DigiCert KnowledgeBase - Technical Support

Knowledge Base

Troubleshoot KeyLocker for Microsoft SignTool

Solution ID: TB8
Last Modified: 10/01/2024

This article will help you troubleshoot common warning and error messages from KeyLocker and SignTool. It covers errors that appear when running a healthcheck as well as those that appear during file signing.

Healthcheck Errors:

Your client certificate path or password is incorrect. You will not be able to complete specific actions (such as sign, generate keypairs and approve releases) until these credentials are corrected.

This error can occur if the path set in your Environment Variables is incorrect.

Open your Environment Variables and check that the following variable is set correctly:

  • Variable name: SM_CLIENT_CERT_FILE
  • Variable value: C:\clientcertpath\Certificate_pkcs12.p12

Another cause of this error is an incorrect client certificate password. Delete the saved credentials and save them again:

  • Run the following command to delete your credentials: smctl credentials delete
  • Add your credentials again as follows: smctl credentials save <API token> <client certificate password>

A third possible cause is that the client certificate was generated and encrypted using AES with a SHA-256 signature hash, which older versions of Windows do not support.

  • Generate a new client certificate and select AES with a SHA-1 signature hash, or select 3DES encryption.



Status: Connection failed

This error can be caused by an invalid API key.

  • Ensure that you have entered the correct API key string. It is displayed in the healthcheck results under Credentials.
  • If the API key string is incorrect, delete the existing credentials by running the following command: smctl credentials delete
  • Once the credentials have been deleted, add the correct credentials by running this command: smctl credentials save <API token> <client certificate password>

SignTool: Mapped: No

This status means that DigiCert KeyLocker Tools is unable to locate signtool.exe.

  • Check your Environment Variables and ensure that the correct path to SignTool has been added.
  • The default path for SignTool is C:\Program Files (x86)\Windows Kits\10\bin\xxxx\x64, where xxxx is the Windows SDK version number.
  • For example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64
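As an added example (not DigiCert's or this article's own code), the following PowerShell function checks the two healthcheck prerequisites described above before you run the healthcheck: it verifies that SM_CLIENT_CERT_FILE is set and points at an existing file, and that signtool.exe is reachable through PATH, listing the Windows Kits version folders that contain it if it is not. The Windows Kits root is the default location quoted in the article; adjust it if your SDK is installed elsewhere.

```powershell
# Added example, not DigiCert's own tooling: checks the two healthcheck
# prerequisites (SM_CLIENT_CERT_FILE and the SignTool path) from PowerShell.
function Test-KeyLockerPrereqs {
    [CmdletBinding()]
    param(
        # Parent of the per-version bin folders quoted in the article.
        [string]$KitsBinRoot = 'C:\Program Files (x86)\Windows Kits\10\bin'
    )
    $problems = @()

    # 1. SM_CLIENT_CERT_FILE must be set and point at an existing file.
    #    -LiteralPath stops spaces or brackets in the path from being interpreted.
    $certPath = [Environment]::GetEnvironmentVariable('SM_CLIENT_CERT_FILE')
    if ([string]::IsNullOrWhiteSpace($certPath)) {
        $problems += 'SM_CLIENT_CERT_FILE is not set.'
    } elseif (-not (Test-Path -LiteralPath $certPath -PathType Leaf)) {
        $problems += "SM_CLIENT_CERT_FILE points to a file that does not exist: $certPath"
    }

    # 2. signtool.exe must be reachable through PATH. If it is not, look for the
    #    <version>\x64 folders under the Windows Kits root so the report can name
    #    the exact directory that needs to be added to PATH.
    if (-not (Get-Command signtool.exe -ErrorAction SilentlyContinue)) {
        $found = Get-ChildItem -LiteralPath $KitsBinRoot -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'x64' } |
            Where-Object { Test-Path -LiteralPath (Join-Path $_ 'signtool.exe') -PathType Leaf }
        if ($found) {
            $problems += "signtool.exe is not on PATH. Add one of these directories to PATH: $($found -join '; ')"
        } else {
            $problems += "signtool.exe was not found on PATH or under $KitsBinRoot (install the Windows SDK)."
        }
    }

    if ($problems.Count -eq 0) {
        Write-Host 'OK: client certificate path and SignTool location look correct.'
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

Test-KeyLockerPrereqs
```

Run it in the same session (or as the same user) whose environment variables the healthcheck will see; a variable set only for another account will still fail.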

SignTool Errors:


SignTool Error: File not found

This error can be caused by any of the following:

  • The file name or containing folder does not exist.
  • There is a typographical error in either the file name or containing folder.
  • The file or containing folder contains at least one space.

Ensure that both the file name and its containing folder are spelled correctly.

If either the file name or the containing folder contains at least one space, enclose the full path to the file in quotation marks as follows: "c:\cs cert path\cert 1234567890.crt"

SignTool Error: No private key is available

This message appears if the incorrect keypair alias was specified in the signing command.

This message can also mean that your credentials have not been saved.

  • Run the following command: smctl credentials save <API token> <client certificate password>

A third possibility is that an incorrect API key was saved.

  • Run the following command to delete your credentials: smctl credentials delete
  • Add your credentials again as follows: smctl credentials save <API token> <client certificate password>


Signtool Error: The specified private key does not match the public key of the selected certificate.

This error can occur if the wrong code signing certificate file was specified in the signing command.

  • Log in to your DigiCert ONE account and download a copy of your code signing certificate from the correct certificate order.


Signtool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146893779/0x8009002d)

The above error means that you have not assigned a signer to your code signing certificate.

The error can also occur if the wrong password for the client certificate was used.

  • Run the following command to delete your credentials: smctl credentials delete
  • Add your credentials again as follows: smctl credentials save <API token> <client certificate password>

SignTool Error: No file digest algorithm specified. Please specify the digest algorithm with the /fd flag. Using /fd SHA256 is recommended and more secure than SHA1. Calling signtool with /fd sha1 is equivalent to the previous behavior. In order to select the hash algorithm used in the signing certificate's signature, use the /fd certHash option.

This error appears if the /fd flag is missing from the signing command.

  • Ensure that your signing command includes the /fd flag followed by the digest algorithm that you want to use. For example: /fd SHA256

This error can also occur if the path to the downloaded code signing certificate file, listed after the /f switch, contains spaces. For example: /f c:\cs cert path\cert_1234567890.crt

  • Enclose the full path to the file in quotation marks as follows: /f "c:\cs cert path\cert_1234567890.crt"
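As an added example (not DigiCert's or this article's own code), the following PowerShell wrapper builds the SignTool command so that the /fd flag is always present and every path, including paths with spaces, reaches signtool.exe as a single quoted argument, then verifies the resulting signature. The /csp, /kc, /f, /fd, /tr and /td switches are standard SignTool options; the KSP name, the timestamp URL and the keypair alias are assumptions that you should replace with the values from your own Configure KeyLocker for Microsoft SignTool setup.

```powershell
# Added example, not DigiCert's own tooling: wraps "signtool sign" so the
# /fd flag and path quoting errors described above cannot recur.
function Invoke-KeyLockerSign {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FilePath,      # binary to sign
        [Parameter(Mandatory)][string]$CertFile,      # /f  .crt downloaded from DigiCert ONE
        [Parameter(Mandatory)][string]$KeypairAlias,  # /kc keypair alias shown in DigiCert ONE
        [string]$TimestampUrl = 'http://timestamp.digicert.com',   # assumption
        [string]$Csp = 'DigiCert Signing Manager KSP'              # assumption
    )
    # Fail early with a clear message instead of "SignTool Error: File not found".
    foreach ($p in $FilePath, $CertFile) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }
    # PowerShell passes each array element to signtool.exe as one argument, so a
    # path with spaces is quoted for you. /fd SHA256 avoids the "No file digest
    # algorithm specified" error; /td SHA256 applies the same digest to the timestamp.
    $signArgs = @(
        'sign',
        '/csp', $Csp,
        '/kc',  $KeypairAlias,
        '/f',   $CertFile,
        '/fd',  'SHA256',
        '/tr',  $TimestampUrl,
        '/td',  'SHA256',
        $FilePath
    )
    & signtool.exe @signArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool sign failed with exit code $LASTEXITCODE"
    }

    # Confirm the Authenticode signature chains to a trusted root before shipping.
    & signtool.exe verify /pa /v $FilePath
    return ($LASTEXITCODE -eq 0)
}

# Example invocation with paths that contain spaces (constructed values):
# Invoke-KeyLockerSign -FilePath 'C:\build output\app.exe' `
#     -CertFile 'C:\cs cert path\cert_1234567890.crt' -KeypairAlias 'my-keypair'
```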

For a detailed guide to setting up KeyLocker for use with SignTool, see Configure KeyLocker for Microsoft SignTool.