DigiCert KeyLocker (cloud HSM) Order

DigiCert KeyLocker is a cloud-based HSM. It is used to generate and store keys that you can then use to sign code and applications. Thanks to KeyLocker, you can sign from anywhere and share the certificate between multiple people. You no longer need to share a single token with a stored Code Signing certificate.

 HSM   Cloud HSM (DigiCert ONE)
FIPS/CC   FIPS 140-2-2 a CC EAL4+ standards
1000   cryptooperations
<1 min   waiting time

Safe storage is required for all Code Signing certificates

The CA/B Forum requires that Code signing certificates’ private keys be stored on a device certified for FIPS 140-2 Level 2 or Common Criteria Level EAL4+ standards. Therefore, it is no longer possible to obtain a certificate in a PFX file, it can only be saved on an HSM or token.

The token solution is cheap and easy, but its use is incompatible with automation and team use. You have to enter the token password every time you sign, and there is no way around it even by using it on the server. Buying a hardware HSM is expensive and unnecessary for many companies because they will not use it. Fortunately, there is a way to solve key storage in a modern, simple and cheap way.

KeyLocker is a cloud key storage

KeyLocker is a simple service using the DigiCert ONE platform. Your Code signing certificate will be stored in the cloud together with the private key, and you will not have to worry about its security. It will be available to you anywhere.

Signing then takes place using libraries from DigiCert, which allow the signing application to access the HSM cloud. Only hash-signing is used, which is fast and efficient for data transfer.

Benefits of cloud HSM

DigiCert KeyLocker delivers:

  • Certificate storage meeting strict FIPS 140-2 Level 3 certification.
  • Key generation, its storage and protection, all without waiting for the token and its limitations.
  • A cloud service that allows you to access keys and sign from anywhere.
  • Seamless integration with automated CI/CD tools.
  • Each KeyLocker purchased allows you to create 1,000 signatures during the validity of the given CS certificate. If you need more, additional units can easily be purchased.
  • Thanks to KeyLocker, you can automate code signing, but most importantly, you do not need to purchase a hardware HSM. Buying an HSM is expensive and with DigiCert KeyLocker you save. Plus, you get the freedom to sign from anywhere.

    How you can get KeyLocker

    You can get DigiCert KeyLocker for Code Signing or for a Code Signing EV certificate. When ordering a Code Signing certificate, in addition to the token and HSM, you can also choose storage. For a small additional fee, KeyLocker will be activated and the issued certificate will already be uploaded to the KeyLocker account. You get access to it automatically after the certificate is issued.

    Ceník DigiCert KeyLocker price list

    KeyLocker is purchased as an additional service to the Code signing certificate. One KeyLocker means 1000 crypto operations; if you use them up, you can easily buy other units.

    To get KeyLocker, please email us.

    KeyLocker cloud HSM

    • Price when purchased from CA: $249
    • Allows you to perform 1000 signature operations
    • Automatically set up on DigiCert ONE account
    Write us

    Prices are without VAT.

    FAQ - Frequently Asked Questions:

    DigiCert ONE is a comprehensive PKI platform. Within the Software Trust Manager component, you can get a solution that enables comprehensive management of signing certificates, access and rights management, and many other functions. More information can be found on the Software Trust Manager product page.

    KeyLocker is a simple service focused on storing and accessing keys in the cloud. It does not bring you Software Trust Manager or its advanced features, it works simply. However, both services allow automatic signing and integration into CI/CD tools.
    KeyLocker allows you to perform 1000 crypto operations; a limit applies to signing. Signing one unique hash exhausts one crypto operation; therefore, you will not exhaust the crypto operation by repeatedly signing the same unchanged version of the file.
    When you exhaust the limit of signatures provided by KeyLocker for a specific Code Signing certificate, you can simply buy another KeyLocker and 1000 operations. You can purchase n-KeyLockers as needed for one Code signing certificate.
    You can find all the information in the KeyLocker documentation in the CI/CD integrations section.
    KeyLocker allows you to sign a variety of files, especially applications, executable files and libraries. You can find a complete list in the documentation.