How to Setup Credentials for Windows to Use DigiCert KeyLocker & SMCTL?

Setup Credentials to Use KeyLocker and SMCTL

Before you can securely sign software or automate code signing in your Windows environment, you will need to configure your credentials for DigiCert® KeyLocker and the Signing Manager Command-Line Tool (SMCTL).

Your credentials authenticate your local signing tools to DigiCert ONE. They decide who and what can request a signature; the private keys themselves never leave DigiCert's HSM, so the credentials are what an attacker would need to sign in your name.

This document walks through setting up and managing those credentials on Windows for KeyLocker and SMCTL, and through the checks that confirm they work.

Prerequisites

Before we get started, make sure you have:

DigiCert ONE Host Environment

The DigiCert ONE Host Environment will be your centralized connection point between your system and DigiCert services.

The Host Environment defines the API endpoint (e.g., https://one.digicert.com) that your SMCTL client will communicate with.

It provides the ability to request certificates, manage keys, and sign requests in a secure way through the DigiCert ONE infrastructure.

DigiCert ONE API Key

The DigiCert ONE API key is the token SMCTL presents to authenticate to DigiCert ONE on every request. It carries whatever permissions the API user behind it has (including signing), so treat it exactly like a password: never commit it, paste it into a ticket, or leave it in shell history.

Create the API key in the DigiCert ONE dashboard for the user or service account that will sign. SMCTL uses it to sign and to manage certificates and key pairs.

DigiCert ONE Client Authentication Certificate and Password

The client authentication certificate is used for mutual TLS: DigiCert ONE verifies it on every connection in addition to the API key, so a leaked API key on its own is not enough to sign. The password protects the private key inside the certificate file.

The certificate is normally downloaded as a password-protected PKCS#12 file (.pfx or .p12; a .pem export is also possible). Keep the file and its password apart, restrict the file's ACL to the account that signs, keep it out of source control and build artifacts, and share it only with people or build agents that are authorized to sign.

DigiCert KeyLocker Client Installed

The DigiCert KeyLocker client installs a Windows Key Storage Provider (KSP) that presents keys held in DigiCert's cloud Hardware Security Module (HSM) to local tools such as signtool.exe as if they were local keys.

The private keys are generated and used inside the HSM; only the signing request travels to DigiCert and the signature comes back. That is what keeps the keys within the private-key protection requirements for code signing without a physical token on your machine.

Administrative Access on Windows

Administrative access is needed to install the KeyLocker client and its KSP, to change machine-wide settings such as system environment variables, and to write to the local machine certificate store.

It is not needed for day-to-day signing: per-user credentials, session variables and certificate sync work under a standard account. Run the signing step itself under a least-privileged account, so that a compromised build job does not also gain administrative rights on the signing host.


Steps to Set Up Credentials

Step 1: Decide on the Credential Storage Method

DigiCert offers four ways to supply credentials on Windows, with different trade-offs between convenience and exposure.

  • Windows Credential Manager (best option): the API key and certificate password are encrypted with DPAPI, bound to your Windows user account, and never written to a file you manage.
  • Properties File: the values sit in a .properties file that SMCTL reads. Convenient for build systems, but the secrets are plain text on disk and their safety depends entirely on file permissions.
  • Temporary Environment Variables: variables set in the current session only. Suitable for one-off signing or ephemeral build agents.
  • Persistent Environment Variables: variables written to the registry with setx. Not recommended: they survive reboots, are inherited by every process you start, and in machine scope are readable by every user on the host.

Step 2: Add Credentials Using Windows Credential Manager (Secure Option)

Windows Credential Manager encrypts stored secrets with DPAPI, bound to your Windows user account, so other users on the machine (and anyone who reads the disk offline) cannot recover them.

Use SMCTL's own command for this rather than a generic cmdkey entry, so that SMCTL finds the credentials where it expects them.

  • Open a Command Prompt or PowerShell window as the user account that will run the signing (administrator rights are not needed for per-user credentials).
  • Run the command below to save the API key and client certificate password:
smctl credentials save <api_key> <client_cert_password>
  • Set the two non-secret values, SM_HOST and SM_CLIENT_CERT_FILE, as environment variables for that user; SMCTL needs them alongside the saved credentials.
  • Verify the credentials were stored by opening Control Panel → Credential Manager → Windows Credentials.

This keeps the API key and certificate password out of plain-text files. Two caveats: a secret typed on the command line lands in the shell history (clear it afterwards, or prompt for the values in a script), and any process running as your user account can retrieve DPAPI-protected credentials, so Credential Manager guards against other users and offline disk access, not against malware already running in your session.

Step 3: Set Up Session-Based Environment Variables (Temporary Setup)

For a one-off signing session, you can define the variables SMCTL reads in PowerShell or Command Prompt. They live only in that process and its children and disappear when the window closes. SMCTL reads these variable names:

$env:SM_HOST = "https://one.digicert.com"
$env:SM_API_KEY = "<your_api_key>"
$env:SM_CLIENT_CERT_FILE = "C:\Certs\client_auth_cert.pfx"
$env:SM_CLIENT_CERT_PASSWORD = "<your_password>"

This approach suits ephemeral build agents or virtual machines that are discarded after the job. Keep in mind that the values are inherited by every child process the session starts, and that a literal key typed at the prompt ends up in the PowerShell history file; in a pipeline, inject the secrets from the runner's secret store (which also masks them in logs) instead of typing them.

Step 4: Use a Properties File (Automated Systems)

For CI/CD environments or automated tools, you can store the settings in a properties file that SMCTL reads.

  • Create a file named smctl.properties in a secure location, such as:
C:\Users\<Username>\.signingmanager\smctl.properties
  • Add the following content, using the same variable names SMCTL reads from the environment:
SM_HOST=https://one.digicert.com
SM_API_KEY=<your_api_key>
SM_CLIENT_CERT_FILE=C:\Certs\client_auth_cert.pfx
SM_CLIENT_CERT_PASSWORD=<your_password>
  • Restrict the file's ACL so that only the account that runs the signing can read it: remove the inherited permissions and grant that single account. Keep the file out of source control and out of build artifacts.

The file is still plain text on disk, so this option trades security for convenience. It is acceptable on a dedicated build agent whose disk and backups are themselves access-controlled and on which no untrusted jobs run.

Step 5: Avoid Persistent Environment Variables

setx writes a variable to the registry (HKCU\Environment for the user scope, HKLM for the machine scope), so it survives logouts and reboots. Do not use it for SM_API_KEY or SM_CLIENT_CERT_PASSWORD.

A machine-scope value is readable by every account on the host, and a user-scope value is inherited by every process you start, including ones you would not trust with a signing key; either is visible to anyone who can open System Properties or read the registry. Persisting the non-secret SM_HOST and SM_CLIENT_CERT_FILE this way is fine. Persist the secrets only on an isolated, non-production machine, if at all.
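A check for this step, added here as an example rather than taken from the article or from DigiCert: the PowerShell below looks for SMCTL secrets that setx has persisted in either registry scope and removes them. It assumes SMCTL's variable names SM_API_KEY and SM_CLIENT_CERT_PASSWORD; add any other names you use to $SecretNames.

```powershell
# Added example (not from the original article or DigiCert): find and remove
# SMCTL secrets that setx has persisted to the registry.
# Assumption: the secrets live under SMCTL's variable names listed below.
$SecretNames = @('SM_API_KEY', 'SM_CLIENT_CERT_PASSWORD')

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = [Security.Principal.WindowsPrincipal]::new($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Find-PersistedSmctlSecret {
    # setx writes to HKCU\Environment (User scope) or, with /M, to
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment (Machine).
    # Reading each scope explicitly avoids being fooled by the current
    # process environment, which is all that $env: shows.
    $findings = @()
    foreach ($scope in 'User', 'Machine') {
        foreach ($name in $SecretNames) {
            $value = [Environment]::GetEnvironmentVariable($name, $scope)
            if (-not [string]::IsNullOrEmpty($value)) {
                $findings += [pscustomobject]@{
                    Name   = $name
                    Scope  = $scope
                    # Never print the value itself; its length is enough to triage.
                    Length = $value.Length
                }
            }
        }
    }
    return $findings
}

function Remove-PersistedSmctlSecret {
    param([switch]$WhatIf)
    foreach ($f in Find-PersistedSmctlSecret) {
        if ($f.Scope -eq 'Machine' -and -not (Test-IsAdmin)) {
            Write-Warning "$($f.Name) is set machine-wide; rerun elevated to remove it."
            continue
        }
        if ($WhatIf) {
            Write-Host "Would remove $($f.Name) ($($f.Scope) scope)"
            continue
        }
        # Passing $null deletes the registry value and broadcasts the change.
        [Environment]::SetEnvironmentVariable($f.Name, $null, $f.Scope)
        # Also drop it from this session so the current shell stops passing it on.
        Remove-Item -Path "Env:\$($f.Name)" -ErrorAction SilentlyContinue
        Write-Host "Removed $($f.Name) from $($f.Scope) scope"
    }
}

# Usage: report first, dry-run, then remove for real.
Find-PersistedSmctlSecret | Format-Table -AutoSize
Remove-PersistedSmctlSecret -WhatIf
# Remove-PersistedSmctlSecret
```

Processes that were already running keep their inherited copy of the variable until they restart, so a reboot of the host finishes the cleanup. A key that has been sitting in the registry should be treated as exposed and rotated in DigiCert ONE, not just deleted locally.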

Step 6: Verify Configuration and Credential Source

To confirm the setup, run an SMCTL command that needs a working API key and client certificate, such as:

smctl keypair ls
  • If the configuration is correct, SMCTL lists the key pairs in KeyLocker that the API key is authorized to use.
  • For troubleshooting, read the SMCTL log at:
C:\Users\<Username>\.signingmanager\logs\smctl.log

The log records which credential source (environment variable, file, or Credential Manager) was used for each run, so check it first when a credential appears to be ignored.
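The whole procedure end to end, as an added PowerShell example that is not the article's or DigiCert's own code. It sets the two non-secret values for the session, prompts for the secrets so they never appear on a command line, stores them through SMCTL's own credentials save subcommand (or, for an ephemeral CI agent, in session variables only), locks the certificate file to the current account with icacls, then runs smctl healthcheck and smctl keypair ls and tails the log. Assumptions: smctl.exe is on PATH, the DigiCert ONE host is https://one.digicert.com, and the client certificate is C:\Certs\client_auth_cert.pfx; the credentials save and healthcheck subcommands are SMCTL's, not mentioned above.

```powershell
# Added example (not from the article or DigiCert): set up SMCTL credentials
# for this session and verify them, without putting secrets on the command
# line or in a plain-text file.
# Assumptions: smctl.exe is on PATH, the DigiCert ONE host is
# https://one.digicert.com, and the client certificate is C:\Certs\client_auth_cert.pfx.
$ErrorActionPreference = 'Stop'

$SmHost     = 'https://one.digicert.com'
$ClientCert = 'C:\Certs\client_auth_cert.pfx'

function Protect-PrivateFile([string]$Path) {
    # Drop inherited ACEs and leave only the current account with read access.
    # Apply the same to a properties file if you keep one (Step 4).
    $acct = "$env:USERDOMAIN\$env:USERNAME"
    & icacls $Path /inheritance:r /grant:r "${acct}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function ConvertTo-PlainText([securestring]$Secure) {
    # NetworkCredential performs the SecureString -> string decode for us.
    return [System.Net.NetworkCredential]::new('', $Secure).Password
}

function Invoke-Smctl([string[]]$Arguments) {
    # Run an smctl subcommand and fail loudly on a non-zero exit code;
    # PowerShell does not throw on external command failure by itself.
    & smctl @Arguments
    if ($LASTEXITCODE -ne 0) { throw "smctl $($Arguments -join ' ') exited $LASTEXITCODE" }
}

# 1. Non-secret settings: safe to keep in the session environment.
$env:SM_HOST             = $SmHost
$env:SM_CLIENT_CERT_FILE = $ClientCert
if (-not (Test-Path $ClientCert)) { throw "Client certificate not found: $ClientCert" }
Protect-PrivateFile $ClientCert

# 2. Secrets: prompted, so they enter neither shell history nor a log.
$apiKey   = Read-Host 'DigiCert ONE API key' -AsSecureString
$certPass = Read-Host 'Client certificate password' -AsSecureString

# 3a. Interactive workstation: let SMCTL store them in Windows Credential
#     Manager (DPAPI, bound to this user) and keep nothing else around.
Invoke-Smctl @('credentials', 'save', (ConvertTo-PlainText $apiKey), (ConvertTo-PlainText $certPass))

# 3b. Ephemeral CI agent: comment out 3a and use session variables instead,
#     populated from the runner's secret store rather than Read-Host.
# $env:SM_API_KEY              = ConvertTo-PlainText $apiKey
# $env:SM_CLIENT_CERT_PASSWORD = ConvertTo-PlainText $certPass

# 4. Verify: healthcheck exercises host, API key and client certificate;
#    keypair ls additionally proves the key is authorized for KeyLocker keys.
Invoke-Smctl @('healthcheck')
Invoke-Smctl @('keypair', 'ls')

# 5. The log names the credential source that was actually used.
$log = Join-Path $env:USERPROFILE '.signingmanager\logs\smctl.log'
if (Test-Path $log) { Get-Content $log -Tail 20 }
```

Run it as the account that will sign: the icacls grant and the Credential Manager entry are both tied to that account, so a service account on a build agent must execute the script itself rather than an administrator doing it on its behalf. The SecureString handling protects the values in memory and history only; once handed to smctl or placed in $env:, they are ordinary strings, which is why Option 3a is preferred wherever a session will outlive the job.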

Conclusion

Properly configured credentials are the foundation of a secure and reliable code signing workflow on Windows. With DigiCert KeyLocker and SMCTL your private keys stay in a cloud HSM, and the credential method you choose determines who and what can sign with them.

Obtain your trusted Code Signing Certificate and configure DigiCert KeyLocker integration with SignMyCode to sign, verify, and protect your code with enterprise-grade security.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.