
Create a service account

Using a service account with Code Sign Manager enables automated, non-human code signing operations where the service account acts as an authorized signer. This allows applications, CI/CD pipelines, or other automated systems to sign code or artifacts without requiring user API keys.

This article is specific to setting up a service account for Code Sign Manager. If you haven't set up a service account for code signing before, going through the service account tutorial first may be helpful.

Before you begin

  • You will need a team that can be assigned as the owning team on the service account.
  • The Code Sign Client will need to be installed and available on the signing workstation.

To configure a service account for Code Sign Manager

  1. Sign in to Certificate Manager - SaaS.

  2. Click Settings > Service Accounts.

  3. Click New.

  4. In the Use Case section, select Code Sign Manager. Click Continue.

  5. In the Details section, do the following:

    1. Give the service account a descriptive Name. This name will appear as an Authorized Signer you can select when creating a Project.
    2. Select the Owning Team.
    3. Enter the number of days that this account will be valid for.
    4. Select an authentication method.

      What are the implications of each method?

      The difference between these two methods comes down to how you want to generate the key pair.

      • Auto-generate a keypair and download the private key - This method generates the key pair in the UI. Once it is generated, you copy the private key, save it as a PEM file on the Code Sign Client, and then use that file to authenticate the Code Sign Client.

      • Generate your own keypair and upload the public key - This method generates a key pair using the Code Sign Client. You will then copy the public key and paste it into the UI in the next step.

    5. Select the Scope for this service account. Currently, the Codesign Service Account Authorized Signer Scope is the only scope available.

    6. Click Continue.

  6. Complete the Credentials section. The steps to complete this section will depend on which authentication method you selected above.

    Note

    The command examples in this section use the pkcs11config utility and the U.S. region URL for the host. If you're using a different utility or are in a different region, adjust the commands as applicable.

    Auto-generate a keypair and download the private key

    1. From the Credentials section, copy the Private Key.
    2. On the Code Sign Client, create a PEM file (such as key.pem) and paste the private key into it. Save the file.
    3. Return to the UI, and click Finish. The Service Accounts inventory page opens.
    4. From the Service Accounts inventory page, copy the Client ID for this service account.
    5. Return to the Code Sign Client, and run the following command:
      pkcs11config login --host api.venafi.cloud --clientid <clientID> --keyfile <keyfile-name>

    Generate your own keypair and upload the public key

    1. From the Code Sign Client, run the following command to generate a key pair:

      pkcs11config login --host api.venafi.cloud --generate

      The public key is displayed on the client screen.

    2. Copy the public key.

    3. Return to the UI. In the Credentials section, paste the public key, and then click Finish. The Service Accounts inventory page opens.
    4. From the Service Accounts inventory page, copy the Client ID for this service account.
    5. Return to the Code Sign Client and press Enter.
    6. Paste the Client ID, and then press Enter.
  7. (Optional) Verify your configuration:

    pkcs11config option show

    Your result should look similar to the following:

    INFO: User configuration holds 9 values:
    Name                           │ Value
    ───────────────────────────────┼───────────────────────────────────────────────────
    ACCESS EXPIRES                 │ 1765225693
    AUTHENTICATION PRIVATE KEY PEM │ <365 characters redacted>
    HSM SERVER URL                 │ https://api.venafi.cloud/vedhsm/
    ACCESS TOKEN                   │ <24 characters redacted>
    SUPPORTS API KEY               │ true
    AUTH SERVER URL                │ https://api.venafi.cloud/
    CREDENTIAL EXPIRES             │ 1765311162
    CSC SERVER URL                 │ https://dl.venafi.cloud/cyberark-code-sign-client/
    CLIENT ID                      │ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
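    A pipeline that signs with this service account can run the same verification before each job and fail early when the login is about to lapse. The following is an added example, not part of this article or the Code Sign Client: it parses the table printed by pkcs11config option show (the format shown above, reproduced as a constructed sample with the same placeholders) and reports whether the ACCESS EXPIRES and CREDENTIAL EXPIRES timestamps leave enough validity; the 24-hour lead time is an assumed policy, and the function names are the example's own.

```python
"""Pre-flight check for a Code Sign Client service-account login: parse the
table printed by `pkcs11config option show` (format as in this article) and
check that ACCESS EXPIRES / CREDENTIAL EXPIRES leave enough time for a job.
Sample output is constructed; the 24 h lead time is an assumed policy."""
import re, time

SAMPLE_OUTPUT = """INFO: User configuration holds 9 values:
Name                           │ Value
───────────────────────────────┼───────────────────────────────────────────────────
ACCESS EXPIRES                 │ 1765225693
AUTHENTICATION PRIVATE KEY PEM │ <365 characters redacted>
HSM SERVER URL                 │ https://api.venafi.cloud/vedhsm/
ACCESS TOKEN                   │ <24 characters redacted>
SUPPORTS API KEY               │ true
AUTH SERVER URL                │ https://api.venafi.cloud/
CREDENTIAL EXPIRES             │ 1765311162
CSC SERVER URL                 │ https://dl.venafi.cloud/cyberark-code-sign-client/
CLIENT ID                      │ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
"""

# One "NAME │ value" row; the INFO line, the "Name │ Value" header and the rule line do not match.
ROW = re.compile(r"^(?P<name>[A-Z][A-Z ]+?)\s*│\s*(?P<value>.*?)\s*$")
SEVERITY = ("ok", "expiring", "expired", "invalid")

def parse_option_show(text):
    """Return the configuration table as {name: value}."""
    rows = (ROW.match(line) for line in text.splitlines())
    return {m.group("name"): m.group("value") for m in rows if m}

def check_credentials(text, now=None, min_remaining=24 * 3600):
    """Classify the login as ok / expiring / expired / invalid for a job that
    starts at Unix time `now` and needs `min_remaining` seconds of validity."""
    now = int(time.time()) if now is None else now
    cfg = parse_option_show(text)
    status, problems = "ok", []
    for key in ("ACCESS EXPIRES", "CREDENTIAL EXPIRES"):
        value, worst = cfg.get(key, ""), "ok"
        if not value.isdigit():
            problems.append(f"{key} missing: run `pkcs11config login` again")
            worst = "invalid"
        elif (remaining := int(value) - now) <= 0:
            problems.append(f"{key} passed {-remaining} s ago")
            worst = "expired"
        elif remaining < min_remaining:
            problems.append(f"{key} in {remaining} s (< {min_remaining} s)")
            worst = "expiring"
        status = max(status, worst, key=SEVERITY.index)
    # Report only the client ID; the access token and private key stay out of job logs.
    return {"status": status, "client_id": cfg.get("CLIENT ID"), "problems": problems}
```

In a real pipeline, feed the function the live output of pkcs11config option show (for example via subprocess) instead of SAMPLE_OUTPUT, and stop the job when the status is anything other than "ok".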

What's next

Next, assign the service account to a Project by creating a project or adding it to an existing one. Continue with Create a Code Sign Project.