Skip to main content

Order a Code Signing certificate

Important

The industry requires RSA 3072-bit key minimum for code signing certificates

To comply with industry changes, DigiCert has made the following changes to our code signing certificate process:

  • Only issues RSA 3072-bit key or larger code signing certificates*

  • Uses new intermediate CA and root certificates to issue our code signing certificates: RSA and ECC

*Note: All existing 2048-bit key code signing certificates issued before June 1, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

Learn more about the change to 3072-bit key code signing certificates.

Before you begin

  • Generate CSR

    If you are using your Code Signing (CS) certificate with the Sun Java platform, you must submit a certificate signing request (CSR) with your order. However, you can include a CSR with your order for any platform.

    To remain secure, certificates must use an RSA 3072-bit or ECC P-256-bit key size or larger.

    Need help creating a CSR? See our Create CSR for a code signing certificate request instructions.

  • Validate organization

    Make sure the organization you want to associate your Code Signing (CS) certificate with has been validated for CS Organization validation. See Submit an organization for prevalidation.

  • Validate domain

    When adding an email address as the subject of a code signing certificate, the email address must include a validated domain associated with the organization included in your order. Only validated domains appear on the order form.

    For example, if you want to add john.doe@example.com, make sure example.com has been validated. See Domain prevalidation.

    Adding an email address is optional. Depending on how your account was set up, you may not be able to add an email address to your Code Signing certificate.

Order your CS certificate

  1. In the left main menu, hover over Request a Certificate then, under Code Signing Certificates, select Code Signing.

  2. Assign the request to a division

    In the For dropdown, select the division to manage the certificate. This dropdown only appears if your account uses Divisions.

Certificate Settings

  1. Add a CSR

    Upload or paste your CSR into the CSR box.

    The Sun Java Platform is the only platform that requires you to submit a CSR. For all other platforms, submitting a CSR is optional.

  2. Server platform

    In the dropdown, select the platform with which you are planning to use your certificate.

  3. Validity period

    Select a validity period for the certificate: 1 year, 2 years, or 3 years.

    If needed, you can customize the expiration date or certificate length. However, you cannot exceed the 39-month maximum code signing certificate validity.

  4. Auto-renew

    To set up automatic renewal for this code signing order, check Auto-renew order 30 days before expiration.

    With auto-renew enabled, DigiCert automatically submits a request to renew the order thirty days before it expires. Auto-renew is not available with credit card payments.

    Tip

    If your certificate still has time remaining before it expires, DigiCert adds the remaining time from your current certificate to your new certificate (up to 39 months).

Organization

  1. In the Organization dropdown, choose the organization you want to associate with your code signing certificate.

    Important

    If you choose an organization that is not validated for code signing certificates, DigiCert must validate the organization for code signing validation before we can issue your certificate.

  2. Additional emails (optional)

    Enter the email addresses (comma separated) you want to receive the certificate notification emails, such as certificate issuance and expiring certificate notifications.

    Tip

    Depending on your account settings, your administrator may require you to include at least one additional email.

Additional certificate options

The information below is optional. None of it is required to issue your certificate.

  1. Organization unit (optional)

    An OU is not required to issue your certificate. You can leave this box empty. When the box is empty, the issued certificate will not have an OU value.

    Important

    If you include an organization unit (OU) in your order, DigiCert must validate the OU before we can issue your certificate with the OU field in it.

  2. Subject Email (optional)

    Enter the email address you want to appear on the certificate.

    Including an email address on the certificate provides an additional layer of trust for end users when checking your code signing certificate.

    Important

    The email address must contain a validated domain associated with the organization included in the request, for example, email-username@validated-domain.

    1. In the Email username box, enter your email username.

    2. In the Email domain dropdown, select your email address domain.

      • We don't show a dropdown if the organization only has one validated domain assigned to it.

      • You cannot include a subject email if the organization does not have any validated domains assigned to it.

Additional order options

The information below is optional. None of it is required to issue your certificate.

  1. Comments to Administrator (optional)

    Enter any information your administrator might need for approving your request, about the purpose of the certificate, etc.

  2. Additional Renewal Message (optional)

    To create a renewal message for this certificate, add a message with information that might be relevant to the certificate’s renewal.

Payment Information

  1. Select Payment Method

    Under Payment Information, select a payment method to pay for the certificate:

    1. Bill to Credit Card

      Don’t have a contract or don’t want to use the contract to pay for this certificate? Use a credit card to pay for the certificate.

      Note

      We authorize the card when the request is made. However, we only complete the transaction once we issue your certificate. If you have a contract enabled, check Exclude from contract terms.

    2. Bill to Account Balance

      Don’t have a contract or don’t want to use the contract to pay for this certificate? Bill the cost to your account balance.

      To deposit funds, click the Deposit link.

      The Deposit link takes you to another page in your CertCentral account. Any information entered in the request form will not be saved.

      If you have a contract enabled, check Exclude from contract terms.

    3. Pay with Contract Terms

      Have a contract and want to use it to pay for the certificate? When you have a contract, it is the default payment method.

  2. Master Services Agreement

    Select the Master Services Agreement link to read through the agreement.

  3. Select Submit Certificate Request.

    Selecting Submit Certificate Request also means you agree to all the terms and conditions in the Master Services Agreement.

What's next

Important

DigiCert recommends that developers take precautions with the code signing process and protect the private key associated with their signing certificate. See Protect private keys: Code signing best practices.