Install and Configure the Code Sign Client

The Code Sign Client is the command-line tool that developers, release engineers, and CI/CD systems use to sync Signing Key references from Next-Gen Trust Security to a signing workstation. The keys themselves always stay in their secure storage location (AWS KMS or Built-In Key Storage), and the use of the keys is governed by policies set in Next-Gen Trust Security.
The Code Sign Client includes native sign and verify capabilities, but these are intended primarily for testing purposes. For production signing, integrate the client with your preferred signing application (such as signtool, jarsigner, or cosign).

Available Clients

The Code Sign Client is available in two forms:
  • PKCS#11 client (pkcs11config) -- available on Linux, macOS, and Windows
  • CSP/KSP client (cspconfig) -- available on Windows only
Both clients provide the same signing capabilities and support the same command options. The primary difference is the underlying cryptographic provider they integrate with:
  • pkcs11config uses a PKCS#11 module for signing
  • cspconfig integrates with the Windows Cryptographic Service Provider (CSP) and Key Storage Provider (KSP) frameworks
Most users and CI/CD systems can use the PKCS#11 client (pkcs11config) regardless of operating system. If you are signing on Windows and prefer to use the CSP/KSP ecosystem, you may use cspconfig instead. All examples in this documentation use pkcs11config.

System Requirements

Windows
  • .NET Framework 4.8
  • Windows 10 or later
  • Windows Server 2016 or later
Linux (tested distributions)
  • Debian 9 and later
  • Ubuntu 16.04 and later
  • CentOS Stream 8 and later
  • Red Hat Enterprise Linux (RHEL) 7 and later
macOS
  • Monterey 12 and later

Download and Install

You can download the Code Sign Client from the Next-Gen Trust Security UI.
  1. Sign in to Next-Gen Trust Security.
  2. Click Insights > Signing Keys.
  3. Select any Signing Key to open its details drawer.
  4. Select the Client installation tab.
  5. Choose the installer for your operating system (Windows, macOS, or Linux).
Each platform-specific installer includes instructions for both GUI and command-line installation.

Configure Host URLs

When you authenticate using pkcs11config login, the host URLs are set automatically. If you need to explicitly set or correct the URLs after authentication, use the seturls command:

    pkcs11config seturls --hostname <tsg-id>.ngts.paloaltonetworks.com

This sets all required URLs (authentication, HSM, and update service) based on your TSG endpoint.
To verify your current URL configuration:

    pkcs11config option show
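
A CI job can pin the client to one expected endpoint before any signing step, so that a mistyped or tampered hostname never receives authentication traffic. The script below is an added example, not part of the product documentation: the function names, the TSG ID 1234567890 and the sample text are constructed, and it assumes only that `pkcs11config option show` prints its URLs as plain text.

```shell
#!/bin/sh
# Added example (not vendor code): pin the Code Sign Client to one TSG endpoint.
NGTS_SUFFIX=".ngts.paloaltonetworks.com"   # suffix from the seturls example
# Constructed sample text; the real layout of `option show` output is not assumed.
SAMPLE_CONFIG='url-a https://1234567890.ngts.paloaltonetworks.com/a
url-b https://1234567890.ngts.paloaltonetworks.com:443/b'

# valid_ngts_hostname HOST: succeed only for <single-label>.ngts.paloaltonetworks.com
valid_ngts_hostname() {
    case "$1" in
        *"$NGTS_SUFFIX") ;;
        *) return 1 ;;
    esac
    label=${1%"$NGTS_SUFFIX"}
    # Reject empty labels and anything that is not a plain DNS label, so dots,
    # slashes, '@' or whitespace cannot smuggle in a different host.
    case "$label" in
        ""|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# urls_match_host HOST: read text on stdin; succeed only if it contains at
# least one URL and every URL's host equals HOST (fails closed on no URLs).
urls_match_host() {
    urls=$(grep -Eo 'https?://[^[:space:]"]+' || true)
    [ -n "$urls" ] || return 1
    bad=$(printf '%s\n' "$urls" | awk -v want="$1" '{
        h = $0
        sub("^https?://", "", h)   # drop scheme
        sub("[/?#].*$", "", h)     # drop path, query, fragment
        sub("^.*@", "", h)         # drop userinfo
        sub(":[0-9]+$", "", h)     # drop port
        if (tolower(h) != tolower(want)) print $0
    }')
    if [ -n "$bad" ]; then
        printf 'unexpected endpoint: %s\n' "$bad" >&2
        return 1
    fi
}

# pin_endpoint HOST: validate, apply with the documented seturls command, then
# re-read the configuration and confirm every URL points at HOST.
pin_endpoint() {
    valid_ngts_hostname "$1" || { echo "refusing hostname: $1" >&2; return 1; }
    pkcs11config seturls --hostname "$1" || return 1
    pkcs11config option show | urls_match_host "$1"
}
```

Call pin_endpoint with the expected hostname ahead of the signing step and fail the job on a non-zero exit status.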

Additional Resources

For detailed documentation on proxy configuration, trace logging, the full CLI reference, and sample integrations, see the Code Sign Client documentation in Dev Central: