DigiCert KeyLocker

We have resolved an issue where the Certificate details page became skewed when multiple users were assigned as the certificate signer. This update ensures that the names are displayed clearly, without compromising user experience.

We have removed references to signature limits for certificates purchased before November 3, 2024. This update aligns with our commitment to honor the service agreement at the time of purchase.

The sync certificate feature retrieves the latest certificate status from CertCentral. This action is used if your order status in CertCentral is different to your status in DigiCert® KeyLocker. While this works correctly, we noticed that after syncing the certificate, the keypair alias was not immediately displayed in the certificate details page. We have corrected this and all relevant information should display as expected.

We have fixed an issue on the Certificates tab where filtering by keypair alias did not apply correctly, resulting in multiple certificates being listed. Now, when filtering by keypair alias, only the certificate associated with the specified keypair alias will be displayed in the list, ensuring accurate and streamlined results for users.

When a user ran the smctl healthcheck command and no signing tools were found in their system, the log files listed the following error message: "Error Tools cannot be null." We updated the error message to: "Unable to detect compatible signing tools." to improve the clarity that the user needs to install third-party signing tools.

KeyLocker implemented technical controls to enforce signature and signer limits on KeyLocker certificates purchased as stated in DigiCert's service terms on or after November 3, 2023. You can designate a user as the signer for the certificate in the Certificates tab in DigiCert​​®​​ KeyLocker. To increase the signature limit of your certificate, you can purchase additional signatures in increments of 1,000 from CertCentral. Learn more

As an ongoing effort, we have improved the scalability and reliability of DigiCert​​®​​ KeyLocker. These updates ensures seamless operations even during peak usage and provides our users with a more efficient and robust user experience.

CertCentral now issues certificates off SHA-384 signature algorithm ICAs. While previously limited to SHA-256, this update enables users to utilize SHA-384 signatures based on their CA and ICA settings within CertCentral. Users can seamlessly leverage this feature to further strengthen their certificate management workflows.

We identified an issue preventing the download of DigiCert​​®​​ KeyLocker client tools via the no authentication API endpoint: /signingmanager/api-ui/v1/releases/noauth/{releaseName}/download and CI/CD plugins. We have fixed this issue, and users should be able to successfully download our client tools using the endpoint referred to above and DigiCert​​®​​ KeyLocker plugins.

You may have been notified about an updated version of KeyLocker tools; however, if you have already downloaded version 1.41.0 of the KeyLocker client tools, there is no need to update your client tools to the latest version as the changes made do not affect KeyLocker users.

You may have been notified about an updated version of KeyLocker tools. However, if you have already downloaded version 1.41.0 of the KeyLocker client tools, there is no need to update your client tools to the latest version, as the changes made do not affect KeyLocker users.

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.

The SMCTL desync command previously only desynced the expired and revoked certificates associated with a keypair from the local Windows store. We have improved the functionality of this command to allow you to additionally specify invalid or all as a parameter in the Windows desync command so that all certificates associated with the keypair would be desynced.

The SMCTL verify signature command has previously provided a lengthy output that made it difficult to identify if the verification of the signature was a success or failure. We have introduced a new parameter called --quiet that can be added to the verify signature command to limit the output of the command to one sentence confirming if the verification of the signature is a success or failure.

DigiCert​​®​​ KeyLocker client tools previously only worked on old versions of MacOS with x86_64 architecture. To support the newer versions of macOS with arm64 architecture we upgraded our macOS client tools to support signing on both macOS x86_64 and arm64 architecture.

New DigiCert​​®​​ KeyLocker accounts were unable to connect to CertCentral using a CertCentral API key. This issue has been fixed and new DigiCert​​®​​ KeyLocker accounts are successfully able to connect to CertCentral using a CertCentral API key.

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

DigiCert​​®​​ KeyLocker now supports signing on macOS. You can continue to sign directly with third-party signing tools or use Signing Manager Controller (SMCTL), a command line interface (CLI) that offers simplified signing integrated with third-party signing tools. Download macOS clients to enable signing. To identify the third-party signing tools required to sign, refer to file types supported for signing.

Fixed tool descriptions to specify that DigiCert Click-to-sign is only compatible with Windows 10.

When creating an API token or client authentication certificate from the KeyLocker wizard, users had to select a hyperlink. We found that this was not intuitive enough and resulted in users selecting Next without creating an API token or client authentication certificate. Added a Create button to streamline the process.

Signing commands often require the keypair alias and/or the certificate alias. These aliases are case-sensitive. To prevent unnecessary errors during signing, we have ensured that all certificate and keypair aliases are assigned in lowercase and have assigned the keypair and certificate aliases in a predictable format. Example:

CertCentral order number: 12345

Keypair alias: key_12345

Certificate alias: cert_12345

When a user requested a code signing certificate with KeyLocker provisioning in CertCentral, the master administrator for the CertCentral account was used to create the KeyLocker lead. This workflow caused KeyLocker account creation to fail when CertCentral accounts had no master administrator assigned to their account. In future, when a user requests a code signing certificate with KeyLocker provisioning in CertCentral, the user who approves the certificate request will become the KeyLocker lead.

Fixed an issue that loaded and incorrect page when loading the KeyLocker wizard, then redirected to the correct page. When selecting Get Started in KeyLocker, the wizard now correctly displays without the redirect.

Fixed an issue where a banner message failed to confirm the tools the user could use to sign after running the smctl healthcheck command in step 3 of the KeyLocker wizard. Running the healthcheck command and selecting the Check status button now displays a banner confirming which signing tools the user has integrated with and can use to sign.

Link users to online documentation for KeyLocker workflows from resources section of the UI. Remove documentation links to API for KeyLocker customers in resources section of the UI.

Resolved a processing bug whereby when a CertCentral order request failed, it caused other orders for the account also to not processed. This issue is resolved with this release.

Implemented several content fixes and workflow improvements to the user setup wizard to help improve the overall experience when first using KeyLocker.

Enabled multi-factor authentication for all KeyLocker accounts at time of account setup.

Changed format of key alias from Key(CountOfKeysForAccount) to Key_CC_orderID.

KeyLocker now saves CertCentral order details in Keylocker even if the following occur:

Instead, you now receive the following error in CertCentral for one of the above failures: "CSR update failed for order ID. The requested action could not be completed at this time due to a resource conflict. Please try again after previous actions have completed."

DigiCert ONE is launching support for KeyLocker. KeyLocker is DigiCert's cloud-based key storage solution, compliant with CA/B Forum requirements for storing private keys for code signing and EV code signing certificates.

In this release, we are enabling service-to-service APIs to support key generation and check for feature flag enablement of DigiCert ONE accounts for the KeyLocker use case.

More features will follow in future releases.