DigiCert offers a variety of platforms and solutions to gracefully organize and streamline the code signing certificate operations. DigiCert KeyLocker is one of the solutions in its exclusive catalog. SMEs and enterprises use it to ease their work and strengthen private key security, availability, and usage.<\/p>\n\n\n\n
Professionals prefer DigiCert KeyLocker as a must-have solution. If you are also looking for a cloud-based HSM, then you must undergo this blog, which offers insights about DigiCert KeyLocker.<\/p>\n\n\n\n
DigiCert KeyLocker is a cloud-based service that helps you generate and store the private key without a physical HSM (Hardware Security Module). It was developed to reduce certificate administrators’ efforts and strengthen private key security.<\/p>\n\n\n\n
DigiCert ensures that its KeyLocker aligns with the latest standards issued by the CA\/B council. Currently, FIPS 140-2 Level 3 is the required HSM standard, and DigiCert KeyLocker seamlessly complies with it. In addition, numerous globally recognized trust this solution for better efficiency and collaboration.<\/p>\n\n\n\n
Further, DigiCert KeyLocker was released on 30 May 2023, and until now, it has been a top choice among professionals. <\/p>\n\n\n\n
Its robust features are its prime highlight, including the following:<\/strong><\/p>\n\n\n\n Before utilizing any of the solutions, it’s always recommended to understand its workflow. DigiCert KeyLocker works in a quite streamlined manner, combining the tasks that need to be completed by the user and the solution itself. <\/p>\n\n\n\n Its workflow executes per the following steps:<\/strong><\/p>\n\n\n\n Step 1:<\/strong> Create an account on the DigiCert CertCentral platform.<\/strong><\/p>\n\n\n\n Step 2:<\/strong> Contact a DigiCert representative through support or customer care<\/strong>, asking them to enable the KeyLocker facility on your CertCentral account<\/strong>.<\/p>\n\n\n\n Step 3:<\/strong> Use the CertCentral account to order a Code Signing Certificate<\/a><\/strong>. It’s recommended to use an OV and EV certificate for robust security and to sign any type of executable file.<\/p>\n\n\n\n Step 4:<\/strong> While ordering the certificate, select the provisioning method as DigiCert KeyLocker<\/strong>.<\/p>\n\n\n\n Step 5:<\/strong> DigiCert CertCentral will request to create a DigiCert ONE account for the approver<\/strong>. At this stage, the KeyLocker lead<\/strong>, who will have privileges equal to an admin, will be selected. <\/p>\n\n\n\n Following are the two cases used to select the KeyLocker lead.<\/strong><\/p>\n\n\n\n Step 6:<\/strong> After the KeyLocker lead selection, the organization’s CertCentral approver will receive emails about DigiCert ONE account creation<\/strong> and resetting the account’s password<\/strong>.<\/p>\n\n\n\n Step 7:<\/strong> The DigiCert KeyLocker will now create<\/strong> and store the private key on a cloud-based hardware security module<\/strong>.<\/p>\n\n\n\n Step 8:<\/strong> The KeyLocker will generate a code signing request (CSR) using the private key<\/strong>.<\/p>\n\n\n\n Step 9:<\/strong> The CSR will be uploaded to the CertCentral<\/strong> platform by the KeyLocker<\/strong>.<\/p>\n\n\n\n Step 10:<\/strong> The CA will assess the company information<\/strong> and issue you a code signing certificate<\/strong> as requested.<\/p>\n\n\n\n Step 11:<\/strong> The selected KeyLocker lead will sign into the DigiCert ONE account<\/strong> and invite additional users<\/strong>.<\/p>\n\n\n\n Step 12:<\/strong> The added users can now access the certificate<\/strong> and sign the supported executable files<\/strong>. Also, the KeyLocker lead can remove and add new users and modify their permissions on the platform.<\/p>\n\n\n\n If you choose DigiCert KeyLocker for generating and storing your code signing certificate private key, you can avail of the following listed benefits.<\/p>\n\n\n\n The DigiCert KeyLocker is a cloud-based mechanism, which means that you can access your private key anytime and anywhere you want. Regardless of the time and your physical location, you will be capable of signing software and releasing it for end-users. In addition, it will also help you select who can access the private key by configuring the roles and responsibilities per security and business architecture.<\/p>\n\n\n\n Currently, the CA\/B<\/a> enables storage of private keys in a FIPS 140-2 Level 3 HSM. Any other HSM is not recommended, and its usage is prohibited due to weak security. But, by using DigiCert KeyLocker, you can be assured of aligning with the latest standards all the time. DigiCert itself is a certificate authority and updates its overall systems as soon as a new policy\/protocol\/standard is defined.<\/p>\n\n\n\n The DigiCert KeyLocker platform enables you to add the user per your needs and configure the policies accordingly. As a KeyLocker lead, you can remove and add new user regardless of the time and even restrict their usage. Further, it allows to configure multi-factor authentication to enable only authorized signing activities.<\/p>\n\n\n\n With KeyLocker, you are not required to manage a physical HSM device. All the private keys and certificates will be stored on a cloud-based solution. You are only required to log into your CertCentral account, and access will be provided. It will reduce the effort of handling the physical device and use additional security controls, such as biometrics or metal safes, to prevent unauthorized access.<\/p>\n\n\n\n By using the KeyLocker solution, you can save money used for purchasing a physical hardware token and installation of security mechanisms. In addition, it will be affordable in the long run, as DigiCert will automatically update its system to comply with new standards. Therefore, not now or in the future, you will be required to buy an HSM device.<\/p>\n\n\n\n The KeyLocker fulfills all the requirements and functionalities of a physical hardware security module. The HSM functionality is provided to you through a logical interface, but at the backend, a hardware device stores your private key. You can generate CSR, submit it to CA, receive the issued certificate, and sign the executable using this DigiCert solution.<\/p>\n\n\n\n Nowadays, the DevOps development lifecycle<\/a> is highly used by development teams. Most of this process is automated, and with KeyLocker, you can also integrate and automate software signing. All the signing processes will be completed in a secure environment, and you will receive a ready-to-release executable file.<\/p>\n\n\n\n In addition, DigiCert provides pre-build scripts and tools, which you can use to complete integration within minutes.<\/p>\n\n\n\n To use the DigiCert KeyLocker, you are required to configure or avail of the following components\/mechanisms:<\/p>\n\n\n\n The KeyLocker uses the API Key for authentication purposes when a user tries to call the program through an API. <\/p>\n\n\n\n The process to configure it is as follows:<\/strong><\/p>\n\n\n\n Step 1:<\/strong> Open the DigiCert ONE account<\/strong>.<\/p>\n\n\n\n Step 2:<\/strong> Click on the \u201cProfile Icon<\/strong>\u201d.<\/p>\n\n\n\n Step 3: <\/strong>Choose \u201cAdmin Profile<\/strong>\u201d.<\/p>\n\n\n\n Step 4:<\/strong> Go to the “On this page<\/strong>” section and choose “API Tokens<\/strong>“<\/p>\n\n\n\n Step 5:<\/strong> Choose the “Create API Token<\/strong>” option.<\/p>\n\n\n\n DigiCert KeyLocker uses an X.509 certificate<\/a> to authenticate the users trying to access the services through an API. <\/p>\n\n\n\n To use the cloud-based HSM facility, you should generate a client certificate with the following process:<\/strong><\/p>\n\n\n\n Step 1:<\/strong> Log in to the DigiCert ONE account<\/strong>.<\/p>\n\n\n\n Step 2:<\/strong> Click on the “Profile Icon<\/strong>“<\/p>\n\n\n\n Step 3:<\/strong> Choose \u201cAdmin Profile<\/strong>\u201d<\/p>\n\n\n\n Step 4:<\/strong> Go to the “On this page<\/strong>” section, and under it, choose “Authentication Certificates<\/strong>“.<\/p>\n\n\n\n Step 5: <\/strong>Choose “Create Authentication Certificate<\/strong>” Now, your X.509 certificate will be created.<\/p>\n\n\n\n The host value of DigiCert ONE is required while setting the PATH environment variable. The value in all use cases is constant: https:\/\/clientauth.one.digicert.com<\/a>, and you will also be using it while fulfilling the requirements for using DigiCert KeyLocker.<\/p>\n\n\n\n You need to download the client tools using DigiCert ONE account by following the below steps:<\/p>\n\n\n\n Step 1:<\/strong> Navigate to Manage Menu and click on DigiCert KeyLocker<\/strong><\/p>\n\n\n\n Step 2:<\/strong> Go to Resources<\/strong> and click on Client Tool Repository<\/strong>.<\/p>\n\n\n\n Step 3: Download the required tools to your machine and install them<\/strong>. Mainly, you will get the option to download Signing Manager Controller, DigiCert Click-to-Sign, PKCS11 library, and KSP library client tools.<\/p>\n\n\n\n The PATH variable is used by operating systems to locate the files on your system. You are required to define the path to signing tools so that executable files can be signed and timestamped. <\/p>\n\n\n\n The configuration of the PATH variable is different per the operating system.<\/strong><\/p>\n\n\n\n Step 1:<\/strong> Windows Start Menu<\/strong> and click on Search<\/strong> and open \u201cEnvironment Variables<\/strong>\u201d and Click \u201cEdit Environment Variables for your Account<\/strong>\u201d and Click on \u201cPath<\/strong>\u201d then Click “New<\/strong>“<\/p>\n\n\n\n Step 2:<\/strong> Browse and choose the path to client tools<\/strong> and save the settings.<\/p>\n\n\n\n Step 3 (Optional): <\/strong>You can use the CMD alternative<\/strong> by running the following command.<\/p>\n\n\n\n Open the terminal and start executing the command as follows:<\/p>\n\n\n\n Command #1<\/strong> to open the editor: nano ~\/.profile<\/strong><\/p>\n\n\n\n Command #2<\/strong> to add exports definition: export PATH=<Path to client tools><\/strong><\/p>\n\n\n\n Further, use “Ctrl +X<\/strong>” to exit the editor and “Y<\/strong>” to save and click enter.<\/p>\n\n\n\n Command #3<\/strong> to restart the profile: source ~\/.profile<\/strong><\/p>\n\n\n\n Open the terminal and create a profile by running the command: \u201ctouch ~\/.zprofile<\/strong>“ Lastly, save the profile by navigating to File and Save<\/strong> or use CMD + S<\/strong>. As a result, your PATH environment variable is configured.<\/p>\n\n\n\n You are required to secure your credentials, as their unauthorized usage can reveal your API Key, authentication certificate, and PATH variable. According to your OS, you can choose the security method.<\/p>\n\n\n\n You can utilize the Windows Credential Manager to secure your DigiCert ONE account username and password. If you use Linux or macOS, then Linux Pass and Keychain Access facilities are the best-in-class security solutions to use.<\/p>\n\n\n\n The DigiCert KeyLocker seamlessly integrates with CI\/CD pipelines<\/a>, helping you automate the code signing and timestamping procedure. DigiCert offers plugins and pre-build scripts according to all significant use cases. You can use any one of them to streamline your workflow.<\/p>\n\n\n\n As per software experts, using the plugin is recommended due to easy installation and quick usage. In comparison, scripts are complex to use and require professional support.<\/p>\n\n\n\n You can use any of the following plugins:<\/strong><\/p>\n\n\n\n The DigiCert KeyLocker offers an extended range of tools divided into five categories.<\/p>\n\n\n\n\n
How Does DigiCert KeyLocker Work?<\/h2>\n\n\n\n
\n
Exclusive Benefits of DigiCert KeyLocker<\/h2>\n\n\n\n
24\/7 Availability<\/h3>\n\n\n\n
Compliance To Necessary Standards<\/h3>\n\n\n\n
Authentication and Authorization<\/h3>\n\n\n\n
Reduces Key Management Efforts<\/h3>\n\n\n\n
Affordable<\/h3>\n\n\n\n
Executes All Significant Operations<\/h3>\n\n\n\n
CI\/CD Integration<\/h3>\n\n\n\n
The Prerequisites for Using the DigiCert KeyLocker<\/h2>\n\n\n\n
API Key<\/h3>\n\n\n\n
Client Authentication Certificate<\/h3>\n\n\n\n
Host Environment<\/h3>\n\n\n\n
Client Tools<\/h3>\n\n\n\n
PATH Environment Variable<\/h3>\n\n\n\n
For Windows:<\/h4>\n\n\n\n
set PATH=%path%;<path to client tools><\/code><\/pre>\n\n\n\nFor Linux:<\/h4>\n\n\n\n
For macOS:<\/h4>\n\n\n\n
Now, open an editor and add the exports by using the commands: \u201copen ~\/.zprofile<\/strong>\u201d and \u201cexport PATH=<Path to client tools>,”<\/strong> respectively.<\/p>\n\n\n\nCredential Security<\/h3>\n\n\n\n
How do you Integrate KeyLocker with the CI\/CD Pipeline?<\/h2>\n\n\n\n
\n
Extended DigiCert KeyLocker Toolkit<\/h2>\n\n\n\n