Knowledge Base

This article covers the steps that are needed to configure your signing machine to use DigiCert KeyLocker with JarSigner.

Before you begin:

• Ensure that you have generated your KeyLocker API key and client certificate (see: KeyLocker Configuration for Windows).
• Log in to your DigiCert ONE account to view and copy the keypair alias for your code signing certificate.
• Designate a signer for your certificate in DigiCert ONE (see: Understanding Signer Privileges in KeyLocker: Ensuring Proper Assignment for Code Signing for more information).
• Download a copy of your code signing certificate from your DigiCert ONE account. This file is referenced in the SignTool command.
• Install the Java Development Kit (JDK). This can be downloaded here.

Set your Environment Variables:

1. Locate Environment Variables via the Start Menu.

2. The System Properties window will open. Click on the Environmental Variables button.

3. Highlight the Path variable and click Edit.

4. Click on New and enter the directory into which DigiCert KeyLocker Tools was installed.

  
Note: The default directory is C:\Program Files\DigiCert\DigiCert KeyLocker Tools\.

5. Click on New and enter the directory which contains the file jarsigner.exe.

6. Click OK to save the new paths and return to the Environment Variables window.

7. Create a new variable by clicking on New.

8. Enter the following:

• Variable name: SM_HOST
• Variable value: https://clientauth.one.digicert.com
  
  

Note: This variable specifies the URL which the signing machine uses to connect to KeyLocker.

Click OK to create the new variable.

9. Create a second new variable and enter the following:

• Variable name: SM_CLIENT_CERT_FILE
• Variable value: C:\clientcertpath\Certificate_pkcs12.p12
  
  

Note: This is the location of the client certificate which you downloaded from your DigiCert ONE account. This certificate is used to authenticate with KeyLocker.

Click OK to create the new variable.


10. Create a third variable and enter the following:

• Variable name: SM_API_KEY
• Variable value: Paste your API Key string into this field.
  

11. Create a fourth variable and enter the following:

• Variable name: SM_CLIENT_CERT_PASSWORD
• Variable value: Paste your client certificate password into this field.

12. Click OK in the Environment Variables window and again in the System Properties window to save the new variables.

Synchronize and test your certificate configuration:

1. Synchronize your certificate using the following command: smctl windows certsync --keypair-alias=<your keypair alias>


You should receive the following response: Syncing certificate for alias: <your keypair alias>, ID: <your certificate ID> and SHA1 Fingerprint: <your certificate SHA1 fingerprint>

2. Run the following command: smctl healthcheck


Ensure that the following items are correct:

• Username: Your DigiCert ONE user name.
• Host: https://clientauth.one.digicert.com
• API key: Your DigiCert ONE API key.
• Client certificate file path: The location of your client certificate.
• Client certificate password: The password for your client certificate.
  
  

If JarSigner has been mapped correctly, it will be displayed here:

Once you have confirmed that the information above is correct, you are ready to begin signing your files.

Sign your files:

NOTE: The JarSigner command references two files which are located in the DigiCert KeyLocker Tools folder: digicert-jce-1.0.jar and bcprov-jdk18on-1.77.jar

If you have not installed KeyLocker Tools v1.47.0 (or higher), these files will not be found.

The syntax for the signing command is as follows:

jarsigner -J-Djava.class.path=<file_path>\digicert-jce-1.0.jar;<file_path>\bcprov-jdk18on-1.77.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar <signed_jar_file> -sigalg <signature_algorithm> -tsa http://timestamp.digicert.com <unsigned_jar_file> <keypair alias>
 

Example:

jarsigner -J-Djava.class.path="C:\Program Files\DigiCert\DigiCert Keylocker Tools\digicert-jce-1.0".jar;"C:\Program Files\DigiCert\DigiCert Keylocker Tools\bcprov-jdk18on-1.77.jar" -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar C:\filestosignpath\myfile.jar -sigalg SHA256withRSA -tsa http://timestamp.digicert.com C:\filestosignpath\myfile.jar mykeylockercert

If the signing command was successful, you should see the following response:

You can confirm that the file was signed correctly by using the verify command.

The syntax to verify a signed file is as follows:
jarsigner -verify <file_to_be_verified>

Example:
jarsigner -verify c:\filestosignpath\myfile.jar

If the file was signed correctly, you should receive the following response:

For troubleshooting tips, see the article Troubleshoot KeyLocker for JarSigner using the Java Cryptography Library.