Anna Shipman

Windows Credential Configuration for DigiCert KeyLocker & SMCTL

Prerequisites

Before starting the credential setup process, ensure the following components are in place. Each one plays a specific role in establishing a secure connection between your Windows environment and DigiCert's signing infrastructure.

DigiCert ONE Host Environment

The DigiCert ONE Host Environment serves as the centralized connection point between your local system and DigiCert's cloud services. It defines the API endpoint that your SMCTL client communicates with during signing and certificate management operations. A typical endpoint looks like https://one.digicert.com. This host address tells SMCTL where to send requests for certificate issuance, key management, and signing operations through the DigiCert ONE infrastructure.

DigiCert ONE API Key

The API key functions as an authentication token. When the SMCTL client connects to DigiCert KeyLocker, it presents this key to verify your identity and authorize access to your account. Think of it as a machine-readable password that grants controlled access to your DigiCert ONE resources.

You can generate an API key through the DigiCert ONE dashboard. Once generated, treat it with the same level of protection you would give any sensitive credential. Anyone with access to this key can potentially interact with your DigiCert account programmatically.

DigiCert ONE Client Authentication Certificate and Password

This certificate establishes mutual authentication between your local system and DigiCert's servers. While the API key verifies who you are, the client authentication certificate verifies that your machine itself is authorized to communicate with DigiCert's infrastructure.

The certificate is typically saved in .pem or .pfx format and is protected by a password. Both the certificate file and its password should be stored securely with access restricted to authorized users only. Unauthorized access to this certificate could allow someone to initiate signing operations from an unapproved system.

DigiCert KeyLocker Client

The KeyLocker client bridges your Windows environment to DigiCert's cloud-based Hardware Security Module (HSM). It integrates with the Windows Key Storage Provider (KSP), allowing your system to reference private keys stored securely in DigiCert's infrastructure without ever downloading them to your local machine.

This architecture ensures that your cryptographic keys never leave DigiCert's protected environment, maintaining both security and compliance requirements for code signing operations.

Administrative Access on Windows

Administrative privileges are required because the setup process involves modifying system-level settings such as environment variables, certificate stores, and credential entries. Without administrative access, installing the KeyLocker client, storing credentials through Windows Credential Manager, and syncing certificates will either fail or produce restricted configurations that prevent successful signing.


Steps to Set Up Credentials

1. Choose a Credential Storage Method

DigiCert supports four methods for storing credentials on Windows. Each method balances convenience and security differently, so the right choice depends on your environment and workflow.

  • Windows Credential Manager is the most secure option for interactive use. It encrypts credentials under your Windows user profile, making them accessible only when you are logged in. This is the recommended approach for most users.
  • Properties File stores credentials in a .properties file that SMCTL reads automatically. This method is better suited for automated signing workflows and CI/CD build systems where interactive login is not practical.
  • Temporary Environment Variables exist only for the duration of your current terminal session. Once you close the window, the variables disappear. This is appropriate for one-time signing tasks or isolated sessions where credentials should not persist.
  • Persistent Environment Variables are stored permanently in your system environment. This method is generally discouraged because the values are visible to anyone with access to your system's environment configuration, creating an unnecessary security exposure.

2. Store Credentials Using Windows Credential Manager

Windows Credential Manager encrypts your credentials and ties access to your Windows user account. This prevents credentials from being stored in plain text anywhere on the system.

Open either Command Prompt or PowerShell with administrator privileges. Run the following command to add your credentials:

cmdkey /add:digicert.one /user:<username> /pass:<api_key_or_password>

To verify that the credentials were stored correctly, navigate to Control Panel → Credential Manager → Windows Credentials. Your DigiCert entry should appear in the list.

This method ensures that your API key and certificate password remain encrypted at rest and are only accessible under your authenticated Windows session.

3. Set Up Temporary Environment Variables

For short-lived signing sessions, you can define environment variables directly in your PowerShell or Command Prompt window. These variables exist only within that session and are automatically discarded when the window closes.

$env:DIGICERT_ONE_HOST = "https://one.digicert.com"
$env:DIGICERT_ONE_API_KEY = "<your_api_key>"
$env:DIGICERT_ONE_CLIENT_CERT_PATH = "C:\Certs\client_auth_cert.pem"
$env:DIGICERT_ONE_CLIENT_CERT_PASSWORD = "<your_password>"

This approach works well in secure build pipelines or on isolated virtual machines that are reset after each deployment cycle. Because the variables are never written to disk, there is no residual credential exposure after the session ends.
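As an added example (my code, not part of the original post or DigiCert's tooling), the PowerShell function below wraps the session-scoped approach above: it sets the four variables in process scope only, runs one SMCTL command, and removes them in a finally block even if the command fails. The function name, its parameters, and the pre-check that refuses to run when a persistent copy of any variable already exists are my assumptions; the variable names and default values are the ones shown above.

```powershell
# Added example: session-scoped SMCTL credentials with guaranteed cleanup.
function Invoke-WithSmctlSession {
    param(
        [Parameter(Mandatory)] [string]$ApiKey,
        [Parameter(Mandatory)] [string]$CertPassword,
        [string]$DigicertHost = "https://one.digicert.com",
        [string]$ClientCert   = "C:\Certs\client_auth_cert.pem",
        [scriptblock]$Command = { smctl keypair list }   # any SMCTL command
    )
    $names = @("DIGICERT_ONE_HOST", "DIGICERT_ONE_API_KEY",
               "DIGICERT_ONE_CLIENT_CERT_PATH", "DIGICERT_ONE_CLIENT_CERT_PASSWORD")

    # A persistent (setx-style) copy in User or Machine scope would remain after this
    # session ends, which defeats the point of session variables, so refuse to continue.
    foreach ($n in $names) {
        foreach ($scope in "User", "Machine") {
            if ([Environment]::GetEnvironmentVariable($n, $scope)) {
                throw "$n is set persistently in $scope scope; remove it before using session variables."
            }
        }
    }

    try {
        # Process scope only: these values never reach the registry or other sessions.
        $env:DIGICERT_ONE_HOST                 = $DigicertHost
        $env:DIGICERT_ONE_API_KEY              = $ApiKey
        $env:DIGICERT_ONE_CLIENT_CERT_PATH     = $ClientCert
        $env:DIGICERT_ONE_CLIENT_CERT_PASSWORD = $CertPassword
        & $Command
    }
    finally {
        # Clear on success and on failure so the secrets do not linger in an interactive shell.
        foreach ($n in $names) { Remove-Item -Path "Env:$n" -ErrorAction SilentlyContinue }
    }
}

# Usage with placeholder values; supply the real ones from a secret store or a script.
Invoke-WithSmctlSession -ApiKey "<your_api_key>" -CertPassword "<your_password>"
```

Pass the values in from a secret store or a script rather than typing them at an interactive prompt, since interactive shells may record the command line, including the literal key, in their command history.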

4. Use a Properties File for Automated Systems

In CI/CD environments or automated build systems where no one is present to enter credentials interactively, a properties file provides a practical alternative.

Create a file named smctl.properties in a secure directory. The default location SMCTL checks is:

C:\Users\<Username>\.signingmanager\smctl.properties

Add the following content to the file:

DIGICERT_ONE_HOST=https://one.digicert.com
DIGICERT_ONE_API_KEY=<your_api_key>
DIGICERT_ONE_CLIENT_CERT_PATH=C:\Certs\client_auth_cert.pem
DIGICERT_ONE_CLIENT_CERT_PASSWORD=<your_password>

After saving the file, restrict its permissions so that only the specific Windows user account running the build process has read access. This prevents other users or services on the same machine from reading your credentials.

This method integrates well with automated pipelines where code signing is embedded as a build step and human interaction during the process is not feasible.
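The following PowerShell script is an added example, not part of the original post or DigiCert's tools: it writes smctl.properties to the default path named above and then replaces the file's inherited ACL with a single entry for the account running it, which is the permission restriction the step calls for. The parameter names and placeholder values are assumptions to replace with your own.

```powershell
# Added example: create smctl.properties and limit read access to the current account.
param(
    [string]$DigicertHost = "https://one.digicert.com",
    [string]$ApiKey       = "<your_api_key>",
    [string]$ClientCert   = "C:\Certs\client_auth_cert.pem",
    [string]$CertPassword = "<your_password>"
)

# Default location SMCTL checks: C:\Users\<Username>\.signingmanager\smctl.properties
$dir  = Join-Path $env:USERPROFILE ".signingmanager"
$file = Join-Path $dir "smctl.properties"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Keys match the names SMCTL reads from the properties file.
@(
    "DIGICERT_ONE_HOST=$DigicertHost",
    "DIGICERT_ONE_API_KEY=$ApiKey",
    "DIGICERT_ONE_CLIENT_CERT_PATH=$ClientCert",
    "DIGICERT_ONE_CLIENT_CERT_PASSWORD=$CertPassword"
) | Set-Content -Path $file

# Stop inheriting the profile directory's ACL, drop every existing rule, and grant
# only the current user read and write access.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $me, "Read, Write", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

# Verify: the effective ACL must list exactly one identity, the current user.
$remaining = @((Get-Acl -Path $file).Access | ForEach-Object { $_.IdentityReference.Value })
if ($remaining.Count -ne 1 -or $remaining[0] -ne $me) {
    throw "Unexpected ACL on ${file}: $($remaining -join ', ')"
}
Write-Host "Wrote $file; access limited to $me"
```

For a CI agent, run the script as the service account that executes the build so that the single ACL entry names that account rather than the administrator who set it up.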

5. Why Persistent Environment Variables Are Not Recommended

While it is technically possible to store credentials permanently using the setx command, doing so creates a significant security risk. Persistent environment variables are visible to anyone who can access the system's environment configuration through System Properties or the command line.

Storing sensitive values like API keys and certificate passwords in persistent environment variables means they remain exposed indefinitely, even across reboots and user sessions. This method should only be considered in fully isolated, non-production environments where the machine has no exposure to unauthorized users.

6. Verify Your Configuration

After completing the credential setup using any of the methods above, verify that everything is working correctly by running an SMCTL command. For example:

smctl keypair list

If the configuration is successful, SMCTL will connect to DigiCert KeyLocker and return a list of available key pairs associated with your account.

If the command fails or returns an authentication error, check the SMCTL log files for detailed diagnostic information. Logs are located at:

C:\Users\<Username>\.signingmanager\logs

The log entries will indicate which credential source SMCTL attempted to use during execution - whether it pulled from the Windows Credential Manager, a properties file, or environment variables. This information is helpful for identifying misconfigurations or credential storage conflicts when multiple methods are present on the same system.

Source - How to Setup Credentials for Windows to Use DigiCert KeyLocker & SMCTL?
