What is DigiCert KeyLocker? Everything to Know About This Cloud-Based Solution
DigiCert offers a variety of platforms and solutions to organize and streamline code signing certificate operations. DigiCert KeyLocker is one of the solutions in its catalog. SMEs and enterprises use it to simplify their work and strengthen private key security, availability, and usage.
Many professionals consider DigiCert KeyLocker a must-have solution. If you are looking for a cloud-based HSM, this blog offers the insights you need about DigiCert KeyLocker.
What is DigiCert KeyLocker?
DigiCert KeyLocker is a cloud-based service that helps you generate and store the private key without a physical HSM (Hardware Security Module). It was developed to reduce certificate administrators’ efforts and strengthen private key security.
DigiCert ensures that KeyLocker aligns with the latest standards issued by the CA/Browser Forum. Currently, a FIPS 140-2 Level 3 HSM is the required standard for private key storage, and DigiCert KeyLocker complies with it. In addition, numerous globally recognized organizations trust this solution for better efficiency and collaboration.
Further, DigiCert KeyLocker was released on 30 May 2023, and until now, it has been a top choice among professionals.
Its robust features are its prime highlight, including the following:
- CAs can issue the private key directly into DigiCert KeyLocker.
- It’s a cloud-based service that ensures key availability from anywhere, 24/7.
- It can integrate with the CI/CD pipeline for automation purposes.
- You can generate 1,000 signatures per certificate using the KeyLocker.
- It makes logging and monitoring easy for the security teams.
- Cloud storage aligns with all regulatory and administrative standards.
- It helps you save money, as you are not required to purchase different HSMs for private keys of different code signing certificates.
- Time is also saved, as you don’t have to wait for a physical HSM to be delivered.
How Does DigiCert KeyLocker Work?
Before utilizing any of the solutions, it’s always recommended to understand its workflow. DigiCert KeyLocker works in a quite streamlined manner, combining the tasks that need to be completed by the user and the solution itself.
Its workflow executes per the following steps:
Step 1: Create an account on the DigiCert CertCentral platform.
Step 2: Contact a DigiCert representative through support or customer care, asking them to enable the KeyLocker facility on your CertCentral account.
Step 3: Use the CertCentral account to order a Code Signing Certificate. It’s recommended to use an OV or EV certificate for robust security and to sign any type of executable file.
Step 4: While ordering the certificate, select the provisioning method as DigiCert KeyLocker.
Step 5: DigiCert CertCentral will request to create a DigiCert ONE account for the approver. At this stage, the KeyLocker lead, who will have privileges equal to an admin, will be selected.
Following are the two cases used to select the KeyLocker lead.
- If the approved permissions are provided to the requester, then the requester is the KeyLocker lead.
- If the requester doesn’t have approved permission, then the certificate approver is the KeyLocker lead.
Step 6: After the KeyLocker lead selection, the organization’s CertCentral approver will receive emails about DigiCert ONE account creation and resetting the account’s password.
Step 7: The DigiCert KeyLocker will now create and store the private key on a cloud-based hardware security module.
Step 8: The KeyLocker will generate a certificate signing request (CSR) using the private key.
Step 9: The CSR will be uploaded to the CertCentral platform by the KeyLocker.
Step 10: The CA will assess the company information and issue you a code signing certificate as requested.
Step 11: The selected KeyLocker lead will sign into the DigiCert ONE account and invite additional users.
Step 12: The added users can now access the certificate and sign the supported executable files. Also, the KeyLocker lead can remove and add new users and modify their permissions on the platform.
Exclusive Benefits of DigiCert KeyLocker
If you choose DigiCert KeyLocker for generating and storing your code signing certificate private key, you gain the benefits listed below.
24/7 Availability
The DigiCert KeyLocker is a cloud-based mechanism, which means that you can access your private key anytime and anywhere you want. Regardless of the time and your physical location, you will be capable of signing software and releasing it for end-users. In addition, it will also help you select who can access the private key by configuring the roles and responsibilities per security and business architecture.
Compliance To Necessary Standards
Currently, the CA/Browser Forum requires private keys to be stored in a FIPS 140-2 Level 3 HSM. Any other HSM is not recommended, and its use is prohibited due to weaker security. By using DigiCert KeyLocker, you can be assured of aligning with the latest standards at all times. DigiCert is itself a certificate authority and updates its systems as soon as a new policy, protocol, or standard is defined.
Authentication and Authorization
The DigiCert KeyLocker platform enables you to add users per your needs and configure the policies accordingly. As a KeyLocker lead, you can add and remove users at any time and restrict their usage. Further, it allows you to configure multi-factor authentication so that only authorized signing activities take place.
Reduces Key Management Efforts
With KeyLocker, you are not required to manage a physical HSM device. All private keys and certificates are stored in the cloud-based solution. You only need to log into your CertCentral account, and access is provided. This removes the effort of handling a physical device and of applying additional physical security controls, such as biometrics or metal safes, to prevent unauthorized access.
Affordable
By using the KeyLocker solution, you save the money otherwise spent on purchasing a physical hardware token and installing security mechanisms around it. It also remains affordable in the long run, as DigiCert automatically updates its system to comply with new standards. Therefore, neither now nor in the future will you be required to buy an HSM device.
Executes All Significant Operations
The KeyLocker fulfills all the requirements and functionalities of a physical hardware security module. The HSM functionality is provided to you through a logical interface, but at the backend, a hardware device stores your private key. You can generate CSR, submit it to CA, receive the issued certificate, and sign the executable using this DigiCert solution.
CI/CD Integration
Nowadays, the DevOps development lifecycle is highly used by development teams. Most of this process is automated, and with KeyLocker, you can also integrate and automate software signing. All the signing processes will be completed in a secure environment, and you will receive a ready-to-release executable file.
In addition, DigiCert provides pre-built scripts and tools, which you can use to complete the integration within minutes.
The Prerequisites for Using the DigiCert KeyLocker
To use DigiCert KeyLocker, you are required to configure or obtain the following components and mechanisms:
API Key
The KeyLocker uses the API Key for authentication purposes when a user tries to call the program through an API.
The process to configure it is as follows:
Step 1: Open the DigiCert ONE account.
Step 2: Click on the “Profile Icon”.
Step 3: Choose “Admin Profile”.
Step 4: Go to the “On this page” section and choose “API Tokens”.
Step 5: Choose the “Create API Token” option.
Client Authentication Certificate
DigiCert KeyLocker uses an X.509 certificate to authenticate the users trying to access the services through an API.
To use the cloud-based HSM facility, you should generate a client certificate with the following process:
Step 1: Log in to the DigiCert ONE account.
Step 2: Click on the “Profile Icon”.
Step 3: Choose “Admin Profile”.
Step 4: Go to the “On this page” section, and under it, choose “Authentication Certificates”.
Step 5: Choose “Create Authentication Certificate”. Your X.509 client certificate will now be created.
Host Environment
The DigiCert ONE host value is required when you configure the environment variables for the client tools. The value is the same in all use cases, https://clientauth.one.digicert.com, and you will use it again while fulfilling the remaining requirements for using DigiCert KeyLocker.
Client Tools
You need to download the client tools using DigiCert ONE account by following the below steps:
Step 1: Navigate to Manage Menu and click on DigiCert KeyLocker
Step 2: Go to Resources and click on Client Tool Repository.
Step 3: Download the required tools to your machine and install them. Mainly, you will get the option to download Signing Manager Controller, DigiCert Click-to-Sign, PKCS11 library, and KSP library client tools.
PATH Environment Variable
The PATH variable is used by operating systems to locate executable files on your system. You are required to add the path to the signing tools so that executable files can be signed and timestamped.
The configuration of the PATH variable is different per the operating system.
For Windows:
Step 1: Open the Windows Start Menu, search for “Environment Variables”, open “Edit environment variables for your account”, select “Path”, and then click “New”.
Step 2: Browse and choose the path to client tools and save the settings.
Step 3 (Optional): You can use the CMD alternative by running the following command.
set PATH=%path%;<path to client tools>
For Linux:
Open the terminal and start executing the command as follows:
Command #1 to open the editor: nano ~/.profile
Command #2 to add the export definition (keep the existing $PATH, otherwise every other tool disappears from the shell): export PATH="$PATH:<Path to client tools>"
Then use “Ctrl + X” to exit the editor, “Y” to save, and press Enter.
Command #3 to restart the profile: source ~/.profile
For macOS:
Open the terminal and create a profile by running the command: “touch ~/.zprofile“
Now, open the file in an editor with “open ~/.zprofile” and add the export line: export PATH="$PATH:<Path to client tools>"
Lastly, save the profile by navigating to File and Save or use CMD + S. As a result, your PATH environment variable is configured.
Credential Security
You are required to secure your credentials, because anyone who obtains them gains your API key, authentication certificate, and PATH configuration. Choose the protection method according to your OS.
You can use Windows Credential Manager to secure your DigiCert ONE account username and password. On Linux or macOS, the pass utility and Keychain Access, respectively, are the best-in-class options.
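Because the PATH and credential steps above are easy to get wrong (an export line that omits $PATH removes every other tool from the shell, and a secret pasted into a profile file is readable by anything that can read that file), here is an added POSIX shell example, not DigiCert's own tooling, that checks the prerequisites from this section before a signing job runs and appends the client tools directory to PATH idempotently. The variable names SM_HOST, SM_API_KEY, SM_CLIENT_CERT_FILE and SM_CLIENT_CERT_PASSWORD are assumptions (the page names only the host constant); adjust them to what your DigiCert client tools expect.

```shell
#!/bin/sh
# Added example: prerequisite checks for a KeyLocker signing host.
# Assumed variable names (not taken from the page): SM_HOST, SM_API_KEY,
# SM_CLIENT_CERT_FILE, SM_CLIENT_CERT_PASSWORD.
KEYLOCKER_HOST="https://clientauth.one.digicert.com"   # constant given on the page

# Append a directory to PATH only if it is not already present. PATH is never
# assigned without "$PATH", so existing tools stay reachable, and re-sourcing
# a profile does not grow PATH with duplicates.
path_add() {
    case ":$PATH:" in
        *":$1:"*) ;;                                   # already on PATH
        *) PATH="${PATH:+$PATH:}$1"; export PATH ;;
    esac
}

# Return 0 when host, API key and client certificate are usable, else 1.
check_keylocker_env() {
    ok=0
    [ "$SM_HOST" = "$KEYLOCKER_HOST" ] || { echo "SM_HOST must be $KEYLOCKER_HOST"; ok=1; }
    [ -n "$SM_API_KEY" ] || { echo "SM_API_KEY is not set"; ok=1; }
    if [ -z "$SM_CLIENT_CERT_FILE" ]; then
        echo "SM_CLIENT_CERT_FILE is not set"; ok=1
    elif [ ! -r "$SM_CLIENT_CERT_FILE" ]; then
        echo "client certificate $SM_CLIENT_CERT_FILE is missing or unreadable"; ok=1
    fi
    [ -n "$SM_CLIENT_CERT_PASSWORD" ] || { echo "SM_CLIENT_CERT_PASSWORD is not set"; ok=1; }
    return $ok
}

# Return 1 if any given profile file hard-codes the API key or the certificate
# password. Those belong in a credential store (Credential Manager, pass,
# Keychain) and should be injected at signing time, not exported at login.
secrets_in_profile() {
    found=0
    for f in "$@"; do
        if [ -f "$f" ] && grep -qE '^[[:space:]]*(export[[:space:]]+)?SM_(API_KEY|CLIENT_CERT_PASSWORD)=' "$f"; then
            echo "secret hard-coded in $f"; found=1
        fi
    done
    return $found
}

# Typical use at the start of a signing job (placeholder path):
#   path_add "<Path to client tools>" && check_keylocker_env \
#       && secrets_in_profile "$HOME/.profile" "$HOME/.zprofile"
```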
How do you Integrate KeyLocker with the CI/CD Pipeline?
The DigiCert KeyLocker seamlessly integrates with CI/CD pipelines, helping you automate the code signing and timestamping procedure. DigiCert offers plugins and pre-build scripts according to all significant use cases. You can use any one of them to streamline your workflow.
As per software experts, using the plugin is recommended due to easy installation and quick usage. In comparison, scripts are complex to use and require professional support.
You can use any of the following plugins:
- Azure DevOps plugin
- GitHub custom action for keypair signing plugin
- Jenkins keypair signing plugin
Extended DigiCert KeyLocker Toolkit
The DigiCert KeyLocker offers an extended range of tools divided into five categories.
DigiCert KeyLocker Tools

| Category | Tools |
| --- | --- |
| Cryptographic Libraries and Frameworks | KSP Library, PKCS11 Library |
| Signing Tools | Signing Manager Controller, DigiCert Click-To-Sign |
| Tool Packages | Windows Clients Installer, Linux Clients, macOS Clients |
| Command Line Interface | Signing Manager Controller (SMTCL), Signing Manager Controller Command Manual |
| Custom Tool Settings | Environment Variables |
Conclusion
DigiCert KeyLocker helps you store the private key on a cloud-based HSM. It eliminates the efforts of managing a physical HSM and provides the remote access functionality to sign code regardless of time and location.
In addition, it’s an affordable, standards-compliant solution that every organization should consider. Once you start using DigiCert KeyLocker, your code signing operations will be streamlined, and the private key will be under more robust protection.