Create a Built-in Account

A built-in account is used to authenticate the Code Sign Client on a signing machine. Built-in Accounts provide the credentials that allow users and automated systems (such as CI/CD pipelines) to perform signing operations through Next-Gen Trust Security.
If you haven't set up a built-in account before, going through the tutorial first may be helpful.

Before You Begin

  • The Code Sign Client will need to be installed and available on the signing workstation.

To Create a Built-in Account

  1. Sign in to Next-Gen Trust Security.
  2. Click System Settings > Built-in Accounts.
  3. Click New.
  4. In the Use Case section, select Code Sign Manager. Click Continue.
  5. In the Details section, do the following:
    1. Give the built-in account a descriptive Name.
    2. Enter the number of days that this account will be valid for.
    3. Select an authentication method.
      What are the implications of each method?
      The difference between these two methods comes down to where the key pair is generated.
      • Auto-generate a keypair and download the private key -- The key pair is generated in the UI. You must copy and save the private key as a PEM file on the signing machine and use it to authenticate the Code Sign Client. This method is less secure because the private key is transmitted through the UI and exists outside the signing machine, but it allows you to log out and log back in without generating a new key pair.
      • Generate your own keypair and upload the public key -- The key pair is generated on the signing machine by the Code Sign Client. You then paste the public key into the UI. This method is more secure because the private key never leaves the signing machine, but logging out requires generating a new key pair (and updating the account's public key) to log in again.
  6. Complete the remaining steps based on the authentication method you selected.
    Note: The command examples in this section use the pkcs11config utility. If you are using a different utility, adjust the commands accordingly.
    Auto-generate a keypair and download the private key
    1. Click Create.
    2. Copy the Private Key.
    3. On the signing machine, create a PEM file (such as key.pem) and paste the private key into that file. Save the file. This file, together with the Client ID, is what authenticates the account, so restrict its permissions to the user that runs the Code Sign Client and keep it out of source control.
    4. Return to the UI. Click Finish. The Built-in Accounts inventory page opens.
    5. From the Built-in Accounts inventory page, copy the Client ID for this account.
    6. On the signing machine, run the following command:
      pkcs11config login --host <tsg-id>.ngts.paloaltonetworks.com --clientid <clientID> --keyfile <keyfile-name>
    Generate your own keypair and upload the public key
    1. On the signing machine, run the following command to generate a key pair:
      pkcs11config login --host <tsg-id>.ngts.paloaltonetworks.com --generate
      The client prints the public key and waits for further input.
    2. Copy the displayed public key.
    3. Return to the UI. Click Continue. Paste the public key, and then click Finish. The Built-in Accounts inventory page opens.
    4. From the Built-in Accounts inventory page, copy the Client ID for this account.
    5. Return to the Code Sign Client and press Enter.
    6. Paste the Client ID, and then press Enter.
  7. (Optional) Verify your configuration:
    pkcs11config option show
    Your result should look similar to the following:
    INFO: User configuration holds 9 values:
    Name                           │ Value
    ───────────────────────────────┼───────────────────────────────────────────────────────────────────
    ACCESS EXPIRES                 │ 1765225693
    AUTHENTICATION PRIVATE KEY PEM │ <365 characters redacted>
    HSM SERVER URL                 │ https://<tsg-id>.ngts.paloaltonetworks.com/vedhsm/
    ACCESS TOKEN                   │ <24 characters redacted>
    SUPPORTS API KEY               │ true
    AUTH SERVER URL                │ https://<tsg-id>.ngts.paloaltonetworks.com/
    CREDENTIAL EXPIRES             │ 1765311162
    CSC SERVER URL                 │ https://<tsg-id>.ngts.paloaltonetworks.com/cyberark-code-sign-client/
    CLIENT ID                      │ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
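The steps above are what an operator types by hand; in a CI/CD pipeline the same procedure has to be scripted. The following script is an added example, not part of the Next-Gen Trust Security documentation or the Code Sign Client: it writes the downloaded private key to a file that only the runner's user can read, logs in with pkcs11config when the client is installed, and parses the output of `pkcs11config option show` to refuse a session whose access token is about to expire. The variable names NGTS_PRIVATE_KEY, NGTS_TSG_ID and NGTS_CLIENT_ID are hypothetical, the sample output is constructed, and the script assumes that ACCESS EXPIRES and CREDENTIAL EXPIRES are Unix epoch seconds.

```shell
#!/bin/sh
# Added example (not from the NGTS documentation): stage a built-in account
# private key for the Code Sign Client on a CI runner and sanity-check the
# session. Assumes the PEM arrives in $NGTS_PRIVATE_KEY, the TSG ID in
# $NGTS_TSG_ID and the Client ID in $NGTS_CLIENT_ID (all hypothetical names),
# and that ACCESS EXPIRES / CREDENTIAL EXPIRES are Unix epoch seconds.
set -eu

# Write the PEM to a fresh file that only the current user can read. The
# private key in this flow has passed through the UI and a CI secret store,
# so file permissions are the last line of defence on the signing machine.
write_keyfile() {
  dest=$1; pem=$2
  mkdir -p "$(dirname "$dest")"
  rm -f "$dest"                       # umask only applies to newly created files
  ( umask 077; printf '%s\n' "$pem" > "$dest" )
  mode=$(stat -c %a "$dest" 2>/dev/null || stat -f %Lp "$dest")
  [ "$mode" = "600" ]                 # fail the job rather than sign with a leaky key file
}

# Print one value from `pkcs11config option show` output read on stdin.
# Rows look like "ACCESS EXPIRES  │ 1765225693"; the box-drawing bar separates columns.
option_value() {
  want=$1
  while IFS= read -r line; do
    case $line in *│*) ;; *) continue ;; esac
    name=${line%%│*}; value=${line#*│}
    name=${name#"${name%%[![:space:]]*}"}; name=${name%"${name##*[![:space:]]}"}
    value=${value#"${value%%[![:space:]]*}"}; value=${value%"${value##*[![:space:]]}"}
    if [ "$name" = "$want" ]; then printf '%s\n' "$value"; return 0; fi
  done
  return 1
}

# Seconds left before an epoch timestamp (second argument defaults to now);
# returns non-zero if it has already passed.
seconds_until() {
  expires=$1; now=${2:-$(date +%s)}
  [ "$expires" -gt "$now" ] || return 1
  echo $((expires - now))
}

# Constructed sample of `pkcs11config option show` output so the checks below
# can run without a live tenant; a real run replaces it with the tool's output.
SAMPLE_OUTPUT='INFO: User configuration holds 9 values:
Name                           │ Value
───────────────────────────────┼───────────────────────────────────
ACCESS EXPIRES                 │ 1765225693
CREDENTIAL EXPIRES             │ 1765311162
CLIENT ID                      │ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

# Log in (only when the client is installed) and refuse to continue if the
# access token expires within the next hour, so a long signing job does not
# fail halfway through.
login_and_check() {
  keyfile=$1
  if command -v pkcs11config >/dev/null 2>&1; then
    pkcs11config login --host "${NGTS_TSG_ID}.ngts.paloaltonetworks.com" \
      --clientid "$NGTS_CLIENT_ID" --keyfile "$keyfile"
    out=$(pkcs11config option show)
  else
    out=$SAMPLE_OUTPUT
  fi
  expires=$(printf '%s\n' "$out" | option_value 'ACCESS EXPIRES')
  left=$(seconds_until "$expires") || { echo "access token already expired" >&2; return 1; }
  [ "$left" -ge 3600 ] || { echo "access token expires in ${left}s, re-login first" >&2; return 1; }
  echo "session valid for ${left}s; client id $(printf '%s\n' "$out" | option_value 'CLIENT ID')"
}

# Entry point for a CI job: only runs when the secret has been injected.
if [ "${NGTS_PRIVATE_KEY:-}" ]; then
  write_keyfile "$HOME/.ngts/key.pem" "$NGTS_PRIVATE_KEY"
  login_and_check "$HOME/.ngts/key.pem"
fi
```

The key file is recreated on every run so that a stale copy with wider permissions can never be reused, and the expiry check reads the same ACCESS EXPIRES field shown in the verification output above rather than assuming the login succeeded.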

What's Next

Continue with Connect a certificate authority if you need to use a public or external CA. Otherwise, proceed to Create a Signing Key.