KSP library

DigiCert® KeyLocker KSP is a client-side tool built on the Microsoft CNG (Cryptography API: Next Generation) library. The KSP takes a hash-based approach to signing, so signing requests do not require transporting your files and intellectual property.

What Microsoft signing tools can the KSP integrate with?

The DigiCert® KeyLocker KSP integrates with the following Microsoft signing tools while maintaining key protection and permission-based access, and reporting all signing activities:

What can the KSP sign?

KSP enables secure hash-based signing of Microsoft:

  • Executables

  • Installers

  • Files

  • Applications

  • Drivers

  • Images

  • Scripts

Download KSP library

Tip

If you have downloaded and installed the Windows Clients Installer, the KSP is already downloaded and registered as part of the installation.

  1. Sign in to DigiCert® KeyLocker.

  2. Navigate to: Manager menu (top-right) > KeyLocker.

  3. Select Resources > Client tool repository.

  4. Click the download icon next to KeyLocker Clients.

    Note

    Two versions of the KSP exist:

    • 64-bit: Recommended

    • 32-bit: Use this version if you are running an older operating system with constrained resources that cannot handle 64-bit clients.

Register the KSP

To register the KSP, open a command prompt and run:

smksp_registrar.exe register

Verify the KSP

To verify that your KSP is configured properly and that your client can authenticate to the DigiCert® KeyLocker service, run:

certutil.exe -csp "DigiCert Software Trust Manager KSP" -key -user

Synchronize certificates

For the client tools to access the private keys in the service through the Key Storage Provider (KSP), your certificates must be synchronized to the local certificate store. Only the certificate is synchronized; the private key remains stored securely in DigiCert® KeyLocker.

To synchronize your certificates to the local certificate store, open a command prompt and run:

smksp_cert_sync.exe

To view the certificates, open Certificate Manager for the user account used to run the certificate sync utility:

certmgr.msc

If you do not see your certificates in the Certificate Manager, verify that you have opened the correct certificate store. There is a different certificate store for each Windows user account.

Note

All certificates are synchronized to the user store only. The certificates are not synchronized to the machine store (yet).
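
After synchronization, a signing certificate in the user store should reference a key held by the KSP, not a key stored locally. The following PowerShell check is an added example, not part of the DigiCert tooling: it lists each certificate with a private key in the current user's store and the provider that backs it. It assumes the synchronized certificates land in the Personal ("My") store and uses the provider name from the certutil command above; the function name `Get-KeyProviderName` is hypothetical. Run it as the same Windows user that ran the certificate sync utility.

```powershell
# Added example: report which provider backs each certificate's private key in
# the current user's store. Assumption: synced certificates are in the Personal
# ("My") store. The provider name is the one used in the certutil command above.
$kspName = 'DigiCert Software Trust Manager KSP'
$rsaExt  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$ecExt   = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        # Opening the key goes through the provider, so this can fail when the
        # client cannot authenticate to the service.
        $key = $rsaExt::GetRSAPrivateKey($Cert)
        if (-not $key) { $key = $ecExt::GetECDsaPrivateKey($Cert) }
    } catch {
        return "error: $($_.Exception.Message)"
    }
    if ($key -is [System.Security.Cryptography.RSACng] -or
        $key -is [System.Security.Cryptography.ECDsaCng]) {
        return $key.Key.Provider.Provider              # CNG provider (KSP) name
    }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $key.CspKeyContainerInfo.ProviderName   # legacy CAPI CSP name
    }
    return 'unknown'
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $provider = Get-KeyProviderName -Cert $_
        [pscustomobject]@{
            Subject  = $_.Subject
            NotAfter = $_.NotAfter
            Provider = $provider
            ViaKsp   = ($provider -eq $kspName)   # False: key is not behind the KSP
        }
    } | Format-Table -AutoSize
```

A signing certificate that shows `ViaKsp` as `False` is bound to a different provider, which usually means its private key is stored on the machine rather than in the service.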