How to Acquire a Code Signing Certificate for Windows (DigiCert)

This guide documents the step-by-step process to acquire and install a Code Signing certificate for Microsoft Windows from DigiCert.

We recommend using DigiCert for all professional Windows development. Start this process early, since the verification with your identity manager will take some time.

When to consider Certum: You should only opt for signing with Certum if minimizing costs is your primary requirement and you do not require automated continuous integration support. Certum is significantly cheaper, but their signing process relies on manual interventions, such as re-logging into the signing app on your build machine when processing build jobs.


Prerequisites

Before purchasing a DigiCert certificate, ensure you have the following:

  • Legal Entity Existence: Your organization must be a legally registered entity (e.g., LLC, GmbH, Inc.) verified in public government records.
  • Verified Contact: You will need a person within the organization who can answer a verification phone call on a publicly listed business phone number.

Step 1: Purchase the Certificate

Note: Since June 2023, industry standards require all code signing private keys to be stored on FIPS-compliant hardware. You cannot “download” a key to your desktop browser.

  1. Navigate to the DigiCert Code Signing Page.
  2. Select Certificate Type:
    • EV (Extended Validation): Recommended for kernel-mode drivers and immediate reputation with Microsoft SmartScreen.
    • OV (Organization Validation): Standard signing for applications.
  3. Select Delivery Method (Crucial Decision):
    • DigiCert KeyLocker (Cloud HSM): Recommended. The private key is stored in DigiCert’s cloud. You sign via an API/Client tool. This enables you to sign code from anywhere and easily integrate into CI/CD pipelines without plugging in a USB stick.
    • Hardware Token: DigiCert ships you a physical USB stick (SafeNet eToken). You must physically plug this into the computer to sign code.

    Note: If you own an already approved device, select “My Own Qualified Hardware Token”.


Step 2: Organization Validation

After payment, DigiCert must validate your identity. This is a manual process.

  1. Submit Documents: Log in to your CertCentral account. Check the “Tasks” list. You may need to upload business registration documents.
  2. Telephone Verification: DigiCert will call a verified public phone number associated with your business to confirm you requested the certificate.

Step 3: Installation & Setup

Follow the path below corresponding to the delivery method you chose in Step 1.

Path A: KeyLocker (Cloud / CI/CD)

Complete these steps in order. Each step links to the relevant DigiCert documentation.

1. Install KeyLocker Client Tools

Download and install the DigiCert KeyLocker Tools on your build machine. See KeyLocker Setup Guide — Download tools.

2. Generate credentials

From your DigiCert ONE account, create the following and keep them ready for the following steps:

  • An API key
  • A client authentication certificate (.p12 file) and its password
  • The keypair alias of your code signing certificate

3. Set environment variables

Register the credentials from step 2 as system environment variables so that smctl and the KSP can authenticate. See Persistent environment variables (Windows).

| Variable | Value |
|---|---|
| SM_API_KEY | Your API key |
| SM_CLIENT_CERT_FILE | Full path to the .p12 certificate (e.g. C:\codesign\cert.p12) |
| SM_CLIENT_CERT_PASSWORD | Certificate password |
| SM_HOST | https://clientauth.one.digicert.com |

Then add the KeyLocker Tools directory to your PATH:

set PATH=%PATH%;C:\Program Files\DigiCert\DigiCert Keylocker Tools

4. Sync the certificate

Run the following command to sync the cloud-hosted certificate into the local Windows certificate store:

smctl windows certsync --keypair-alias=<keypair-alias>

Replace <keypair-alias> with the alias obtained in step 2.

The output will contain the certificate fingerprint (thumbprint). Note it down — you will need it in Step 4 to configure Gorilla Compiler.
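The following PowerShell script is an added example that carries out steps 3 and 4 above in one run; it is not the SDK's install.ps1. It persists the four SM_* variables at machine scope (so it must run from an elevated PowerShell), appends the tools directory to PATH only once, runs the certsync command, and then reads the thumbprint straight from the Windows certificate store instead of parsing smctl's output. The same Get-ChildItem lookup also works for a hardware token (Path B). It assumes the synced certificate lands in CurrentUser\My with a Code Signing EKU.

```powershell
# Added example, not the SDK's install.ps1. Run from an elevated PowerShell.
param(
    [Parameter(Mandatory)][string]$SmApiKey,
    [Parameter(Mandatory)][string]$SmClientCertFile,
    [Parameter(Mandatory)][string]$SmClientCertPassword,
    [Parameter(Mandatory)][string]$KeypairAlias
)
$ToolsDir = 'C:\Program Files\DigiCert\DigiCert Keylocker Tools'

# Fail early if the client certificate path is wrong; smctl would fail later with a less clear error.
if (-not (Test-Path -LiteralPath $SmClientCertFile)) {
    throw "Client certificate not found: $SmClientCertFile"
}

# Machine-scoped variables so a build agent running under another account also sees them.
$vars = @{
    SM_API_KEY              = $SmApiKey
    SM_CLIENT_CERT_FILE     = $SmClientCertFile
    SM_CLIENT_CERT_PASSWORD = $SmClientCertPassword
    SM_HOST                 = 'https://clientauth.one.digicert.com'
}
foreach ($name in $vars.Keys) {
    [Environment]::SetEnvironmentVariable($name, $vars[$name], 'Machine')
    Set-Item -Path "Env:$name" -Value $vars[$name]   # also visible in this session
}

# Append the tools directory to the machine PATH only if it is not already there.
$machinePath = [Environment]::GetEnvironmentVariable('PATH', 'Machine')
if (($machinePath -split ';') -notcontains $ToolsDir) {
    [Environment]::SetEnvironmentVariable('PATH', "$machinePath;$ToolsDir", 'Machine')
}
$env:PATH = "$env:PATH;$ToolsDir"

# Sync the cloud-hosted certificate into the local store (the command from step 4).
& smctl windows certsync "--keypair-alias=$KeypairAlias"
if ($LASTEXITCODE -ne 0) { throw "smctl certsync failed with exit code $LASTEXITCODE" }

# Assumption: the synced certificate appears in CurrentUser\My with a Code Signing EKU.
# Pick the newest one with a private key and report its thumbprint for Gorilla Compiler.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.FriendlyName -contains 'Code Signing') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No code signing certificate with a private key found in CurrentUser\My' }
"Subject:    $($cert.Subject)"
"Expires:    $($cert.NotAfter)"
"Thumbprint: $($cert.Thumbprint)"
```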


Automated setup

We provide an install.ps1 script that performs steps 3 – 4 automatically. The script can be found in the /tools/Gorilla Compiler - Digicert Helper folder of the SDK installation directory.

To run it, right-click PowerShell and select Run as Administrator. You can pass all values as arguments:

.\install.ps1 -SmApiKey "<api-key>" `
              -SmClientCertFile "C:\codesign\cert.p12" `
              -SmClientCertPassword "<cert-password>" `
              -KeypairAlias "<keypair-alias>"

Or simply run .\install.ps1 — the script will prompt for each value interactively.

On success, the script output will display the certificate fingerprint. Note it down for Step 4.

Path B: Hardware Token (USB)

Use this if you received a USB stick in the mail.

  1. Install Drivers: Download and install the SafeNet Authentication Client drivers.
  2. Plug in Token: Insert the USB token.
  3. Change Password: Open the SafeNet client. The default password is usually provided in the shipping email (often 1234567890). Change this immediately.
  4. Certificate Verification: If the token came pre-loaded, you are done. If you see an “Initialize” option in CertCentral, you may need to run the DigiCert Hardware Certificate Installer.

Step 4: Adding your certificate to Gorilla Compiler

Once set up, make sure you have downloaded the latest Gorilla Engine SDK and can log into the included Gorilla Compiler.

Locating the certificate fingerprint

KeyLocker (Path A): Use the fingerprint from the smctl windows certsync output in Step 3.

Hardware Token (Path B): Open the Microsoft Certificate Manager (certmgr.exe), locate your certificate under Personal > Certificates, and copy the fingerprint (thumbprint) from the certificate details.

The fingerprint looks like, for example, b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9.

Paste the fingerprint into Gorilla Compiler and fill in the remaining fields. Your signing setup is now complete.