Troubleshoot KeyLocker and Click-to-Sign

Solution ID : TB14
Last Modified : 12/10/2024

 

This article helps you troubleshoot the common warning and error messages associated with KeyLocker and Click-to-Sign. It covers errors displayed when running a healthcheck as well as errors that occur during file signing.

Healthcheck Errors:

 

Your client certificate path or password is incorrect. You will not be able to complete specific actions (such as sign, generate keypairs and approve releases) until these credentials are corrected.

This error can occur if the path set in your Environment Variables is incorrect.

Open your Environment Variables and ensure that the following variable is correct:

  • Variable name: SM_CLIENT_CERT_FILE
  • Variable value: C:\clientcertpath\Certificate_pkcs12.p12

 

Another reason for this error is the use of an incorrect client certificate password.

  • Run the following command to delete your credentials: smctl credentials delete
  • Add your credentials again as follows: smctl credentials save <API token> <client certificate password>

 

A third possible cause is that the client certificate was generated and encrypted using AES and a SHA-256 signature hash. This is not supported by older versions of Windows.

  • Generate a new client certificate and select AES with a SHA-1 signature hash or select 3DES encryption.



Status: Connection failed

This error can be caused by using an invalid API key.

  • Ensure that you have entered the correct API key string. This is displayed in the healthcheck results under Credentials.
  • If the API key string is incorrect, delete the existing credentials by running the following command: smctl credentials delete
  • Once the credentials have been deleted, add the correct credentials by running this command: smctl credentials save <API token> <client certificate password>

SignTool: Mapped: No

This status means that DigiCert KeyLocker Tools is unable to locate the path to signtool.exe.

  • Check your Environment Variables and ensure that the correct path to SignTool has been added.
  • The default path for SignTool is C:\Program Files (x86)\Windows Kits\10\bin\xxxx\x64 where xxxx is the version number.
  • For example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64

 

Jarsigner: Mapped: No

This status means that DigiCert KeyLocker Tools is unable to locate the path to jarsigner.exe.

  • Check your Environment Variables and ensure that the correct path to JarSigner has been added.
  • The default path for JarSigner is C:\Program Files\Java\xxxx\bin where xxxx is the version number.
  • For example: C:\Program Files\Java\jdk-17\bin

 

Click-to-Sign Configuration Errors:

 

Invalid api key or host server:



This error is caused by using an invalid API key string. To resolve this, please confirm that you have pasted the correct API key string into the API key field.

Another possible cause is using an incorrect URL in the Host field. The Host field should contain the following URL: https://clientauth.one.digicert.com

Invalid client certificate or passcode:



This message appears when either the path to the Client authentication certificate is incorrect or an invalid Client authentication certificate password has been used.

To resolve this, ensure that you have specified the correct client certificate file and that you have entered the correct password for your client certificate.

Click-to-Sign Signing Errors:

 

Click-to-Sign produces a single error message whenever signing is unsuccessful:

Signing failed
Failed to sign “<file name>”




This error message can appear for a number of reasons. To confirm the cause, you will need to check the signing manager log files.

These files can be found here: C:\Users\<user name>\.signingmanager\logs

The primary log file for Click-to-Sign is named digicert-click-to-sign.log. This log file tracks all activity within the Click-to-Sign tool.

When a signing failure occurs, you will see the following lines in the log file:

INFO cts.SignStart - Sign failed for the file - C:\filestosignpath\myfile
INFO cts.SignStart - getting error message from cmd line

Once you have confirmed that a signing error has occurred, you will need to check one of the following log files:

  • Click-to-Sign / SMCTL: smctl.log
  • SignTool: smksp.log
  • JarSigner: smpkcs11.log

Click-to-Sign / digicert-click-to-sign.log Errors:


INFO cts.SignStart - Sign failed for the file - C:\filestosignpath\myfile
INFO cts.SignStart - getting error message from cmd line

This error message confirms that there was a problem with the signing process. However, it does not indicate any specific cause for a failed signing attempt.

  • If you see this error, ensure that the path to your DigiCert KeyLocker Tools installation folder has been added to your environment variables.
  • The default path is C:\Program Files\DigiCert\DigiCert Keylocker Tools


If this path has been mapped correctly, then the next step is to check the file named smctl.log for more information.

Click-to-Sign / smctl.log Errors:

 

level="error" msg="Error :  - exec: \"signtool\": executable file not found in %PATH%: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78"

This error means that Click-to-Sign is unable to locate the path to signtool.exe.

  • Check your Environment Variables and ensure that the correct path to SignTool has been added.
  • The default path for SignTool is C:\Program Files (x86)\Windows Kits\10\bin\xxxx\x64 where xxxx is the version number.
  • For example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64

 


level="error" msg="Error :  - exec: \"jarsigner\": executable file not found in %PATH%: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78"

 

This status means that Click-to-Sign is unable to locate the path to jarsigner.exe.

  • Check your Environment Variables and ensure that the correct path to JarSigner has been added.
  • The default path for JarSigner is C:\Program Files\Java\xxxx\bin where xxxx is the version number.
  • For example: C:\Program Files\Java\jdk-17\bin
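The following preflight script is an added example and is not DigiCert's code. It automates the checks described in the healthcheck section ("SignTool: Mapped: No", "Jarsigner: Mapped: No", the client certificate path warning) and in the smctl.log entries above ("executable file not found in %PATH%"): it verifies that SM_CLIENT_CERT_FILE names an existing file, that signtool.exe and jarsigner.exe resolve through PATH, and that the KeyLocker Tools folder is on PATH. The function names, the report format and the injectable file_exists/which parameters are this example's own; the folder paths are the ones the article quotes.

```python
"""Preflight checks for a KeyLocker / Click-to-Sign workstation.

Added example, not DigiCert's code. It checks what the healthcheck section
("Mapped: No") and the smctl.log "executable file not found in %PATH%" entries
describe: SM_CLIENT_CERT_FILE names an existing file, signtool.exe and
jarsigner.exe resolve through PATH, and the KeyLocker Tools folder is on PATH.
Function names and the report format are this example's own.
"""
import os
import shutil
from pathlib import Path

# Folder the article gives as the default KeyLocker Tools location
DEFAULT_KEYLOCKER_TOOLS = r"C:\Program Files\DigiCert\DigiCert Keylocker Tools"
# Executables the article says Click-to-Sign must be able to find
REQUIRED_TOOLS = ("signtool.exe", "jarsigner.exe")
# Windows PATH entries are ';' separated (fixed here so the logic also runs off-host)
PATH_SEP = ";"


def folder_on_path(folder, path_value):
    """True when folder is one of the PATH entries (case-insensitive, trailing slashes ignored)."""
    wanted = folder.strip().rstrip("\\/").lower()
    entries = (e.strip().rstrip("\\/").lower() for e in path_value.split(PATH_SEP))
    return wanted in entries


def check_environment(env, file_exists=os.path.isfile, which=shutil.which,
                      keylocker_dir=DEFAULT_KEYLOCKER_TOOLS):
    """Return a list of (status, message) findings, status being 'OK' or 'FAIL'.

    env is any mapping such as os.environ. file_exists and which are injectable
    so the rules can be exercised with a constructed environment away from the
    signing host; the defaults inspect the real machine.
    """
    findings = []

    # 1. Client certificate path (the "client certificate path or password is incorrect" warning)
    cert = env.get("SM_CLIENT_CERT_FILE", "")
    if not cert:
        findings.append(("FAIL", "SM_CLIENT_CERT_FILE is not set"))
    elif not file_exists(cert):
        findings.append(("FAIL", f"SM_CLIENT_CERT_FILE does not point at an existing file: {cert}"))
    else:
        findings.append(("OK", f"client certificate file present: {cert}"))

    # 2. Signing executables reachable via PATH (the "Mapped: No" healthcheck lines)
    path_value = env.get("PATH", "")
    for tool in REQUIRED_TOOLS:
        resolved = which(tool, path=path_value)
        if resolved:
            findings.append(("OK", f"{tool} resolves to {resolved}"))
        else:
            findings.append(("FAIL", f"{tool} not found on PATH (healthcheck would report Mapped: No)"))

    # 3. KeyLocker Tools installation folder on PATH
    if folder_on_path(keylocker_dir, path_value):
        findings.append(("OK", f"KeyLocker Tools folder on PATH: {keylocker_dir}"))
    else:
        findings.append(("FAIL", f"KeyLocker Tools folder not on PATH: {keylocker_dir}"))
    return findings


def failures(findings):
    """Only the FAIL messages, for a quick summary."""
    return [msg for status, msg in findings if status == "FAIL"]


def signtool_candidates(kits_bin):
    """Folders of the form <kits_bin>\\<version>\\x64 that actually contain signtool.exe,
    i.e. the PATH entry the article describes for SignTool. Returns [] when none exist."""
    root = Path(kits_bin)
    if not root.is_dir():
        return []
    return sorted(str(p.parent) for p in root.glob("*/x64/signtool.exe") if p.is_file())


if __name__ == "__main__":
    for status, msg in check_environment(os.environ):
        print(f"[{status}] {msg}")
    for folder in signtool_candidates(r"C:\Program Files (x86)\Windows Kits\10\bin"):
        print("SignTool candidate for PATH:", folder)
```

Run it on the signing workstation after editing the environment variables and before re-running the healthcheck; a FAIL line for signtool.exe or jarsigner.exe corresponds to the "Mapped: No" status, and the signtool_candidates helper lists the versioned Windows Kits folders that could be added to PATH.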


level="error" msg="Error : jarsigner error: java.lang.Exception: Provider \"sun.security.pkcs11.SunPKCS11\" not found\r\n - exit status 1: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78"

 

This message means that the path to your PKCS11 properties file has not been mapped correctly. To resolve this, open Click-to-Sign and update the Pkcs11 configuration file field.

The default path is: C:\Program Files\DigiCert\DigiCert KeyLocker Tools\pkcs11properties.cfg

SignTool / smksp.log Errors:

 

level="error" msg="failed to sign: status_code=403, message={\"error\":{\"status\":\"access_denied\",\"message\":\"User - <User Name> does not have privileges to access the keypair - mykeylockertcert.\"}}, nested_error=<nil>" executable="signtool" func="main.SMKSPSignHashInternal:727"


The above error means that you have not assigned a signer to your code signing certificate.


This message also appears if the incorrect keypair alias was specified in the signing command.

  • Ensure that you have selected the correct keypair alias in Click-to-Sign. If you are unsure, log in to your DigiCert ONE account to view the keypair alias for your code signing certificate.

JarSigner / smpkcs11.log Errors:

 

level="error" msg="failed to sign, nested_error=\"hash signing failed for hash: 72e6ca0f8566785e48b00630f32c13af7945f7c6139b03ea87bc2f51fea62e76, keypair_id: e57271a3-53f5-4540-8d8a-23f8854cb7fd, signature_algorithm: SHA256withRSA: status_code=403, message={\"error\":{\"status\":\"access_denied\",\"message\":\"User - <User Name> does not have privileges to access the keypair - key_linux.\"}}, nested_error=<nil>\"" executable="jarsigner" func="securesigning/cli/pkcs11.(*Context).SignFinal:411"


The above error means that you have not assigned a signer to your code signing certificate.


This message also appears if the incorrect keypair alias was specified in the signing command.

  • Ensure that you have selected the correct keypair alias in Click-to-Sign. If you are unsure, log in to your DigiCert ONE account to view the keypair alias for your code signing certificate.
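The script below is an added example, not DigiCert's code. It turns the log-reading procedure in the sections above into a small triage tool: it recognises the "Sign failed for the file" line from digicert-click-to-sign.log, then matches the smctl.log, smksp.log and smpkcs11.log messages quoted in this article (and the two Click-to-Sign configuration messages) to the causes the article gives, extracting the keypair alias from the 403 access_denied message. The rule list, the finding format and SAMPLE_LINES are constructed for this example; the sample lines are the article's own quoted messages.

```python
"""Triage of KeyLocker / Click-to-Sign log lines.

Added example, not DigiCert's code. It maps the log messages the article quotes
(digicert-click-to-sign.log, smctl.log, smksp.log, smpkcs11.log) and the two
Click-to-Sign configuration messages to the causes the article gives, so a
support engineer can paste log excerpts and get the matching article guidance.
Rule names, the finding format and SAMPLE_LINES are constructed for this example.
"""
import re

# The digicert-click-to-sign.log line that confirms a failed attempt and names the file
SIGN_FAILED = re.compile(r"Sign failed for the file - (?P<path>.+?)\s*$")

# (where the message is seen, pattern, diagnosis taken from the article).
# The logs escape quotes as \" so the patterns accept an optional backslash.
RULES = [
    ("smctl.log",
     re.compile(r'exec: \\?"signtool\\?": executable file not found in %PATH%'),
     "signtool.exe is not on PATH: add the Windows Kits bin\\<version>\\x64 folder"),
    ("smctl.log",
     re.compile(r'exec: \\?"jarsigner\\?": executable file not found in %PATH%'),
     "jarsigner.exe is not on PATH: add the JDK bin folder"),
    ("smctl.log",
     re.compile(r'Provider \\?"sun\.security\.pkcs11\.SunPKCS11\\?" not found'),
     "PKCS11 configuration file path is wrong: point Click-to-Sign at pkcs11properties.cfg"),
    ("smksp.log / smpkcs11.log",
     re.compile(r'status_code=403.*access_denied.*does not have privileges to access the keypair - (?P<alias>[^.\\"]+)\.'),
     "no signer assigned to the certificate, or the wrong keypair alias was used"),
    ("Click-to-Sign configuration",
     re.compile(r"Invalid api key or host server"),
     "API key string is wrong or Host is not https://clientauth.one.digicert.com"),
    ("Click-to-Sign configuration",
     re.compile(r"Invalid client certificate or passcode"),
     "client certificate path or client certificate password is wrong"),
]


def classify_line(line):
    """Return a finding dict for a line the article documents, or None for anything else."""
    m = SIGN_FAILED.search(line)
    if m:
        return {"kind": "sign_failed", "file": m.group("path")}
    for source, pattern, diagnosis in RULES:
        m = pattern.search(line)
        if m:
            finding = {"kind": "cause", "source": source, "diagnosis": diagnosis}
            alias = m.groupdict().get("alias")
            if alias:
                finding["keypair"] = alias
            return finding
    return None


def triage(lines):
    """Classify every line; return (failed_files, findings), each without duplicates
    (tools retry, so the same error usually appears many times)."""
    failed_files, findings, seen = [], [], set()
    for line in lines:
        f = classify_line(line)
        if f is None:
            continue
        if f["kind"] == "sign_failed":
            if f["file"] not in failed_files:
                failed_files.append(f["file"])
            continue
        key = (f["source"], f["diagnosis"], f.get("keypair"))
        if key not in seen:
            seen.add(key)
            findings.append(f)
    return failed_files, findings


# Constructed sample: the article's quoted lines, with the signtool error repeated as a retry would
SAMPLE_LINES = [
    r"INFO cts.SignStart - Sign failed for the file - C:\filestosignpath\myfile",
    "INFO cts.SignStart - getting error message from cmd line",
    r'level="error" msg="Error :  - exec: \"signtool\": executable file not found in %PATH%: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78"',
    r'level="error" msg="Error :  - exec: \"signtool\": executable file not found in %PATH%: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78"',
    r'level="error" msg="failed to sign: status_code=403, message={\"error\":{\"status\":\"access_denied\",\"message\":\"User - <User Name> does not have privileges to access the keypair - mykeylockertcert.\"}}, nested_error=<nil>" executable="signtool" func="main.SMKSPSignHashInternal:727"',
]


if __name__ == "__main__":
    files, findings = triage(SAMPLE_LINES)
    for path in files:
        print("signing failed for:", path)
    for f in findings:
        extra = f" (keypair alias: {f['keypair']})" if "keypair" in f else ""
        print(f"[{f['source']}] {f['diagnosis']}{extra}")
```

To use it on a real case, read the lines of the files under C:\Users\<user name>\.signingmanager\logs into a list and pass them to triage; the keypair alias reported for a 403 finding is the value to compare against the alias shown in the DigiCert ONE account.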

For details on setting KeyLocker up for use with Click-to-Sign see Configure KeyLocker for Click-to-Sign.