Get rid of the token and start signing in the cloud

Feb 9, 2024 | Jindřich Zechmeister

All customers using Code Signing certificates are well aware that obtaining and storing them is only possible with a token or HSM. Now finally comes relief and the ability to get rid of the token forever; at the same time, you don't have to invest in an expensive hardware HSM. The option to automate signing is the icing on the cake

KeyLocker means a revolution in signing

Signing using cloud and hash-signing methods was previously reserved for DigiCert ONE and Software Trust Manager. However, for most customers, this service is like using a "sledgehammer to crack a nut" as it offers unnecessarily many options. Acquiring it is more complicated because you need to estimate the number of signatures per year and license that amount. Lastly, DigiCert ONE is not financially accessible to everyone.

Therefore, a simple yet robust service that you automatically receive with the purchased certificate, where you don't have to worry about anything, makes much more sense. You can start signing immediately after the certificate issuance. Introducing the new DigiCert KeyLocker.

KeyLocker provides you with:

  • Storage certified according to the FIPS 140-2 Level 3 standard
  • Key generation, protection, and signing without the need to wait for a token delivery.
  • A cloud service that allows remote signing or sharing the certificate with colleagues working elsewhere.
  • Seamless integration with popular CI/CD pipelines.
  • Each KeyLocker allows you to generate up to 1,000 signatures during the certificate's validity period. This limit can be increased by purchasing additional units.

The signing process does not change for you and remains exactly the same. So, there is no reason to stick with an outdated token and sign everything manually.

Finally, you can automate signing

Just as TLS certificates are used on every website, every software developer signs their work to publish it and make applications trustworthy for customers. Nowadays, agile development prevails in companies, where developers deliver new updates and features to customers daily. Therefore, it's crucial to automatically sign all outputs to ensure not only their origin but also their immutability (integrity) and thus credibility.

With a certificate stored on a token, automation of signing is not possible because entering the token's password is required for each signature. Furthermore, you need to have the token physically available, and signing over remote desktop does not work. Tokens have long been causing headaches for all software developers, primarily delaying them.

In contrast, signing with KeyLocker can be integrated into your existing CI/CD pipeline and fully automated. DigiCert has prepared plugins for major platforms - Azure DevOps, GitHub, and Jenkins. More information can be found on the plugins page; there are also integration scripts available. If you are concerned about increased data transfers over the network for large applications, you don't have to worry; the application does not move to DigiCert entirely over the network, only its hash (fingerprint). This makes signing fast.

Get KeyLocker along with the certificate

Obtaining KeyLocker is easy - just choose KeyLocker as the certificate location (provisioning) when ordering a Code Signing certificate. After requesting the certificate, you will automatically receive an invitation to a new KeyLocker account in DigiCert ONE. However, after ordering and issuing the certificate, you will not receive a token, but you will find the certificate in KeyLocker service. Therefore, you have the certificate available immediately after issuance and don't have to wait for the token delivery. Nothing will slow you down in signing.

An article Signing with KeyLocker cloud HSM will serve as a guide in your initial steps with the new service and help you with signing operations.

The new era of digital code signing is here, so don't hesitate and join the satisfied KeyLocker users.

Additional resources and information:

  1. KeyLocker service documentation available at
  2. Help article on signing with KeyLocker available at Signing with KeyLocker cloud HSM

Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)