DigiCert KeyLocker

We resolved an issue where users received a Error parsing JSON object error when attempting to change the signer to themselves. Users can now successfully update the signer without encountering this error.

On September 12, 2025, at 10:00 MDT (16:00 UTC), DigiCert will add new IP addresses for inbound requests using the Client authentication endpoint (clientauth.one.digicert.com).

To ensure proper connectivity for your client tools, you or your customers need to add the following IP addresses to applicable allowlists and firewall rules:

We updated two broken links that were displaying in the Start signing with DigiCert KeyLocker setup wizard. This update ensures the correct workflow to access DigiCert's documentation site.

In the DigiCert KeyLocker section of DigiCert ONE, we have made significant style updates to the platform to improve the user experience, including:

We will continue making additional design and styles changes in future releases.

We have added two flags that allow users to sign without the need of third-party tools or libraries:

--simple

--unsigned

To learn more, see Sign binary commands.

DigiCert must perform maintenance affecting DigiCert® Software Trust Manager, DigiCert® Document Trust Manager, and the PrimoSign signing service in our DigiCert® ONE USA location during scheduled maintenance on July 12, 2025, 22:00 – 24:00 MDT (July 13, 04:00 – 06:00 UTC). For more details, refer to the DigiCert Global 2025 maintenance schedule.

During this time, the Software Trust Manager and Document Trust Manager will be down for approximately 10 minutes, and the PrimoSign signing service will be down for approximately 30 minutes.

Services will be restored as soon as we complete our maintenance.

How does this affect me?

Affected services

What can I do?

Plan accordingly:

We apologize for any inconvenience. If you have questions or concerns, please contact your account manager or PKI Support | DigiCert.

We have added new flags for SMCTL that allow users to define the application name in User Account Control (UAC) prompts.

This enhancement also enforces UTF-8 encoding to prevent character display issues, particularly on systems using Japanese language settings.

We have added the following flags:

We resolved an issue where the smksp_cert_sync.exe process was failing during execution.

We resolved an issue affecting PKCS#11 client tool commands, specifically the following commands: p11cat, p11ls, p11more, and p11od.

We resolved an issue where non-subscription KeyLocker orders were incorrectly displaying Invalid date in the Current subscription term field under Signature limit in DigiCert ONE.

This issue has been resolved; the field now only displays for retail subscription orders.

We have introduced new renewal workflows for retail subscriptions in KeyLocker. With this release, when your subscription is renewed in CertCentral, KeyLocker will automatically update your order with the new subscription dates and allotted signatures.

Additionally with this release, email notifications are generated to KeyLocker account admins and assigned users regarding the new subscription period.

We have resolved an issue that prevented users from signing .jar files using the JCE method with Java 8.

Previously, attempts to sign using the documented jarsigner command failed, despite JCE method support for Java 8.

With this update, we have ensured compatibility of the JCE signing method with Java 8.

Notes::

To address user feedback, we have upgraded client tools and software. This update does not impact KeyLocker customers, and no user action is required.

To keep users informed about KeyLocker signature consumption, in this release we have introduced email notifications.

When 80%, 90%, and 100% of signature units are used, an email will be sent to the assigned signer and all account admins, when applicable.

With this release:

To address user feedback, we have upgraded client tools and software. This update does not impact KeyLocker customers, and no user action is required.

To address user feedback, we have upgraded client tools and software. This update does not impact KeyLocker customers, and no user action is required.

We resolved a broken documentation link in the Get started page in DigiCert One.

In this release, we have increased the synchronization window from 7 days to 14 days for Cert Central certificate orders.

This update reduces synchronization failures and better aligns with business timelines.

To address reported vulnerabilities, we have upgraded certain client tools and software.

We resolved an issue where clicking the KeyLocker icon to access a KeyLocker account would result in an error.

This issue has been resolved, ensuring the correct workflow to access your KeyLocker account.

In DigiCert One, we updated broken links that lead users to the documentation site.

You may have been notified about version 1.52.00 of KeyLocker tools; however, if you have already downloaded version 1.46.0 of the KeyLocker client tools, there is no need to update your client tools to the latest version as the changes made do not affect KeyLocker users.

You may have been notified about version 1.50.0 of KeyLocker tools; however, if you have already downloaded version 1.46.0 of the KeyLocker client tools, there is no need to update your client tools to the latest version as the changes made do not affect KeyLocker users.

You may have been notified about version 1.49.0 of KeyLocker tools; however, if you have already downloaded version 1.46.0 of the KeyLocker client tools, there is no need to update your client tools to the latest version as the changes made do not affect KeyLocker users.

KeyLocker accounts' end dates now automatically reflect the expiry date of the longest-valid certificate within the account. Users can align the account expiry date manually using the Sync certificate feature or wait for the automated sync job, which runs every Sunday at 2 AM, to ensure account end dates are accurately updated to match the latest certificate expiry.

You may have been notified about an updated version of KeyLocker tools; however, if you have already downloaded version 1.46.0 of the KeyLocker client tools, there is no need to update your client tools to the latest version as the changes made do not affect KeyLocker users.

We identified that the SMCTL and PKCS11 library was unintentionally excluded in version 1.46.0 of the Mac Clients. We have rectified this issue without altering the version number. If you've already installed this version, download it again to ensure you have access to all required client tools.

We added a JCE library to our Client tool repository. JCE is part of the Java Development Kit (JDK) that facilitates digital signing of Java Archive (JAR) files and related artifacts. Using JCE for signing is preferred over PKCS11 and KSP library options due to its compatibility with various operating systems (Windows, Linux, macOS, Solaris, and AIX) and Java architectures, including 64-bit, 32-bit, and ARM processors.

You may have been notified about an updated version of KeyLocker tools; however, if you have already downloaded version 1.41.0 of the KeyLocker client tools, there is no need to update your client tools to the latest version as the changes made do not affect KeyLocker users.

We have resolved an issue where the Certificate details page became skewed when multiple users were assigned as the certificate signer. This update ensures that the names are displayed clearly, without compromising user experience.

We have removed references to signature limits for certificates purchased before November 3, 2024. This update aligns with our commitment to honor the service agreement at the time of purchase.

The sync certificate feature retrieves the latest certificate status from CertCentral. This action is used if your order status in CertCentral is different to your status in DigiCert® KeyLocker. While this works correctly, we noticed that after syncing the certificate, the keypair alias was not immediately displayed in the certificate details page. We have corrected this and all relevant information should display as expected.

We have fixed an issue on the Certificates tab where filtering by keypair alias did not apply correctly, resulting in multiple certificates being listed. Now, when filtering by keypair alias, only the certificate associated with the specified keypair alias will be displayed in the list, ensuring accurate and streamlined results for users.

When a user ran the smctl healthcheck command and no signing tools were found in their system, the log files listed the following error message: "Error Tools cannot be null." We updated the error message to: "Unable to detect compatible signing tools." to improve the clarity that the user needs to install third-party signing tools.

KeyLocker implemented technical controls to enforce signature and signer limits on KeyLocker certificates purchased as stated in DigiCert's service terms on or after November 3, 2023. You can designate a user as the signer for the certificate in the Certificates tab in DigiCert​​®​​ KeyLocker. To increase the signature limit of your certificate, you can purchase additional signatures in increments of 1,000 from CertCentral. Learn more

As an ongoing effort, we have improved the scalability and reliability of DigiCert​​®​​ KeyLocker. These updates ensures seamless operations even during peak usage and provides our users with a more efficient and robust user experience.

CertCentral now issues certificates off SHA-384 signature algorithm ICAs. While previously limited to SHA-256, this update enables users to utilize SHA-384 signatures based on their CA and ICA settings within CertCentral. Users can seamlessly leverage this feature to further strengthen their certificate management workflows.

We identified an issue preventing the download of DigiCert​​®​​ KeyLocker client tools via the no authentication API endpoint: /signingmanager/api-ui/v1/releases/noauth/{releaseName}/download and CI/CD plugins. We have fixed this issue, and users should be able to successfully download our client tools using the endpoint referred to above and DigiCert​​®​​ KeyLocker plugins.

You may have been notified about an updated version of KeyLocker tools; however, if you have already downloaded version 1.41.0 of the KeyLocker client tools, there is no need to update your client tools to the latest version as the changes made do not affect KeyLocker users.