Requirements

To securely sign your software using DigiCert® Software Trust Manager, you will need to set up specific authentication factors, environment configurations, and client tools. These steps ensure that your private keys are securely managed while allowing you to execute trusted, compliant signatures across various environments. Follow these requirements to establish a seamless signing process.

Two-factor authentication

Two-factor authentication is required to sign your software. The API key acts as the first factor of authentication and the client authentication certificate acts as the second when connecting to DigiCert® Software Trust Manager client tools.

Note

The permissions associated with the API token and client authentication certificate are based upon your user permissions set in DigiCert® Software Trust Manager.

Create an API key

An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.

Follow the procedure below based on your user classification:

Example 1. User

Users can create their own API token because they have access to DigiCert ONE.

To create an API key:

Sign in to DigiCert ONE.
Navigate to the Profile icon (top right).
Select Admin Profile.
Identify the On this page section (right), select API tokens.
Select Create API Token.
Securely store your API token.
Note
The API token cannot be viewed again.

Example 2. Service user

Tip

The DigiCert® Account Manager permission: Manage users is required to create an API key for service users.

You can only create an API key for a new service user; you cannot create an API key for an existing user.

To create an API key for a new service user:

Sign in to DigiCert ONE.
Navigate to Manager menu icon (top right).
Select DigiCert® Account Manager > Access > Service users.
Select Create service user.
Complete the fields, and then select Next.
Define the roles and permissions for each selected manager, and then select Add user.
In the window that displays, securely copy and store the service user token ID, which is the user's API key.
Note
The API token cannot be viewed again.

Create a client authentication certificate

A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API.

Example 3. User

Users can create their own client authentication certificate because they have access to DigiCert ONE.

To generate a client authentication certificate:

Sign in to DigiCert ONE.
Navigate to the Profile icon (top right).
Select Admin Profile
Identify the On this page section (right), select Authentication Certificates.
Select Create authentication certificate.
Copy the certificate password.
Note
The password cannot be viewed again.
Select Download client authentication certificate.

Example 4. Service user

Tip

The DigiCert® Account Manager permission: Manage users is required to create a client authentication certificate for someone else.

To create a client authentication certificate for a service user:

Sign in to DigiCert ONE.
Navigate to Manager menu icon (top right).
Select DigiCert® Account Manager > Access > Service users.
Select on the user's name.
Identify the On this page section (right), select Authentication Certificates.
Select Create authentication certificate.
Copy and securely store the certificate password.
Note
The password cannot be viewed again.
Select Download client authentication certificate.

Host environment

During environment variable setup, you are required to provide the DigiCert ONE host value.

Note

You can only connect to the host that was used to create your credentials.

Table 1. Host options

Country	Host type	SM_HOST value
United States of America (USA)	Demo	https://clientauth.demo.one.digicert.com
United States of America (USA)	Production	https://clientauth.one.digicert.com
Switzerland (CH)	Demo	https://clientauth.demo.one.ch.digicert.com
Switzerland (CH)	Production	https://clientauth.one.ch.digicert.com
Japan (JP)	Demo	https://clientauth.demo.one.digicert.co.jp
Japan (JP)	Production	https://clientauth.one.digicert.co.jp
Netherlands (NL)	Demo	https://clientauth.demo.one.nl.digicert.com
Netherlands (NL)	Production	https://clientauth.one.nl.digicert.com

Client tools

Software Trust Manager enables you to sign either directly with third-party signing tools or via DigiCert signing tools. Regardless of the method you choose, you will require a cryptographic library to ensure that your private key remains protected while allowing you to create digital signatures.

To download client tools:

Sign in to DigiCert ONE.
Select the Manager meu (top-right) > DigiCert® Software Trust Manager.
Navigate to: Resources > Client tool repository.
Download the appropriate files, move them to the appropriate client computer, and extract (or install).

The following client tools are available:

Example 5. Windows

The following clients tools are available for signing on Windows:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
DigiCert® Click-to-sign
DigiCert Click-to-sign provides Windows customers with a simple UI-based signing workflow that does not require use of the SMCTL. After you specify your signing preferences in the DigiCert Click-to-sign installation wizard, you simply need to right-click on a file or folder to sign.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.
KSP library
DigiCert® Software Trust Manager KSP is a Microsoft CNG (Cryptographic: Next Generation) library-based client-side tool
ReversingLabs scanning tool
This tool will only work if software scanner is enabled on your Software Trust Manager account. It is a Dynamic Application Security Testing (DAST) service powered by ReversingLabs to scan your software for malware, vulnerabilities, secrets, and more before releasing your software to the public.

Example 6. Linux

The following clients tools are available for signing on Linux:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.
GPG smart card daemon (SCD)
DigiCert® Software Trust Manager GPG Smart Card Daemon (SCD) is a GPG compliant SCD client-side tool that integrates with the GPG-agent (part of the GPG tool suite) for all GPG based hash signing use cases.
ReversingLabs scanning tool
This tool will only work if software scanner is enabled on your Software Trust Manager account. It is a Dynamic Application Security Testing (DAST) service powered by ReversingLabs to scan your software for malware, vulnerabilities, secrets, and more before releasing your software to the public.

Example 7. macOS

The following clients tools are available for signing on macOS:

Signing Manager Controller (SMCTL)
SMCTL provides a Command Line Interface (CLI) that facilitates manual or automated private key, certificate management, and signing with or without the need for human intervention.
PKCS11 library
The PKCS11 library handles secure key generation, application hash signing, and associated certificate-related requirements when the signing request does not require the transportation of files and intellectual property.
CryptoTokenKit
CryptoTokenKit is an implementation of the Apple CryptoTokenKit extension and is used to sign Apple binaries while the keys are stored remotely in Software Trust Manager.
GPG smart card daemon (SCD)
DigiCert® Software Trust Manager GPG Smart Card Daemon (SCD) is a GPG compliant SCD client-side tool that integrates with the GPG-agent (part of the GPG tool suite) for all GPG based hash signing use cases.
ReversingLabs scanning tool
This tool will only work if software scanner is enabled on your Software Trust Manager account. It is a Dynamic Application Security Testing (DAST) service powered by ReversingLabs to scan your software for malware, vulnerabilities, secrets, and more before releasing your software to the public.

Set PATH environment variables

Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.

Note

Client tools must be available in the PATH variable for the environment to invoke the client control from CI/CD integration without specifying the path. For the examples given, it is assumed that the path to the client control tools has been set in the path.

Example 8. Windows

You can set the PATH environment variable using command line or via the environment variables.

To set the path to your signing tools via command line:

set PATH=%path%;<path to client tools>

To set the path to your signing tools for your system or account:

Search for environment variables in the Windows start menu.
Select Edit environment variables for your account or Edit system environment variables.
Double click on the Path variable.
Click New.
Select Browse.
Select the path to the client tools.
Click OK to save the path.
Click on OK to close the dialog.

Example 9. Linux

To set the path to your signing tools via command line:

Launch the Terminal application.
Open the file in an editor:
```
nano ~/.profile
```
Add any exports definitions you need:
```
export PATH=<Path to client tools>
```
Click CTRL+X to exit.
Click Y to save.
Click Enter to keep the same file name.
Execute the new .profile by restarting Terminal or using:
```
 source ~/.profile
```

Example 10. macOS

To set the path to your signing tools via command line:

Launch the Terminal application.
Create a profile file:
```
touch ~/.zprofile
```
Open the file in an editor:
```
open ~/.zprofile
```
Add any exports definitions you need, such as:
```
export PATH=<Path to client tools>
```
To save the new .zprofile, click File > Save (CMD + S).
Close the terminal window and reopen to use new saved variables.

Secure your credentials

Your DigiCert ONE host environment, API key, client authentication certificate, and password make up your environment variables and are required to access Software Trust Manager client tools. Use one of the methods provided below to securely store your credentials based on your operating system.

Example 11. Windows

The most secure method is to store your API key and client authentication certificate password in Windows Credential Manager, an encrypted vault, protected from unauthorized access.

Example 12. Linux

The most secure method is to store your API key and client authentication certificate password in Linux Pass, a password manager that uses GnuPG for encryption and decryption of stored information.

Example 13. macOS

The most secure method is to store your API key and client authentication certificate password in Keychain Access, an application that stores your passwords and account information.