This article covers the steps that are needed to configure your signing machine to use DigiCert KeyLocker with jSign.
Before you begin:
Set your Environment Variables:
1. Locate Environment Variables via the Start Menu.
2. The System Properties window will open. Click on the Environment Variables button.
3. Highlight the Path variable and click Edit.
4. Click on New and enter the directory into which DigiCert KeyLocker Tools was installed.
Note: The default directory is C:\Program Files\DigiCert\DigiCert KeyLocker Tools\.
5. Click on New and enter the directory which contains the file jsign-5.0.jar.
6. Click OK to save the new paths and return to the Environment Variables window.
7. Create a new variable by clicking on New.
8. Enter the following:
Note: This variable specifies the URL which the signing machine uses to connect to KeyLocker.
Click OK to create the new variable.
9. Create a second new variable and enter the following:
Note: This is the location of the client certificate which you downloaded from your DigiCert ONE account. This certificate is used to authenticate with KeyLocker.
Click OK to create the new variable.
10. Click OK in the Environment Variables window and again in the System Properties window to save the new variables.
Set your KeyLocker credentials and register the KSP library:
1. Open a Command Prompt.
2. Run the following command: smctl credentials save <API token> <client certificate password>
If the command is successful, you should receive the following response: Credentials saved to OS store
3. Create a file named pkcs11properties.cfg using Notepad.
Enter the following details into the file:
name=signingmanager
library=path\to\smpkcs11.dll
slotListIndex=0
Sample:
name=signingmanager
library=C:\Program Files\DigiCert\DigiCert Keylocker Tools\smpkcs11.dll
slotListIndex=0
Place this file into the same folder as the file named smpkcs11.dll (e.g.: C:\Program Files\DigiCert\DigiCert Keylocker Tools\smpkcs11.dll)
Synchronize and test your certificate configuration:
1. Synchronize your certificate using the following command: smctl windows certsync --keypair-alias=<your keypair alias>
You should receive the following response: Syncing certificate for alias: <your keypair alias>, ID: <your certificate ID> and SHA1 Fingerprint: <your certificate SHA1 fingerprint>
2. Run the following command: smctl healthcheck
Ensure that the following items are correct:
Note: jSign is not listed among the mapped signing tools in the healthcheck.
Once you have confirmed that the information above is correct, you are ready to begin signing your files.
Sign your files:
The syntax for the signing command is as follows:
java -jar <path to jsign> --keystore <path to pkcs11properties.cfg> --storepass changeit --storetype PKCS11 --alias <keypair alias> <unsigned file>
Example:
java -jar "C:\jsignpath\jsign-5.0.jar" --keystore "C:\Program Files\DigiCert\DigiCert KeyLocker Tools\pkcs11properties.cfg" --storepass changeit --storetype PKCS11 --alias mykeylockercert "C:\filestosignpath\myfile.exe"
If the signing command was successful, you should see the following response:
To verify that the file was signed correctly, do the following:
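The following PowerShell script is an added example (not DigiCert's or Jsign's own code) that runs the signing step above end to end and then checks the result: it writes pkcs11properties.cfg beside smpkcs11.dll, signs with jsign, and confirms that the Authenticode signature is valid and was made by the certificate whose SHA1 fingerprint certsync reported. The tools directory, jar path, keypair alias, file to sign and the fingerprint are placeholders you must replace.

```powershell
# Added example, not part of the DigiCert article or the Jsign project.
$ErrorActionPreference = 'Stop'

# Placeholder values; adjust to your installation.
$toolsDir     = 'C:\Program Files\DigiCert\DigiCert KeyLocker Tools'
$jsignJar     = 'C:\jsignpath\jsign-5.0.jar'
$keypairAlias = 'mykeylockercert'
$fileToSign   = 'C:\filestosignpath\myfile.exe'
# Placeholder: paste the SHA1 fingerprint printed by "smctl windows certsync".
$expectedFingerprint = '0000000000000000000000000000000000000000'

# 1. Write pkcs11properties.cfg into the same folder as smpkcs11.dll,
#    exactly as the article requires.
$dll = Join-Path $toolsDir 'smpkcs11.dll'
if (-not (Test-Path $dll)) { throw "smpkcs11.dll not found at $dll" }
$cfg = Join-Path $toolsDir 'pkcs11properties.cfg'
@(
    'name=signingmanager'
    "library=$dll"
    'slotListIndex=0'
) | Set-Content -Path $cfg -Encoding ASCII

# 2. Sign. The private key never leaves KeyLocker; jsign reaches it only
#    through the PKCS#11 library named in the config file.
& java -jar $jsignJar --keystore $cfg --storepass changeit --storetype PKCS11 `
       --alias $keypairAlias $fileToSign
if ($LASTEXITCODE -ne 0) { throw "jsign exited with code $LASTEXITCODE" }

# 3. Verify: the signature must chain to a trusted root AND come from the
#    expected certificate, not merely from "some" valid signer.
$sig = Get-AuthenticodeSignature -FilePath $fileToSign
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
$wanted = ($expectedFingerprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$actual = $sig.SignerCertificate.Thumbprint.ToUpperInvariant()
if ($actual -ne $wanted) {
    throw "Signed by unexpected certificate $actual (expected $wanted)"
}
"Signed and verified: $fileToSign (signer $($sig.SignerCertificate.Subject))"
```

The thumbprint comparison is what catches a machine that is synced to the wrong keypair alias; a bare "Valid" status would not.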
For troubleshooting tips, see the article Troubleshoot KeyLocker for jSign using the PKCS#11 Library.