@sgn_GSI i did a quick scan of DigiCert's web site for KeyLocker: https://knowledge.digicert.com/solution/digicert-keylocker
Sounds like KeyLocker performs in the same role as the USB token - as in, KeyLocker wld hold the private keys but in the cloud. Note step 9: "Your certificate is issued and associated with the key generated and stored in KeyLocker"...
so probably a similar workflow as with a USB - once u sign up w/KeyLocker, they say u get a certificate without private keys that u then use for signing (I assume it goes in the store? same as w/ a USB) and the actual request for the private key during signing wld most likely trigger the call to the KeyLocker?
The designated "KeyLocker lead" is, I guess, whoever has the password allowing sign in to the KeyLocker (step 10) and who, presumably, is responsible for the signing.
Looks like they charge u for each signing (in batches of 1000) tho rather than a one time purchase cost of a USB based token or similar hardware device (w/ unlimited use until the certificate expires). However, there is the convenience of not needing a physical USB or smart card or other device.
Obviously, with these new workflows, automated signing/unattended signing is prob going to be a problem as signing cld require a pwd/PIN each time (whether KeyLocker or USB). With KeyLocker it sounds like u have to be careful too if u r running multiple builds w/signing as u cld quickly burn through your 1000 signings limit.