digicert_stm -provider default \
  -sign stm://my-mldsa-65-key \
  -out sig.bin file.txt
```
Signature verification fails with default provider
Error:
```
Verification Failure
```
Solution:
Ensure you used the public key that matches the signing key.
Confirm the same `-sha<N>` hash algorithm was used for both signing and verifying.
For RSA-PSS signatures, pass the same `-sigopt` settings during verification:
```bash
openssl dgst -sha256 -verify pubkey.pem \
  -sigopt rsa_padding_mode:pss \
  -signature signature.bin artifact.tar.gz
```
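The following script is an added example (not part of DigiCert's documentation or the provider) that exercises the offline verification flow from Step 2 and the RSA padding-mode rule above: it verifies both a PKCS#1 v1.5 and an RSA-PSS detached signature and reproduces the "Verification Failure" that results when the verifier's `-sigopt` padding does not match the signer's. It assumes a locally generated RSA key as a stand-in for the `stm://` key, since the verification side never talks to Software Trust Manager; with the real provider only the signing lines would change to `-provider digicert_stm -provider default -sign stm://...`.

```bash
#!/bin/sh
# Added example: offline signature verification with matching -sigopt settings.
# ASSUMPTION: signing-key.pem is a locally generated stand-in for an stm:// key.
set -e

WORK="${TMPDIR:-/tmp}/stm-verify-demo.$$"
mkdir -p "$WORK"
cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed artifact and stand-in signing key (not an STM-hosted key).
printf 'release payload v1.0\n' > artifact.tar.gz
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out signing-key.pem 2>/dev/null
openssl pkey -in signing-key.pem -pubout -out pubkey.pem

# sign_artifact MODE  (pkcs1 = default padding, pss = RSA-PSS with 32-byte salt)
# Writes signature.MODE.bin next to the artifact.
sign_artifact() {
  mode="${1:-pkcs1}"
  if [ "$mode" = pss ]; then
    openssl dgst -sha256 -sign signing-key.pem \
      -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 \
      -out "signature.$mode.bin" artifact.tar.gz
  else
    openssl dgst -sha256 -sign signing-key.pem \
      -out "signature.$mode.bin" artifact.tar.gz
  fi
}

# verify_artifact MODE SIGFILE  -> exit 0 on "Verified OK", non-zero otherwise.
# Uses only the default provider and the extracted public key; the verifier
# must pass the same hash and the same padding -sigopt as the signer did.
verify_artifact() {
  mode="${1:-pkcs1}"
  if [ "$mode" = pss ]; then
    openssl dgst -sha256 -verify pubkey.pem -sigopt rsa_padding_mode:pss \
      -signature "$2" artifact.tar.gz >/dev/null 2>&1
  else
    openssl dgst -sha256 -verify pubkey.pem \
      -signature "$2" artifact.tar.gz >/dev/null 2>&1
  fi
}

sign_artifact pkcs1
sign_artifact pss
```

Run it as-is to produce both signatures; calling `verify_artifact pkcs1 signature.pss.bin` afterwards shows the padding-mismatch failure from the troubleshooting entry above.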