Healthcheck commands
Use this command to check if your credentials and signing tools were configured correctly in SMCTL.
Command
To run a healthcheck on your credentials and signing tools, use the command:
smctl healthcheck
Flags
The healthcheck command supports these flags:
| Shortcut | Flag | Description |
|---|---|---|
| | --all | Verify user credentials and tools you can sign with. |
| | --tools | Verify configured tools you can sign with. |
| | --user | Verify your user credentials and view your permissions. |
| -h | --help | Help for describing a keypair. |
Examples
Check user credentials and tools
To verify your user credentials and the signing tools that are configured for you to sign with, use the command:
smctl healthcheck
Command output sample:
    --------- User credentials ------
    Status: Connected
    Username: john.doe
    Accounts: Example, Inc.
    Authentication: 2FA
    Environment: Unknown
    Credentials:
        Host: https://clientauth.one.digicert.com
        API key: 01a007567da265b5909d11b8ea_b70xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb9 (Pulled from environment variable)
        Client certificate file path: C:\Users\John.Doe\Documents\STM\JohnD_Auth_Cert_2023.p12
        Client certificate password: JM7QxxxxxxqO (Pulled from environment variable)
    API keys:
        Name: John API Token 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
    Client certificates:
        Name: John Auth Cert (expires on Tue, 31 Jan 2023 23:59:59 UTC)
        Name: John Auth Cert 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
    Privileges:
        Can sign: Yes
        Can approve release window: Yes
        Can revoke certificate: Yes
    Permissions:
        Account Manager:
            VIEW_AM_USER
            VIEW_AM_ORGANIZATION
            MANAGE_AM_PERMISSION
            VIEW_AM_ROLE
            VIEW_AM_ACCOUNT
            VIEW_AM_AUDIT_LOG
        Keypairs:
            APPROVE_SM_KEYPAIR_DELETE
            GENERATE_SM_KEYPAIR
            MANAGE_SM_KEYPAIR
            REQUEST_SM_KEYPAIR_EXPORT
            EXPORT_SM_KEYPAIR
            APPROVE_SM_KEYPAIR_EXPORT
            IMPORT_SM_KEYPAIR
            SIGN_SM_HASH
            MANAGE_SM_MASTER_KEYPAIR
            VIEW_SM_KEYPAIR
        Certificates:
            MANAGE_SM_CERTIFICATE_PROFILE
            GENERATE_SM_CERTIFICATE
            IMPORT_SM_CERTIFICATE
            VIEW_SM_CERTIFICATE
            VIEW_SM_CERTIFICATE_TEMPLATE
            VIEW_SM_CERTIFICATE_PROFILE
            REVOKE_SM_CERTIFICATE
        Releases:
            APPROVE_SM_RELEASE_WINDOW
            REQUEST_SM_RELEASE_WINDOW
            VIEW_SM_RELEASE_WINDOW
        Audit logs:
            VIEW_SM_AUDIT_LOG
            EXPORT_SM_LOGS
        Other permissions:
            MANAGE_SM_CC_API_KEY
            VIEW_SM_LICENSE
            MANAGE_SM_HIERARCHY
            MANAGE_SM_ACCOUNT_SETTINGS
    --------- Signing tools ---------
    Nuget:
        Mapped: No
    Jarsigner:
        Mapped: No
    Apksigner:
        Mapped: No
    Signtool 32 bit:
        Mapped: No
    Signtool:
        Mapped: Yes
        Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.33621.0\x64\signtool.exe
    Mage:
        Mapped: No
Check user credentials
To verify your user credentials and permissions, use the command:
smctl healthcheck --user
Command output sample:
    --------- User credentials ------
    Status: Connected
    Username: john.doe
    Accounts: Example, Inc.
    Authentication: 2FA
    Environment: Unknown
    Credentials:
        Host: https://clientauth.one.digicert.com
        API key: 01a007567da265b5909d11b8ea_b70xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb9 (Pulled from environment variable)
        Client certificate file path: C:\Users\John.Doe\Documents\STM\JohnD_Auth_Cert_2023.p12
        Client certificate password: JM7QxxxxxxqO (Pulled from environment variable)
    API keys:
        Name: John API Token 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
    Client certificates:
        Name: John Auth Cert (expires on Tue, 31 Jan 2023 23:59:59 UTC)
        Name: John Auth Cert 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
    Privileges:
        Can sign: Yes
        Can approve release window: Yes
        Can revoke certificate: Yes
    Permissions:
        Account Manager:
            VIEW_AM_USER
            VIEW_AM_ORGANIZATION
            MANAGE_AM_PERMISSION
            VIEW_AM_ROLE
            VIEW_AM_ACCOUNT
            VIEW_AM_AUDIT_LOG
        Keypairs:
            APPROVE_SM_KEYPAIR_DELETE
            GENERATE_SM_KEYPAIR
            MANAGE_SM_KEYPAIR
            REQUEST_SM_KEYPAIR_EXPORT
            EXPORT_SM_KEYPAIR
            APPROVE_SM_KEYPAIR_EXPORT
            IMPORT_SM_KEYPAIR
            SIGN_SM_HASH
            MANAGE_SM_MASTER_KEYPAIR
            VIEW_SM_KEYPAIR
        Certificates:
            MANAGE_SM_CERTIFICATE_PROFILE
            GENERATE_SM_CERTIFICATE
            IMPORT_SM_CERTIFICATE
            VIEW_SM_CERTIFICATE
            VIEW_SM_CERTIFICATE_TEMPLATE
            VIEW_SM_CERTIFICATE_PROFILE
            REVOKE_SM_CERTIFICATE
        Releases:
            APPROVE_SM_RELEASE_WINDOW
            REQUEST_SM_RELEASE_WINDOW
            VIEW_SM_RELEASE_WINDOW
        Audit logs:
            VIEW_SM_AUDIT_LOG
            EXPORT_SM_LOGS
        Other permissions:
            MANAGE_SM_CC_API_KEY
            VIEW_SM_LICENSE
            MANAGE_SM_HIERARCHY
            MANAGE_SM_ACCOUNT_SETTINGS
Check integrated third-party tools
To verify the signing tools that are configured for you to sign with, use the command:
smctl healthcheck --tools
Command output sample:
    --------- Signing tools ---------
    Nuget:
        Mapped: No
    Jarsigner:
        Mapped: No
    Apksigner:
        Mapped: No
    Signtool 32 bit:
        Mapped: No
    Signtool:
        Mapped: Yes
        Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe
    Mage:
        Mapped: No
Healthcheck errors and solutions
If the healthcheck command fails, troubleshoot the following.
Status: Not connected
Error message
    --------- User credentials ------
    Status: Not connected
Problem
This error can occur for multiple reasons. Confirm the following:
You provided the correct host in the environment variable.
You provided the correct API token in the environment variable.
You have a stable internet connection.
If the organization's proxy is enabled, you need to add these settings to the environment variables.
Solution
You may need to troubleshoot a variety of areas:
Compare the host listed in the healthcheck command output to this list of hosts.
Compare the last two digits of the API key listed in the healthcheck command output to the last two digits of your API key in DigiCert ONE.
Tip
To identify existing API keys for your user:
Sign in to DigiCert ONE.
Click the Profile icon (top-right).
Select Admin Profile.
In the On this page section (right), select API tokens.
Your client certificate path or password is incorrect (1FA)
Error message
    --------- User credentials ------
    Status: Connected
    Your client certificate path or password is incorrect. You will not be able to complete specific actions (such as sign, generate keypairs and approve releases) until these credentials are corrected.
Problem
Your host environment and API key (first factor of authentication) are correct; however, SMCTL was unable to authenticate your client certificate (second factor of authentication). This means that the path to your client authentication certificate or its password is incorrect. Two-factor authentication is required to perform specific actions, such as: sign, generate keypairs, scan your software with Threat detection, and approve releases. If you try to perform one of these actions with only one factor of authentication, you will receive the following error:
status_code=403, message={"error":{"status":"access_denied","message":"User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, user needs to be authenticated using multi-factor for performing <action> operation."}}, nested_error=<nil>
Solution
Ensure that the client authentication certificate path and password are correct. One of the following methods may be useful:
Navigate to the client authentication certificate path listed in the healthcheck command output and confirm that the file name and path match.
Compare your client authentication certificate password listed in the healthcheck command output to your password to confirm that it is correct.
Note
If you have lost or forgotten your password, create a new client authentication certificate and securely store your password.
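A preflight gate for a build job, run over captured smctl healthcheck output before any signing step and covering the failure cases above. This is an added example, not DigiCert code: it assumes the field labels from the samples on this page arrive one per line, and the names preflight and redact, along with the sample text, are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: field labels from the page, one field per line (assumed layout).
SAMPLE = r"""--------- User credentials ------
Status: Connected
Credentials:
    API key: 01a0_constructed_xxxxb9 (Pulled from environment variable)
    Client certificate password: JM7QxxxxxxqO (Pulled from environment variable)
Client certificates:
    Name: John Auth Cert (expires on Tue, 31 Jan 2023 23:59:59 UTC)
    Name: John Auth Cert 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
Privileges:
--------- Signing tools ---------
Jarsigner:
    Mapped: No
Signtool:
    Mapped: Yes
    Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.33621.0\x64\signtool.exe
"""

EXPIRY = re.compile(r"\(expires on (.+?) UTC\)")
TOOL = re.compile(r"^[ \t]*([^:\n]+):\s+Mapped: (Yes|No)", re.M)
SECRET = re.compile(r"^(\s*(?:API key|Client certificate password): )\S+", re.M)

def redact(output):
    """Drop the partially masked credential values before the text reaches a build log."""
    return SECRET.sub(r"\1[REDACTED]", output)

def preflight(output, required_tools, now):
    """Return the problems that would block signing; an empty list means go."""
    problems = []
    if not re.search(r"^\s*Status: Connected\s*$", output, re.M):
        problems.append("not connected")
    if "client certificate path or password is incorrect" in output:
        problems.append("client certificate not accepted (1FA only)")
    certs = output.partition("Client certificates:")[2].partition("Privileges:")[0]
    expiries = [datetime.strptime(d, "%a, %d %b %Y %H:%M:%S").replace(tzinfo=timezone.utc)
                for d in EXPIRY.findall(certs)]
    if not any(e > now for e in expiries):
        problems.append("no unexpired client certificate listed")
    mapped = {name.strip() for name, state in TOOL.findall(output) if state == "Yes"}
    problems += [f"signing tool not mapped: {t}" for t in required_tools if t not in mapped]
    return problems

if __name__ == "__main__":
    print(redact(SAMPLE))
    print(preflight(SAMPLE, ["Signtool"], datetime.now(timezone.utc)))
```

Failing the job on a non-empty list surfaces a missing second factor or an unmapped tool before the first signing call returns the 403 shown above.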