Order your Document Signing for Employee certificate

CertCentral: Learn how to get your Document Signing for Employee certificate

With a Document Signing for Employee certificate, apply electronic signatures. Your signature assures recipients that the document is from an employee or company representative and hasn’t been altered. DigiCert document signing certificates are compatible with Adobe Acrobat, DocuSign, Microsoft Office, OpenOffice, and LibreOffice documents.

Before you begin

Key provisioning options

When ordering your Document Signing for Individual certificate, you must select your key provisioning method. The provisioning method refers to where you store the private key and certificate. For the security of your document signing certificate, you must install and use your certificate from an approved device.

  • Hardware token: With this option, buy a token from DigiCert or use your own:

    • DigiCert-provided hardware token—nonrefundable

      When you submit your request, we send the hardware token to the address included in your order.

    • Use your own DigiCert-supported FIPS 140-2 Level 2 hardware token

      • SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size

      • SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096 and ECC p-256 and p-384 key sizes

    • Use the DigiCert Trust Assistant to initialize your token, if needed, and install your certificate on it. See the Certificate issuance section of this article.

  • Hardware security module (HSM): With this option, use your own Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM.

    • Generate the private key on your HSM and add the certificate signing request (CSR) to your request. Refer to your HSM vendor instructions for generating the CSR.

    • Document Signing certificates support the following algorithms and key lengths:

      • RSA 2048, 3072, and 4096

      • ECC p-256 and p-384

    • DigiCert sends the certificate requester an agreement email. This email is to ensure your private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM, or equivalent.

    • See the Certificate issuance section of this article.
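A pre-submission check for an HSM-generated CSR, written as an added example (it is not DigiCert code or part of CertCentral): it confirms the NEW CERTIFICATE REQUEST tags that the order form requires and that the public key uses one of the algorithms and key lengths listed above. The function names are illustrative, the parser reads only the fields it needs, and `sample_csr` builds an unsigned, constructed CSR skeleton for testing rather than a real request.

```python
# Added example, not DigiCert code; all helper names are illustrative.
import base64
import re

BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"\s+(.+?)\s+" + re.escape(END), re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")        # rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")             # id-ecPublicKey
CURVES = {bytes.fromhex("2a8648ce3d030107"): "ECC p-256",
          bytes.fromhex("2b81040022"): "ECC p-384"}

def read_tlv(buf, pos=0):
    """Read one DER element; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # element values inside a SEQUENCE
    out, pos = [], 0
    while pos < len(value):
        _, val, pos = read_tlv(value, pos)
        out.append(val)
    return out

def check_csr(pem_text):
    """Return (accepted, detail) for a PEM CSR against the article's rules."""
    m = PEM_RE.search(pem_text)
    if not m:
        return False, "missing NEW CERTIFICATE REQUEST tags"
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        info = children(read_tlv(der)[1])[0]          # CertificationRequestInfo
        alg, key_bits = children(children(info)[2])   # SubjectPublicKeyInfo
        alg_parts = children(alg)
        if alg_parts[0] == RSA_OID:
            rsa_key = read_tlv(key_bits, 1)[1]        # skip unused-bits octet
            size = int.from_bytes(children(rsa_key)[0], "big").bit_length()
            return size in (2048, 3072, 4096), f"RSA {size}"
        if alg_parts[0] == EC_OID:
            name = CURVES.get(alg_parts[1])
            return name is not None, name or "unsupported ECC curve"
        return False, "unsupported key algorithm"
    except (ValueError, IndexError):
        return False, "not a parseable CSR"

def tlv(tag, value):
    """Encode one DER element; only used to build the constructed samples."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_csr(alg_params, key_bytes):
    """Constructed, unsigned CSR skeleton carrying the given public key."""
    spki = tlv(0x30, tlv(0x30, alg_params) + tlv(0x03, b"\x00" + key_bytes))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"
```

To check a real request, pass the text of the CSR file exported from your HSM to `check_csr`; the signature is not verified, only the tags and the key parameters.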

Organization validation

Before DigiCert can issue your Document Signing for Employee certificate, we must validate the organization for DS - Document Signing Validation. Organization validation is valid for 825 days. See How do we validate your organization.

Use one of the following options to validate your organization:

  • Prevalidate the organization.

    CertCentral features an organization prevalidation process that allows you to validate your organization before ordering certificates. Doing the organization validation ahead of time allows for quicker certificate issuance. See Submit an organization for prevalidation.

  • Validate the organization as part of the order process.

    If adding a new organization or one with expired DS - Document Signing Validation, DigiCert does the organization validation as part of the order process.

Organization attestation requirement

When you add a subject individual, your organization attests the individual is a valid employee or company representative and is included in official company registries. In other words, your organization is the registration authority for the individuals ordering these certificates. DigiCert validates your organization, not the individuals.

Order a Document Signing for Employee certificate

  1. In CertCentral, in the left menu, go to Request a Certificate > Document Signing Certificates > Document Signing for Employee.

  2. On the Request Document Signing for Employee Certificate page, in the For menu, select the division to manage the certificate.

    The For menu appears if using Divisions in your account.

  3. Certificate validity

    In the Certificate Settings section, under Certificate validity, select a validity period for the certificate: 1 year, 2 years, 3 years, Custom expiration date, or Custom length.

  4. Key provisioning method

    The provisioning method refers to where you store the certificate and its private key. For the security of your Document Signing certificate, the certificate must be installed on and used from an approved device.

    Select the key provisioning method for your Document Signing for Individual certificate.

    • DigiCert-provided hardware token (nonrefundable)

      DigiCert sends a hardware token with instructions for installing the certificate on it.

      Then, under Shipping address, add your mailing information: your name and the address where you want us to send the hardware token.

    • Use existing token

      When DigiCert issues your document signing certificate, you must install the certificate on your own DigiCert-supported hardware token.

      DigiCert-supported hardware tokens:

      • SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size

      • SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096 and ECC p-256 and p-384 key sizes

    • Install on an HSM

      When DigiCert issues your document signing certificate,To

      1. Select Yes under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM?

      2. In the Add your CSR box, upload your CSR or add it to the box.

        Document signing certificates must use an RSA key that is at least 2048 bits in length to remain secure.

        Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

      DigiCert sends the certificate requester an agreement email. This email is to ensure your private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM, or equivalent.

      DigiCert can’t issue the certificate unless the requester agrees to the private key protection requirement.

  5. Organization

    You can add an existing organization from your account or a new organization. If you add a new organization, it’s added to CertCentral.

    Under Organization, select Add an organization. In the Add organization window, complete one of the following tasks as needed:

    1. Add an existing organization

      1. Select An existing organization.

      2. In the menu, select the organization and then select Add.

        If using an organization not validated for DS - Document Signing Validation, or one with expired validation, DigiCert validates the organization as part of the certificate issuance process.

      3. Organization and technical contacts

        DigiCert automatically adds the contacts assigned to the organization to the request form. To see the organization and technical contacts, select Show organization contacts.

    2. Add a new organization

      Accurate organization information makes validating your organization easier, leading to faster certificate issuance. Verify organization details are correct, including spelling and punctuation.

      1. Select A new organization and select Next.

      2. Organization address details

        Enter the following organization information as needed.

        Legal name

        Organization name exactly as it appears in corporate registries, such as local government registration records.

        Assumed name (optional)

        Assumed name or doing business as name. You don’t need to include an assumed name. You can leave this box empty.

        Note: Adding an assumed name requires more validation, which may delay organization validation and certificate issuance.

        Country

        Country where the organization is legally found.

        Address 1

        The address where the organization is legally found.

        Address 2 (optional)

        More address information, such as a suite number. You can leave this box empty.

        City (optional)

        City where the organization is legally found.

        You don’t have to include a city. You can leave this box empty.

        State / Province / Region

        State, province, region where the organization is legally found.

        Postal code (optional)

        Postal code where the organization is legally found.

      3. Organization phone number

        DigiCert must call a verified organization phone number to confirm your authority to order a certificate for the organization. We verify this phone number against online third-party address listing sources like Google Business.

        Country code

        Country code for the organization's phone number.

        Phone number

        Organization's phone number.

        Learn how we confirm your authority.

      4. Verify you entered the information correctly and then select Add.

    3. Organization contact

      The organization contact is the person we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization. They may also receive the following notifications: Order status updates and domain status updates for their organization.

      In the Add contacts window, add yourself, add someone else from your account, or create a new organization contact.

      1. Add yourself as the organization contact.

        Select Add me as the organization contact and then select Add or Next.

        • If we have all your information, select Add.

        • If we need more information, select Next, enter the missing data, and then select Add.

          Usually, you must add a phone number that we can use to contact you and your job title.

      2. Add someone else as the organization contact.

        • Select Add someone else as the organization contact.

        • Then, in the Add contact menu, select the contact or user and then select Add or Next.

          • If we have the needed user information, select Add.

          • If we need more user information, select Next, enter the missing data, and then select Add.

            Usually, you must add a phone number that we can use to contact the person and their job title.

      3. Create a new contact.

        • Select Add someone else as the organization contact.

        • In the Add contact menu, select Create new contact and then select Next.

        • Enter the required user information: email, first and last name, phone number, and job title.

        • Select Add.

    4. Technical contact

      The technical contact is the person we may contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.

      Add a technical contact (optional)

      1. Under Organization Info, select Show organization contacts.

      2. Select Add technical contact (Optional).

      3. Add yourself as the technical contact.

        • Select Add me as the technical contact for the organization and then select Add or Next.

          • If we have all your information, select Add.

          • If we need more information, select Next, enter the missing data, and then select Add.

            Usually, you must add a phone number that we can use to contact you and your job title.

      4. Add someone else as the technical contact.

        • Select Add someone else as the technical contact for the organization.

        • In the Add contact menu, select the contact or user and then select Add or Next.

          • If we have the needed user information, select Add.

          • If we need more user information, select Next, enter the missing data, and then select Add.

            Usually, you must add a phone number that we can use to contact the person and their job title.

      5. Create a new contact.

        • Select Add someone else as the technical contact for the organization.

        • In the Add contact menu, select Create new contact and then select Next.

        • Enter the required user information: email, first and last name, phone number, and job title.

        • Select Add.

  6. Certificate details

    Add the information about the subject individual. The subject individual is the holder of the certificate, and specific information about them is included on the certificate.

    You can add a new subject individual or an existing subject individual used previously.

    Under Certificate details, select Add individual. Then, in the Add subject individual window, do the following tasks as needed.

    1. Add a new subject individual

      DigiCert must validate the subject individual before we can issue your certificate. Accurate information makes validating the individual easier, leading to faster certificate issuance. Verify that the details are correct, including spelling and punctuation.

      1. Select Create new subject individual and then select Next.

      2. Enter the following information about the subject individual as required:

        Given name

        You may include a middle name and initials. Don’t include titles or prefixes, such as "Dr.".

        Surname

        You may include generational suffixes, such as “Sr.” and “III”.

        Job title (optional)

        You may include the subject individual's job title on the certificate.

        • Adding a job title is optional, and you can leave this field empty.

        • Including a job title requires more validation and may delay certificate issuance.

        Country code

        Country code for the individual's phone number.

        Phone number

        Phone number for the individual.

        Country

        Country where the individual resides.

        Email

        DigiCert uses this email address to process your request.

        Note: This email doesn’t appear on the certificate.

      3. Verify the information is correct and select Add.

    2. Add an existing subject individual

      1. Select Use previous subject individual.

      2. In the menu, select the subject individual.

      3. Select Add.

  7. Advanced certificate options

    By default, DigiCert issues certificates with an RSA 2048-bit key, a SHA-256 signature hash, and the RSA signing algorithm. However, you can change the key type and size and the signature hash as required to meet your company policy or digital certificate environment requirements.

    1. Key type and size

      If you select Install on HSM, you don’t see this option.

      DigiCert recommends using RSA 2048 unless you have a specific reason for using a different key type or size.

      In the menu, select the key type (algorithm) and key size for generating your CSR and certificate:

      • RSA 2048, 3072, or 4096

      • ECC p-256 or p-384

    2. Signature hash

      By default, DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm. DigiCert recommends using the default RSA settings unless you have specific reasons for using a different key size.

      In the menu, select the signature hash* you want to use for signing your documents.

      • SHA-256 with RSA

      • SHA-384 with RSA

      • SHA-512 with RSA

      *Note: The selected hash is the signing algorithm for your document signing signatures. The document recipient uses the signature to verify the document signer and to confirm the document wasn't modified along the way.

      ECC certificates

      With ECC certificates, there’s a one-to-one correlation between the signature hash and the signing algorithm.

      • When using the ECC p-256 key size, your certificate includes a SHA-256 signature hash with ECDSA signing algorithm.

      • When using the ECC p-384 as the key size, your certificate includes a SHA-384 signature hash with ECDSA signing algorithm.

    3. Organization unit (optional)

      Enter the organization unit (OU) with which you want to associate the certificate and signatures. If you include an OU in your order, DigiCert must validate it before we can issue your certificate with the OU field.

      An OU isn’t required to issue your certificate. You can leave this box empty. When the box is empty, the issued certificate doesn't have an OU value.

    4. Certificate usage

      Add non-repudiation key usage

      To add the non-repudiation key usage to your certificate, select this option.

  8. Additional order options

    Adding any of the following information is optional. None of it is required to issue your certificate.

    1. Additional Renewal Message (optional)

      To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal.

      Note: Comments and renewal messages aren’t included in the certificate.

    2. Additional emails (optional)

      Enter the email addresses of the people you want to receive the certificate issuance, expiring certificate, and expiring order notifications. Use a comma to separate addresses or enter them on separate lines.

      These recipients don't manage the order. They receive all the certificate-related emails.

  9. Select payment method

    Under Payment information, select a payment method to pay for the certificate.

    • Pay with credit card

      We authorize the credit card when you make the request. However, we don't finish the transaction until we issue your certificate.

    • Pay with contract terms

      When you have a contract, it is the default payment method.

    • Pay with account balance

      Bill the cost to your account balance. To deposit funds, select the Deposit link. Selecting the link takes you to another page inside your CertCentral account. Any information entered in the request form isn't saved.

  10. Master Services Agreement

    Read through the Master Services Agreement.

  11. Select Submit Certificate Request.

    By selecting Submit Certificate Request, you agree to the Master Services Agreement.

What's next

CertCentral takes you to the certificate’s Order # details page, where you can see the status of your certificate order.

Complete organization validation

DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we call a verified phone number to speak with someone who represents the certificate requester, such as the organization or technical contact.

To get organization consent for your certificate order:

  • Answer the organization/validation phone call—preferred method.

    When done submitting your certificate order, ensure the organization contact, technical contact, and company receptionist know you've ordered a Document Signing for Employee certificate. Tell them DigiCert calls a verified phone number to speak with one of them to ensure you have permission to order this certificate. This call usually occurs within 24 hours of the certificate order being placed.

  • Respond to the organization consent message.

    If the DigiCert validation agent can't reach someone representing you at the verified phone number, they leave a message. The message includes a callback phone number and a verification code. Make sure that the organization or technical contact responds to the message and provides the verification code.

  • Schedule a time for a call back through the verified phone number.

    If the DigiCert validation agent can't reach someone who represents you at the verified phone number, they may email you. The email asks you to schedule a time for us to call back to finish the verification.

Certificate issuance

When the validation process is complete, we issue your certificate.

  • DigiCert-provided hardware token (nonrefundable)

    If you opted to have DigiCert send you a hardware token, we send your token to the mailing address included in your request. On your certificate's order details page, you can track your hardware token shipment.

    When you receive the DigiCert-provided hardware token and get the PIN, return to CertCentral and download and install the DigiCert Trust Assistant. Then, when the certificate is ready, use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.

  • Your supported hardware token

    If you opted to use your own supported hardware token, when the certificate is ready, return to CertCentral and use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.

  • Supported hardware security module (HSM)

    If you opted to install your document signing certificate on a supported HSM, the process works as follows:

    • DigiCert sends the certificate requester an agreement email. The email is to verify your private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM.

      DigiCert can't issue the certificate unless the requester agrees to the private key protection requirement.

    • DigiCert emails the certificate requester a copy of the certificate.

      You can also download a copy of the certificate from CertCentral.

    • Install the certificate on your HSM. Refer to your HSM vendor instructions.

      To use your certificate, you must install it on the HSM where you generated the private key and certificate signing request (CSR).