DigiCert KnowledgeBase - Technical Support

Configure KeyLocker for Microsoft SignTool

Solution ID : TL33
Last Modified : 10/02/2024

 

This article covers the steps needed to configure your signing machine to use DigiCert KeyLocker with Microsoft SignTool.

 

Before you begin:

 

Set your Environment Variables:

 

1. Locate Environment Variables via the Start Menu.


2. The System Properties window will open. Click on the Environment Variables button.


3. Highlight the Path variable and click Edit.

4. Click on New and enter the directory into which DigiCert KeyLocker Tools was installed.

 
Note:
The default directory is C:\Program Files\DigiCert\DigiCert KeyLocker Tools\.

5. Click on New and enter the directory which contains the file signtool.exe.




6. Click OK to save the new paths and return to the Environment Variables window.

7. Create a new variable by clicking on New.



8. Enter the following:


Note: This variable specifies the URL which the signing machine uses to connect to KeyLocker.

Click OK to create the new variable.


9. Create a second new variable and enter the following:

  • Variable name: SM_CLIENT_CERT_FILE
  • Variable value: C:\clientcertpath\Certificate_pkcs12.p12


Note: This is the location of the client certificate which you downloaded from your DigiCert ONE account. This certificate is used to authenticate with KeyLocker.

Click OK to create the new variable.


10. Click OK in the Environment Variables window and again in the System Properties window to save the new variables.

 

Set your KeyLocker credentials and register the KSP library:

1. Open a Command Prompt.



2. Run the following command: smctl credentials save <API token> <client certificate password>



If the command is successful, you should see the following response: Credentials saved to OS store

 

3. Run "smctl windows ksp list". This will confirm whether or not the DigiCert KSP libraries are registered.



If the DigiCert KSP libraries are not registered, run the following command: smctl windows ksp register

This will register the DigiCert KSP libraries.

 

Synchronize and test your certificate configuration:

 

1. Synchronize your certificate using the following command: smctl windows certsync --keypair-alias=<your keypair alias>


You should receive the following response: Syncing certificate for alias: <your keypair alias>, ID: <your certificate ID> and SHA1 Fingerprint: <your certificate SHA1 fingerprint>


2. Run the following command: smctl healthcheck


Ensure that the following items are correct:

  • Username: Your DigiCert ONE user name.
  • Host: https://clientauth.one.digicert.com
  • API key: Your DigiCert ONE API key.
  • Client certificate file path: The location of your client certificate.
  • Client certificate password: The password for your client certificate.

If SignTool has been mapped correctly, it will be displayed here:


Once you have confirmed that the information above is correct, you are ready to begin signing your files.


Sign your files:

The syntax for the signing command is as follows:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc <keypair_alias> /f <certificate_file_from_DC1> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed>

Example:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc mykeylockercert /f c:\cscertpath\cert_1234567890.crt /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 c:\filestosignpath\myfile.exe

If the signing command was successful, you should see the following response:



You can confirm that the file was signed correctly by using the verify command.

The syntax to verify a signed file is as follows:
signtool verify /pa <file_to_be_verified>


Example:
signtool verify /pa c:\filestosignpath\myfile.exe
 

If the file was signed correctly, you should receive the following response:


 

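As an added example (not part of the DigiCert article), the following PowerShell script ties the steps above together: it checks that smctl and signtool are on the PATH and that SM_CLIENT_CERT_FILE points at a real file, confirms the KSP is registered, signs one file with the syntax shown above, and then verifies the result both with signtool and with PowerShell's own Authenticode check. The keypair alias, certificate path and file path are assumed values taken from the example above.

```powershell
# Added example, not DigiCert's code. Assumed values: alias, certificate path, file path.
param(
    [string]$KeypairAlias = "mykeylockercert",                   # assumed alias
    [string]$CertFile     = "c:\cscertpath\cert_1234567890.crt", # assumed path
    [string]$FileToSign   = "c:\filestosignpath\myfile.exe"      # assumed path
)

# 1. Both tools must be resolvable through PATH (steps 4 and 5 of the Path setup).
foreach ($tool in "smctl", "signtool") {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "$tool not found on PATH; check the Path variable."
    }
}

# 2. The client certificate variable (step 9) must point at an existing file.
$clientCert = [Environment]::GetEnvironmentVariable("SM_CLIENT_CERT_FILE")
if (-not $clientCert -or -not (Test-Path -LiteralPath $clientCert)) {
    throw "SM_CLIENT_CERT_FILE is unset or does not point at a file."
}

# 3. Confirm the DigiCert KSP is registered before attempting to sign.
& smctl windows ksp list | Out-Null
if ($LASTEXITCODE -ne 0) { throw "smctl windows ksp list failed; run: smctl windows ksp register" }

# 4. Sign through the KSP with an RFC 3161 timestamp and SHA-256 digests, as in the article.
& signtool sign /csp "DigiCert Signing Manager KSP" /kc $KeypairAlias `
    /f $CertFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify against the default Authenticode policy (/pa), then cross-check
#    with PowerShell so a broken chain on this machine is caught as well.
& signtool verify /pa $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne "Valid") { throw "Authenticode status is $($sig.Status)" }
"Signed and verified: $FileToSign (signer: $($sig.SignerCertificate.Subject))"
```

Run it from the same Command Prompt or PowerShell session in which the environment variables and saved credentials are visible; a non-zero exit code from any step stops the script before an unsigned or badly signed file is released.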
For troubleshooting tips, see the article Troubleshoot KeyLocker for Microsoft SignTool.