DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

Cloud-based private key storage with DigiCert® KeyLocker

Solution ID : SO060423171117
Last Modified : 05/10/2024


Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140-2 level 3, Common Criteria EAL 4+, or equivalent.

DigiCert’s May 30 timeline to meet the new private key storage requirement

DigiCert’s timeline ensures we update our code signing certificate process so that private keys for code signing certificates are stored on hardware certified as FIPS 140-2 level 3, Common Criteria EAL 4+, or equivalent by May 30, 2023.


On May 30, 2023, DigiCert will release DigiCert KeyLocker, a cloud‐based solution that generates and provides FIPS 140-2 level 3 compliant private key storage for your code signing certificates.

DigiCert KeyLocker is an automated alternative to manually generating and storing your private key on a hardware token that can be lost or stolen or purchasing a hardware security module (HSM) and storing it on-premises. Cloud storage provides the additional benefit of allowing you to access your private key anytime and sign code from anywhere.

DigiCert KeyLocker features:

  • FIPS 140-2 Level 3 certified key storage.
  • Key generation, key protection and signing without the delays of shipped tokens.
  • Cloud-based service, supporting the needs of a remote or geographically distributed workforce.
  • Seamless integration with automated CI/CD pipelines.

How does the process work?

  1. Order a code signing certificate from your CertCentral account.
  2. On the request form, select DigiCert KeyLocker as the Provisioning Method.
  3. DigiCert completes the validation procedure for your code signing certificate.
  4. CertCentral requests a DigiCert ONE account for the CertCentral approver.

    • If the certificate requester has approve permission for the organization listed on the certificate, the Certificate requester becomes the KeyLocker lead.
    • If the certificate requester does not have approve permission for the organization listed on the certificate, the approver becomes the KeyLocker lead.
  5. The CertCentral approver for the organization listed on the certificate (not necessarily the certificate requester) receives two emails:

    • Welcome to DigiCert ONE
      This email contains the username of the DigiCert KeyLocker lead.
    • Reset your DigiCert ONE password
      This email lets you reset your password for the username provided in the previous email.
  6. KeyLocker generates and securely stores your private key on a compliant FIPS 140-2 level 3 HSM.
  7. KeyLocker generates a CSR with your private key.
  8. KeyLocker uploads the CSR to CertCentral.
  9. Your certificate is issued and associated with the key generated and stored in KeyLocker.
  10. KeyLocker lead signs in to DigiCert ONE to use KeyLocker.
  11. KeyLocker lead invites additional users with the DigiCert KeyLocker signer role assigned.

For additional information about DigiCert KeyLocker and how to use it to sign code, see DigiCert KeyLocker

Prevent email tampering and phishing with a DigiCert S/MIME certificate.