Anna Shipman

Configure DigiCert KeyLocker KSP Library

1. Download the DigiCert KeyLocker KSP Library

If you've already installed the Windows Client Installer, congratulations, the KSP is already downloaded and registered for you.

But if not, here's what to do:

  • Log in to your DigiCert KeyLocker portal.
  • In the KeyLocker menu, go to Resources → Client Tool Repository.
  • Find the latest KSP version that matches your OS.
  • Click the download icon.

Once downloaded, install it just like any other Windows application.

2. Register the KSP Library

Now let's get it recognised by Windows. Open Command Prompt (with admin privileges), then run:

smctl windows ksp register

This command registers the DigiCert KeyLocker KSP with Windows CryptoAPI.

3. Check the KSP Installation

To make sure it is all configured properly, execute this command:

certutil.exe -csp "DigiCert Software Trust Manager KSP" -key -user

This confirms that your system can authenticate successfully with the DigiCert KeyLocker service. If the command completes without errors, congrats! Your KSP is up, and you can sign safely.

4. Synchronise Certificates

Now, for your signing tools to actually access the private keys (stored safely in KeyLocker), you'll need to sync your certificates to the local store.

Don't worry, this doesn't move your private key. It stays secure in DigiCert's cloud. You're just syncing the certificate metadata.

Run this command:

smctl windows certsync

Then, open Certificate Manager to check:

certmgr.msc

Make sure you're viewing the correct user account. Each Windows account has its own certificate store. If you can see your certificate listed there, you're good to go.

5. Start Signing

Now comes the exciting part: actually signing your files.

For example, to sign an executable:

signtool sign /n "Your Certificate Name" /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 yourapp.exe

Your signing request goes securely through the KSP library to DigiCert KeyLocker, which signs the hash and returns the signature.
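A PowerShell wrapper around steps 4 and 5 that checks the synced certificate before signing and verifies the result afterwards. This is an added example, not part of the original post or DigiCert's tooling; the certificate name and file name are the same placeholders used in the signtool command above.

```powershell
# Added example. $CertName and $File are placeholders, as in step 5.
param(
    [string]$CertName = 'Your Certificate Name',
    [string]$File     = 'yourapp.exe'
)
$ErrorActionPreference = 'Stop'

# 1. Pre-flight: the synced certificate must sit in THIS user's store (step 4),
#    carry the code-signing EKU, be unexpired, and be linked to a key.
$found = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*$CertName*" -and $_.NotAfter -gt (Get-Date) })
if ($found.Count -eq 0) {
    throw "No valid code-signing certificate matching '$CertName' in the store of $env:USERNAME. Run 'smctl windows certsync' as this user."
}
if ($found.Count -gt 1) {
    throw "$($found.Count) certificates match '$CertName'; the /n selection would be ambiguous."
}
$cert = $found[0]
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no key association. Re-run certsync."
}

# 2. Sign with the same options as the command in step 5.
& signtool sign /n $CertName /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool exited with code $LASTEXITCODE" }

# 3. Post-check: the signature validates, was made by the expected
#    certificate, and carries a timestamp countersignature.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signed by $($sig.SignerCertificate.Thumbprint), expected $($cert.Thumbprint)"
}
if (-not $sig.TimeStamperCertificate) {
    throw 'No timestamp found; the signature stops validating when the certificate expires.'
}
"OK: $File signed by $($cert.Subject), timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Run it as the same Windows account that ran certsync, since each account has its own certificate store.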
