How to Sign Executables Using DigiCert KeyLocker CloudHSM
In today’s cybersecurity landscape, code signing is not just a best practice—it’s a necessity. Ensuring your software is authentic, untampered, and trusted by operating systems and end-users alike requires robust key protection mechanisms. Enter DigiCert KeyLocker, a cloud-based HSM (Hardware Security Module) solution that offers secure key storage and signing, all without the hassles of on-prem HSMs or USB tokens.
In this post, we’ll walk through how to sign Windows executables using DigiCert KeyLocker CloudHSM, and what makes this approach superior to traditional methods.
Why DigiCert KeyLocker?
Before jumping into the technical steps, let’s understand why organizations are adopting DigiCert KeyLocker:
- Cloud-Native HSM: No need for physical hardware or secure rooms.
- FIPS 140-2 Level 3 Compliance: Meets strict security standards for key management.
- Integrated Access Control: Use role-based permissions to delegate who can sign and what they can sign.
- Audit Logging: Track every signing event for compliance.
- Zero Key Exportability: Your private keys never leave the HSM boundary.
Prerequisites
To sign executables using DigiCert KeyLocker, you'll need:
- An active DigiCert Code Signing Certificate provisioned in KeyLocker.
- Access to the DigiCert KeyLocker portal.
- The DigiCert Signing Manager Client installed locally.
- Your code signing tools (e.g., signtool.exe for Windows).
Step 1: Install the Signing Manager Client
DigiCert’s Signing Manager Client is your secure bridge between your development environment and the KeyLocker CloudHSM.
- Download the Signing Manager Client from your DigiCert account: https://www.digicert.com/account
- Install it using administrator privileges:
msiexec /i SigningManagerClient.msi
- Authenticate the client with your DigiCert account and enroll the client to access your key(s).
Step 2: Configure Your Environment
Once installed, configure the client to use your specific signing profile:
smctl enroll
You’ll be prompted to log in and choose the signing certificate you want to use. The tool will securely link your local client to the cloud key, without ever exposing the private key locally.
Step 3: Use SignTool with DigiCert KeyLocker
If you're signing a Windows .exe or .dll file, you'll typically use Microsoft’s signtool.exe. With DigiCert KeyLocker, the signing process routes through the Signing Manager.
Here’s the command to sign an executable:
signtool sign /fd SHA256 /a /tr http://timestamp.digicert.com /td SHA256 /sm /n "Your Organization Name" yourapp.exe
Explanation:
- /fd SHA256: Digest algorithm used to hash the file being signed.
- /a: Automatically selects the best signing certificate among those matching the other selection options.
- /tr: RFC 3161 timestamp server URL, so the signature stays valid after the certificate expires.
- /td SHA256: Digest algorithm used for the timestamp.
- /sm: Use the local machine certificate store rather than the current user's store; the Signing Manager presents the cloud-held certificate there, while the private key stays in KeyLocker.
- /n: Common name (subject) of your certificate.
- yourapp.exe: The target file to sign.
After running this command, your executable is cryptographically signed using the private key stored securely in the KeyLocker CloudHSM.
Step 4: Verify the Signature
You can verify the signature with:
signtool verify /pa /v yourapp.exe
Look for the "Successfully verified" message and check that the certificate chain ends at a DigiCert root.
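The four steps above can be wrapped in a single script that fails closed: it checks that the Signing Manager-backed certificate is actually present in the machine store, signs, verifies, and then refuses to report success unless the signature carries a timestamp and chains to a DigiCert root. This is an added example written for this post, not DigiCert's own tooling. It assumes signtool.exe is on PATH, that smctl enroll has already been run, and that the certificate appears in Cert:\LocalMachine\My (matching the /sm switch used above). It pins the certificate by thumbprint with signtool's /sha1 switch instead of the /a and /n selection shown in the post, so a second certificate in the same store cannot be picked by accident.

```powershell
# Added example (not from the original post): sign a Windows binary through the
# Signing Manager-presented certificate and verify the result end to end.
param(
    [Parameter(Mandatory)] [string] $Path,                      # file to sign, e.g. .\yourapp.exe
    [Parameter(Mandatory)] [string] $SubjectName,               # certificate CN, e.g. "Your Organization Name"
    [string] $TimestampUrl = 'http://timestamp.digicert.com',   # RFC 3161 server from the post
    [string] $SignTool = 'signtool.exe'                         # assumes signtool is on PATH
)

$ErrorActionPreference = 'Stop'

# 1. Confirm the certificate is visible in the machine store before calling signtool.
#    Assumption: Signing Manager surfaces the KeyLocker-held certificate in LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with CN '$SubjectName' and a usable key handle in Cert:\LocalMachine\My. Run 'smctl enroll' first."
}
Write-Host "Signing with thumbprint $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 2. Sign. /sha1 pins the exact certificate; /tr and /td request an RFC 3161 timestamp.
& $SignTool sign /fd SHA256 /sm /sha1 $cert.Thumbprint /tr $TimestampUrl /td SHA256 $Path
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify against the default Authenticode policy, then inspect the signature object.
& $SignTool verify /pa /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)', expected 'Valid'"
}
if (-not $sig.TimeStamperCertificate) {
    throw "Signature has no timestamp; it will stop validating when the certificate expires"
}

# 4. Build the chain and require a DigiCert root, as the verification step asks.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$null = $chain.Build($sig.SignerCertificate)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -notmatch 'DigiCert') {
    throw "Chain root is '$($root.Subject)', not a DigiCert root"
}
Write-Host "OK: $Path is signed, timestamped, and chains to '$($root.Subject)'"
```

Run it as `.\Sign-WithKeyLocker.ps1 -Path .\yourapp.exe -SubjectName "Your Organization Name"`. The timestamp and chain checks are the part most often skipped in CI: signtool verify returns success for an untimestamped signature, but that signature becomes invalid the day the certificate expires, which is exactly the failure the /tr switch exists to prevent.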
Best Practices
- Use Timestamping: Always include a timestamp so the signature remains valid after certificate expiry.
- Enable Audit Logging: Review logs in the DigiCert portal for security and compliance.
- Use Role-Based Access: Restrict signing permissions to specific team members or CI/CD pipelines.
- Rotate Access Credentials regularly and remove unused clients.
Final Thoughts
DigiCert KeyLocker offers a scalable, cloud-native solution for code signing that doesn’t compromise on security. By keeping your keys in a certified HSM and simplifying access through Signing Manager, it eliminates the risks of key theft, malware-based signing, and rogue insiders.
If you're modernizing your software supply chain, building reputation with Windows Defender SmartScreen, or meeting stricter compliance standards like SOC 2 or ISO 27001, DigiCert KeyLocker should be part of your toolkit.