DigiCert KnowledgeBase - Technical Support


Configure KeyLocker for JarSigner using the PKCS#11 Library

Solution ID: TL35
Last Modified: 10/02/2024

This article covers the steps needed to configure your signing machine to sign JAR files with JarSigner using DigiCert KeyLocker through the KeyLocker PKCS#11 library.

Before you begin:

Set your Environment Variables:

1. Open Environment Variables from the Start Menu (search for "Edit the system environment variables").

2. The System Properties window will open. Click on the Environment Variables button.

3. Highlight the Path variable and click Edit.

4. Click on New and enter the directory into which DigiCert KeyLocker Tools was installed.

Note: The default directory is C:\Program Files\DigiCert\DigiCert KeyLocker Tools\.

5. Click on New and enter the directory which contains the file jarsigner.exe (the bin directory of your JDK installation).

6. Click OK to save the new paths and return to the Environment Variables window.

7. Create a new variable by clicking on New.



8. Enter the following:


Note: This variable specifies the URL which the signing machine uses to connect to KeyLocker.

Click OK to create the new variable.


9. Create a second new variable and enter the following:

  • Variable name: SM_CLIENT_CERT_FILE
  • Variable value: C:\clientcertpath\Certificate_pkcs12.p12

Note: This is the location of the client certificate which you downloaded from your DigiCert ONE account. This certificate is used to authenticate with KeyLocker. The PKCS#12 file also contains the private key for that authentication, so keep it on the signing machine only and restrict its file permissions to the account that runs the signing jobs.

Click OK to create the new variable.

10. Click OK in the Environment Variables window and again in the System Properties window to save the new variables.

Set your KeyLocker credentials and configure the PKCS#11 library:

1. Open a Command Prompt.

2. Run the following command: smctl credentials save <API token> <client certificate password>

Note: Both secrets are passed on the command line. Run this from a shell that does not persist command history (PowerShell's PSReadLine writes history to disk by default), or clear the history afterwards. The values are stored in the operating system's credential store, not in a file.

If the command is successful, you should receive the following response: Credentials saved to OS store



3. Create a file named pkcs11properties.cfg using Notepad. This is the configuration file for Java's SunPKCS11 provider; jarsigner is pointed at it with -providerArg in the signing command below.

Enter the following details into the file:

name=signingmanager
library=path\to\smpkcs11.dll
slotListIndex=0

Sample:

name=signingmanager
library=C:\Program Files\DigiCert\DigiCert KeyLocker Tools\smpkcs11.dll
slotListIndex=0

Place this file into the same folder as the file named smpkcs11.dll (e.g., C:\Program Files\DigiCert\DigiCert KeyLocker Tools\). The library line must point to the smpkcs11.dll that is actually installed on the machine; write the path unquoted, exactly as in the sample, even though it contains spaces.

Synchronize and test your certificate configuration:


1. Synchronize your certificate using the following command: smctl windows certsync --keypair-alias=<your keypair alias>


You should receive the following response: Syncing certificate for alias: <your keypair alias>, ID: <your certificate ID> and SHA1 Fingerprint: <your certificate SHA1 fingerprint>


2. Run the following command: smctl healthcheck

Ensure that the following items are correct:

  • Username: Your DigiCert ONE user name.
  • Host: https://clientauth.one.digicert.com
  • API key: Your DigiCert ONE API key.
  • Client certificate file path: The location of your client certificate.
  • Client certificate password: The password for your client certificate.

If JarSigner has been mapped correctly (its directory is on the Path), the healthcheck output lists it as well.

Once you have confirmed that the information above is correct, you are ready to begin signing your files.

Sign your files:

The syntax for the signing command is as follows:

jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <path to pkcs11properties.cfg> -signedjar <path to signed file output> <unsigned file path> <keypair alias> -tsa http://timestamp.digicert.com

Notes on the options:

  • -keystore NONE -storepass NONE is correct for this setup: the PKCS#11 library authenticates to KeyLocker with the credentials saved by smctl, not with a keystore password.
  • -sigalg must match the key type of your KeyLocker keypair (SHA256withRSA for an RSA key, SHA256withECDSA for an EC key). The example below omits it and instead sets -digestalg and -tsadigestalg to SHA-256, which pins the hash used for the entry digests and for the timestamp request.
  • Always include -tsa. Without a timestamp, nothing proves the signature was made while the certificate was valid, and verification will warn that the signer certificate has expired once it does.
  • Passing the same path as <path to signed file output> and <unsigned file path>, as in the example, signs the file in place.

Example:

jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "C:\Program Files\DigiCert\DigiCert KeyLocker Tools\pkcs11properties.cfg" -digestalg SHA-256 -signedjar C:\filestosignpath\myfile.jar C:\filestosignpath\myfile.jar mykeylockercert -tsa http://timestamp.digicert.com -tsadigestalg SHA-256


If the signing command was successful, jarsigner prints the following response: jar signed.

You can confirm that the file was signed correctly by using the verify command.

The syntax to verify a signed file is as follows:
jarsigner -verify <file_to_be_verified>

Example:
jarsigner -verify c:\filestosignpath\myfile.jar

If the file was signed correctly, you should receive the following response: jar verified.

A bare -verify only checks that the signature matches the JAR contents; it still reports "jar verified." (followed by a warning) when the signer certificate is not trusted or has expired. To check the signer as well, run jarsigner -verify -verbose -certs -strict <file_to_be_verified>: -certs prints the signer's certificate chain so you can compare it with the certificate that certsync reported for your alias, -verbose shows the signing timestamp on each entry, and -strict turns those warnings into a non-zero exit code that a build script can act on.
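The whole procedure above, from the environment variables through signing and verification, as a single PowerShell script. This is an added example and not DigiCert's code or anything from this article; it assumes KeyLocker Tools is in the default directory, that jarsigner.exe lives in %JAVA_HOME%\bin, that it runs in an elevated PowerShell session (it writes into Program Files), and that the variable from step 8 is named SM_HOST, which is an assumption: the article shows only its purpose and, in the healthcheck output, its value. Add-UserPathEntry is a helper written for this example, the file paths and the alias mykeylockercert are the article's placeholders, and the script goes beyond the article in two places: it restricts the client certificate's ACL and verifies with -strict.

```powershell
# Added example (not DigiCert's code): KeyLocker + jarsigner setup, signing and verification.
# Assumptions: default install directory, jarsigner in $env:JAVA_HOME\bin, elevated session,
# and SM_HOST as the name of the host variable (assumed; the article does not show the name).
$KeyLockerDir = 'C:\Program Files\DigiCert\DigiCert KeyLocker Tools'
$JdkBin       = Join-Path $env:JAVA_HOME 'bin'                 # assumed location of jarsigner.exe
$ClientCert   = 'C:\clientcertpath\Certificate_pkcs12.p12'     # the article's placeholder path
$KeyAlias     = 'mykeylockercert'                              # the article's placeholder alias
$Jar          = 'C:\filestosignpath\myfile.jar'

function Add-UserPathEntry([string]$Dir) {
    # Helper for this example: append $Dir to the persisted user Path once, and to this session.
    $parts = @([Environment]::GetEnvironmentVariable('Path', 'User') -split ';' | Where-Object { $_ })
    if ($parts -notcontains $Dir) {
        [Environment]::SetEnvironmentVariable('Path', (($parts + $Dir) -join ';'), 'User')
    }
    if (($env:Path -split ';') -notcontains $Dir) { $env:Path += ";$Dir" }
}

# Steps 1-10: Path entries and the two KeyLocker variables, persisted for the current user.
Add-UserPathEntry $KeyLockerDir
Add-UserPathEntry $JdkBin
$vars = @{
    SM_HOST             = 'https://clientauth.one.digicert.com'   # assumed variable name
    SM_CLIENT_CERT_FILE = $ClientCert
}
foreach ($name in $vars.Keys) {
    [Environment]::SetEnvironmentVariable($name, $vars[$name], 'User')
    Set-Item -Path "Env:\$name" -Value $vars[$name]
}

# The .p12 holds the private key that authenticates this machine to KeyLocker:
# drop inherited ACEs so only the signing account and SYSTEM can read it.
$acl = Get-Acl -Path $ClientCert
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ClientCert -AclObject $acl

# Credentials: prompt for the secrets so they are not stored in this script.
$apiToken = Read-Host -Prompt 'DigiCert ONE API token'
$p12Pass  = Read-Host -Prompt 'Client certificate password'
smctl credentials save $apiToken $p12Pass
if ($LASTEXITCODE -ne 0) { throw 'smctl credentials save failed' }

# pkcs11properties.cfg next to smpkcs11.dll, with the same content as the article's sample.
$cfg = Join-Path $KeyLockerDir 'pkcs11properties.cfg'
@(
    'name=signingmanager',
    "library=$(Join-Path $KeyLockerDir 'smpkcs11.dll')",
    'slotListIndex=0'
) | Set-Content -Path $cfg -Encoding ASCII

# Sync the certificate for the alias and confirm the client can reach KeyLocker.
smctl windows certsync --keypair-alias=$KeyAlias
if ($LASTEXITCODE -ne 0) { throw 'smctl windows certsync failed' }
smctl healthcheck
if ($LASTEXITCODE -ne 0) { throw 'smctl healthcheck failed' }

# Sign in place. -storepass NONE is correct: the PKCS#11 library authenticates with the
# saved API token and client certificate, not with a keystore password.
jarsigner -keystore NONE -storepass NONE -storetype PKCS11 `
    -providerClass sun.security.pkcs11.SunPKCS11 -providerArg $cfg `
    -digestalg SHA-256 -tsa http://timestamp.digicert.com -tsadigestalg SHA-256 `
    -signedjar $Jar $Jar $KeyAlias
if ($LASTEXITCODE -ne 0) { throw 'jarsigner signing failed' }

# Verify strictly: -strict makes an untrusted or expired signer a non-zero exit code,
# -certs prints the chain to compare against the certsync output, -verbose shows timestamps.
$report = (jarsigner -verify -verbose -certs -strict $Jar) -join "`n"
if ($LASTEXITCODE -ne 0 -or $report -notmatch 'jar verified') { throw "Verification failed:`n$report" }
if ($report -notmatch 'entry was signed on') { Write-Warning 'No timestamp found on the signed entries.' }
Write-Host "Signed and verified: $Jar"
```

The secrets are passed to smctl as command-line arguments because that is the interface smctl credentials save offers; the script only avoids writing them to disk. Run it once per signing machine; the Path and variable changes are persisted in the user scope, so later jarsigner invocations need only the signing command.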


For troubleshooting tips, see the article Troubleshoot KeyLocker for JarSigner using the PKCS#11 Library.