How to Configure DigiCert KeyLocker on Windows (Step-by-Step Guide)
DigiCert KeyLocker is a cloud-based, FIPS-compliant HSM (Hardware Security Module) solution that simplifies code signing while keeping your private key secure in the cloud. For Windows developers, configuring KeyLocker ensures a compliant, secure, and scalable signing environment.
In this step-by-step guide, we’ll walk you through how to configure DigiCert KeyLocker on a Windows system—from requesting your certificate to signing code using KeyLocker.
What is DigiCert KeyLocker?
DigiCert KeyLocker is a cloud-hosted solution for securely managing private keys associated with code signing certificates. Instead of storing keys locally—which poses a security risk—KeyLocker keeps them encrypted in a DigiCert-managed cloud HSM.
Key Benefits:
- Cloud HSM Protection - Eliminates risks of local key theft or exposure.
- Centralized Key Management - Assign and control access to signing keys for team members or build systems.
- Secure Remote Signing - Sign code from anywhere with proper authorization.
- Compliance Ready - Meets modern CA/B Forum requirements for EV Code Signing Certificates and beyond.
Initial Requirements
Before you get started, make sure the following are in place:
- Active DigiCert CertCentral account with KeyLocker access.
- Purchased Standard or EV Code Signing Certificate with KeyLocker option.
- Administrator privileges on your Windows system.
- Compatible Windows OS (Windows 10, 11, Server 2016 or newer).
- Firewall rules that allow outbound traffic from the system to DigiCert cloud services.
Generate a KeyLocker Request on DigiCert
- Log in to CertCentral: https://www.digicert.com/account/login
- Navigate to Certificates: click the “Certificates” tab, then choose “Request a Certificate”.
- Select Certificate Type: choose EV or Standard Code Signing Certificate, then select KeyLocker as the key generation method.
- Provide Organization Details:
  - Submit legal business details.
  - If required, complete organization validation or reuse an existing one.
- Submit & Wait for Approval: DigiCert may take 1-2 days to validate and approve your certificate request.
Install the DigiCert KeyLocker Client
Once approved, install the KeyLocker client to manage and use your cloud-hosted key.
- Download the Client: go to the Tools section in CertCentral and download the KeyLocker Windows client.
- System Requirements:
  - .NET Framework 4.7.2 or higher
  - Windows PowerShell 5.1+
  - Internet connection with access to DigiCert endpoints
- Installation Steps:
  - Run the installer .exe
  - Follow the on-screen instructions.
  - Reboot the system (if prompted).
  - Open PowerShell and run:
    keylocker --version
    A version number in the output confirms the installation was successful.
Configure KeyLocker on Windows
Authenticate with DigiCert
Use your DigiCert API key or CertCentral credentials:
keylocker login --api-key <your-api-key>
Link Certificate to KeyLocker Client
Associate the approved certificate with your local environment:
keylocker list-certificates
Generate or Import Key
Normally, DigiCert auto-generates the key inside the cloud HSM; you only link it to your client and never handle the key material yourself.
Verify Key Presence
Run:
keylocker list-keys
This should list your key with ACTIVE status.
Set Access Permissions
- Define which users or build agents can access the key via roles in CertCentral.
- Use RBAC (Role-Based Access Control) for auditing and restrictions.
Using KeyLocker to Sign Code on Windows
Configure SignTool or PowerShell
Use SignTool.exe, which ships with the Windows SDK:
signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /k <key-id> /kc DigiCertKeyLocker yourApp.exe
Replace <key-id> with the actual key identifier from your KeyLocker setup.
Integrate with CI/CD
You can easily plug KeyLocker into:
- Azure DevOps pipelines
- GitHub Actions
- Jenkins
- TeamCity
Use secure environment variables to pass API keys to signing jobs.
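The following PowerShell script is an added example for this guide (it is not part of the original post and not DigiCert's own tooling). It ties the SignTool command above to the CI/CD advice in this section: the API key and key identifier are read from environment variables rather than being written into the pipeline definition, the page's keylocker and signtool commands are run with their exit codes checked, and the job only succeeds if SignTool can verify the resulting signature and finds a timestamp on it. The variable names KEYLOCKER_API_KEY and KEYLOCKER_KEY_ID, and the assumption that keylocker.exe and signtool.exe are on PATH, are choices made for this example and are not from the page.

```powershell
# Added example for this guide, not DigiCert's code: sign one file from a CI
# job using the commands shown on the page, then verify the result.
# Assumptions (not on the page): the environment variable names
# KEYLOCKER_API_KEY and KEYLOCKER_KEY_ID, and keylocker/signtool on PATH.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$FilePath      # e.g. .\yourApp.exe
)

$ErrorActionPreference = 'Stop'

# Read a secret from the environment and fail early if it is missing, so the
# job never reaches signtool with an empty key id or API key.
function Get-RequiredEnv {
    param([string]$Name)
    $value = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "Required environment variable '$Name' is not set."
    }
    return $value
}

$apiKey = Get-RequiredEnv -Name 'KEYLOCKER_API_KEY'
$keyId  = Get-RequiredEnv -Name 'KEYLOCKER_KEY_ID'

if (-not (Test-Path -LiteralPath $FilePath)) {
    throw "File to sign not found: $FilePath"
}

# Authenticate with the page's login command. The key is passed as an
# argument only; it is never written to the build log.
& keylocker login --api-key $apiKey
if ($LASTEXITCODE -ne 0) { throw "keylocker login failed (exit $LASTEXITCODE)." }

# Sign exactly as the guide does: SHA-256 file digest, RFC 3161 timestamp from
# DigiCert, SHA-256 timestamp digest, key chosen by its KeyLocker identifier.
& signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 `
    /k $keyId /kc DigiCertKeyLocker $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit $LASTEXITCODE)." }

# Post-signing check with SignTool's own verifier: /pa applies the default
# Authenticode policy, /v prints the signer chain and timestamp details.
# A signature without a timestamp stops validating once the certificate
# expires, so a missing timestamp is treated as a failure here.
$verifyOutput = & signtool verify /pa /v $FilePath
if ($LASTEXITCODE -ne 0) {
    $verifyOutput | Write-Host
    throw "Signature verification failed for $FilePath."
}
if (-not ($verifyOutput -match 'timestamp')) {
    throw "Signature on $FilePath is not timestamped."
}

Write-Host "Signed and verified: $FilePath"
```

Run it from the pipeline step as `.\Sign-WithKeyLocker.ps1 -FilePath .\yourApp.exe` after the CI system has injected the two variables from its secret store (Azure DevOps secret variables, GitHub Actions secrets, Jenkins credentials, or TeamCity password parameters). Keeping the verification step in the same script means a misconfigured key id or an unreachable timestamp server fails the build immediately instead of shipping an unsigned or untimestamped binary.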
Common Troubleshooting
| Issue | Fix |
| --- | --- |
| Key not found | Check keylocker list-keys and confirm login and permissions. |
| Auth failure | Re-authenticate with a valid API key or credentials. |
| Timestamp error | Use the DigiCert trusted timestamp URL: http://timestamp.digicert.com |
Recommended Best Practices
- Use RBAC to manage who can sign code.
- Enable logging to track signing events.
- Set certificate renewal reminders before expiry.
- Never export or download private keys — rely solely on KeyLocker cloud HSM.
Conclusion
DigiCert KeyLocker transforms the code signing experience for Windows developers by offering:
- Centralized cloud-based security
- Streamlined signing across teams
- Full compliance with modern security policies
By following the steps outlined above, you can confidently configure and use DigiCert KeyLocker to securely sign software—whether manually or via automation tools.
FAQs
Q: Do I need a hardware token with KeyLocker?
A: No. KeyLocker replaces hardware tokens with cloud-based HSM.
Q: Can I use KeyLocker with multiple machines?
A: Yes, once installed and authenticated, you can use it across trusted systems.