Dynamic authentication commands
The DigiCert ONE Clients app supports dynamic authentication, which enables secure API communication between your tool and the server-side Software Trust module.
Dynamic authentication supports user-based authentication. If your organization uses SSO to sign in to DigiCert ONE, dynamic authentication is ideal because it leverages the same browser-based login flow for authentication.
When user-based authentication is enabled, your tool can request access through DigiCert ONE Clients, which returns a JSON access token for immediate use and a renewal token for ongoing transactions.
Review the following commands and flags available to use for dynamic authentication through SMCTL.
These commands and flags begin with:
smctl [command]
Commands
Review the following commands that you can use:
| Command | Description |
|---|---|
| certificate | Manage certificates. |
| completion | Generate autocompletion scripts for the specified shell. |
| credentials | Manage Secure Software Manager (SSM) credentials from the OS-specific credential store. |
| gpg | Manage GPG keypairs. |
| healthcheck | View and check the validity of the credentials and configured tools. |
| help | Obtain help information for any command. |
| hsm | Manage HSMs mapped to the account. |
| keypair | Manage keypairs. |
| logs | Manage logs. |
| manual | Generates manual pages for SMCTL. |
| release | Manage releases. |
| scan | Manage scans. |
| sign | Sign, verify, or remove signatures. |
| team | Manage teams. |
| user | Obtain user information. |
| windows | Commands specific to Windows. |
Flags
This command supports the following flags:
| Shortcut | Flag | Description |
|---|---|---|
| | --dynamic-auth | Use dynamic authentication via DigiCert ONE Clients. |
| -h | --help | Obtain help for SMCTL. |
| -v | --version | Obtain version number for SMCTL. |
Dynamic authentication behavior for signing
Dynamic authentication behaves differently depending on the signing method used.
Simple and bulk signing with SMCTL only
When using the --simple signing approach, all signing operations are performed directly by SMCTL. In this scenario, dynamic authentication works as expected when the --dynamic-auth flag is provided.
Example command
smctl sign --keypair-alias <aliasname> --input <file_or_folder> --simple --dynamic-auth
Tip
This works for both simple and bulk signing because the --simple option does not rely on third-party signing tools.
Signing with third-party tools
When signing without the --simple flag, SMCTL delegates the signing operation to third-party tools such as signtool or jarsigner. These tools rely on Software Trust Manager libraries such as KSP or PKCS#11.
Command example
smctl sign --keypair-alias <aliasname> --input <file_or_folder> --dynamic-auth
Tip
Providing the --dynamic-auth flag alone is not sufficient. The signing operation will fail because the dynamic authentication setting is not automatically passed to the underlying libraries.
Required environment variable for third-party signing
To enable dynamic authentication when using third-party signing tools, you must set the following environment variable before running the signing command:
This environment variable allows the libraries that these tools rely on, such as KSP and PKCS#11, to participate in the dynamic authentication flow.
Tip
Once this environment variable is set, the signing command will work as expected with dynamic authentication enabled.
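A pre-flight check that a CI job could run on the arguments it is about to pass to smctl, covering the two signing paths described above. This is an added example, not DigiCert code. The function name and the DYNAMIC_AUTH_ENV_NAME placeholder are assumptions; set the placeholder to the variable name given in the DigiCert documentation, which this page does not show.

```sh
#!/bin/sh
# Added example, not DigiCert code. DYNAMIC_AUTH_ENV_NAME is a placeholder the
# caller sets to the variable name from the DigiCert documentation; this page
# does not show that name.

# Usage: smctl_sign_preflight <the arguments that will be passed to smctl>
# Prints a verdict; returns 0 if the call can authenticate as described above.
smctl_sign_preflight() {
    simple=no
    dynamic=no
    for arg in "$@"; do
        case "$arg" in
            --simple) simple=yes ;;
            --dynamic-auth) dynamic=yes ;;
        esac
    done

    if [ "$dynamic" = no ]; then
        echo "not-dynamic"; return 0      # nothing for this check to verify
    fi
    if [ "$simple" = yes ]; then
        echo "ok-simple"; return 0        # SMCTL signs directly, flag is enough
    fi

    # Third-party path (signtool, jarsigner through KSP or PKCS#11): the flag
    # is not passed on, so the variable must be in the process environment.
    name=${DYNAMIC_AUTH_ENV_NAME:-}
    case "$name" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad-env-name"; return 1 ;;
    esac
    # `env` lists only exported variables, so a variable that is set in the
    # shell but not exported (and would never reach the signing tool) fails.
    if env | grep -q "^${name}=."; then
        echo "ok-third-party"; return 0
    fi
    echo "missing-env"; return 1
}
```

Call it with the same arguments as the signing command and stop the job on a non-zero return, so the misconfiguration is reported before the third-party tool fails.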