Order an EV Code Signing certificate

Important

The industry requires RSA 3072-bit key minimum for EV code signing certificates

To comply with new industry requirements, DigiCert made the following changes to our EV code signing certificate process:

  • Only issues RSA 3072-bit key or larger EV code signing certificates*

  • Uses new intermediate CA and root certificates to issue our EV code signing certificates: RSA and ECC

eToken and HSM changes

DigiCert supports two eTokens:

  • SafeNet eToken 5110 CC for RSA 4096-bit and ECC P-256-bit key certificates

  • SafeNet eToken 5110 FIPS for ECC P-256 and P-384-bit key certificates

  • SafeNet eToken + FIPS

HSM must:

  • Support RSA 3072-bit or ECC P-256-bit key sizes or larger

  • Be FIPS 140-2 Level 2+ or Common Criteria EAL4+ compliant devices

*Note: All existing 2048-bit key code signing certificates issued before June 1, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

Learn more about the change to 3072-bit key code signing certificates.

Before you begin

  • Make sure the organization with which you want to associate your EV Code Signing (CS) certificate has been validated for EV CS – Code Signing Organization Extended Validation. See Submit an organization for prevalidation.

    For an organization to appear on the Request an EV Code Signing Certificate order form, you must first submit the organization for prevalidation.

  • Are you installing your EV Code Signing certificate on an HSM device? Then you must submit a certificate signing request (CSR) with your order.

    To remain secure, certificates must use an RSA 3072-bit or ECC P-256-bit key size or larger. Need help creating a CSR? See our Create CSR for a code signing certificate request instructions.

    Important

    CSRs must be generated on the HSM.
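
One way to confirm, before uploading, that a CSR exported from the HSM meets the key minimum stated above. This is an added example, not DigiCert tooling; the function names are made up here and it assumes the openssl command-line tool is installed. It checks key type and size only and cannot show where the key was generated.

```sh
#!/bin/sh
# Added example: check a CSR against this page's key minimum before upload.
# Constructed helper names; needs the openssl command-line tool.

# csr_key_info FILE: print "RSA <bits>" or "EC <curve>"; return 2 if the
# file is not a CSR or its self-signature does not verify.
csr_key_info() {
    # Match the text so the check works whether or not this openssl
    # build sets a failing exit status on a bad signature.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    algo=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    curve=$(printf '%s\n' "$text" | sed -n 's/.*NIST CURVE: *//p' | head -n 1)
    case $algo in
        rsaEncryption*)  echo "RSA ${bits:-0}" ;;
        id-ecPublicKey*) echo "EC ${curve:-unknown}" ;;
        *)               echo "OTHER ${algo:-unknown}" ;;
    esac
}

# csr_meets_policy FILE: 0 = RSA >= 3072 or NIST P-256 and larger,
# 1 = key too weak or unsupported type, 2 = unreadable CSR.
csr_meets_policy() {
    info=$(csr_key_info "$1") || return 2
    kind=${info%% *}
    value=${info#* }
    case $kind in
        RSA) [ "$value" -ge 3072 ] || return 1 ;;
        EC)  case $value in
                 P-256|P-384|P-521) ;;
                 *) return 1 ;;
             esac ;;
        *)   return 1 ;;
    esac
    return 0
}

# Stand-alone use: sh check_csr.sh request.csr
if [ "$#" -ge 1 ]; then
    if csr_meets_policy "$1"; then
        echo "OK: $(csr_key_info "$1")"
    else
        echo "REJECT: $1 does not meet the RSA 3072 / ECC P-256 minimum"
        exit 1
    fi
fi
```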

Order your EV Code Signing certificate

  1. In the left main menu, hover over Request a Certificate. Under Code Signing Certificates, select EV Code Signing.

  2. Assign the request to a division

    In the For dropdown, select the division to manage the certificate. This dropdown only appears if your account uses Divisions.

Certificate Settings

  1. Validity period

    Select a validity period for the certificate: 1 year, 2 years, or 3 years.

    If needed, you can customize the expiration date or certificate length. However, you cannot exceed the 39-month maximum EV code signing certificate validity.

  2. Auto-renew

    To set up automatic renewal for this EV code signing certificate, check Auto-renew order 30 days before expiration.

    With auto-renew enabled, DigiCert automatically submits a request to renew the EV Code Signing order thirty days before it expires. Auto-renew is not available with credit card payments.

    Tip

    If your certificate still has time remaining before it expires, DigiCert adds the remaining time from your current certificate to your new certificate (up to 39 months).

Organization

  1. Organization

    In the Organization dropdown, choose the organization you want to associate with your code signing certificate.

    The organization name will appear on the EV code signing certificate.

    Important

    If you choose an organization not validated for EV Code Signing certificates, DigiCert must validate the organization for EV code signing before we can issue your certificate.

  2. Additional emails (optional)

    Enter the email addresses (comma separated) you want to receive the certificate notification emails, such as certificate issuance and expiring certificate notifications.

    Tip

    Depending on your account settings, your administrator may require you to include at least one additional email.

Additional certificate options

  • Organization unit (optional)

    Adding an organization unit (OU) is optional. An OU is not required to issue your certificate. When you leave this box empty, the certificate issued will not have an OU value.

    Note

    DigiCert must validate the organization unit in your order before we can issue your certificate with the OU field on it.

Order Settings

Provisioning options

Choose the storage device for your EV Code Signing certificate.

For the security of your EV Code Signing certificate, the certificate must be installed on and used from an approved device.

  1. Preconfigured Hardware Token

    DigiCert installs your EV code signing certificate on a secure token and ships it to you with instructions for activating it. See Currently Supported eTokens.

    Then, under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.

  2. Use Existing Token

    After DigiCert issues your EV code signing certificate, you need to install the certificate on your token.

    In the Platform dropdown, select the type of hardware token on which you plan to install your EV CS certificate.

    Important

    You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device. See Currently Supported eTokens.

    You will not be able to install the certificate on any device that is not on the list. If you don't have one of the approved tokens, please select the option to have a preconfigured hardware token shipped to you.

    If you have any questions, please contact DigiCert Support.

  3. Install on HSM

    After DigiCert issues your EV code signing certificate, install it on your HSM device.

    In the Add Your CSR box, upload or paste your CSR.

    Important

    You must have a FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent hardware security module (HSM) that supports at least 3072-bit keys.

    Select a different provisioning method if you don't have a compatible HSM. If you have any questions, please contact DigiCert Support.

Additional order options

The information below is optional. None of it is required to issue your certificate.

  1. Comments to Administrator (optional)

    Enter any information your administrator might need to approve your request, such as the purpose of the certificate.

  2. Additional Renewal Message (optional)

    To create a renewal message for this certificate, add a message with information that might be relevant to the certificate’s renewal.

Payment Information

  1. Select Payment Method

    Under Payment Information, select a payment method to pay for the certificate:

    1. Bill to Credit Card

      Don’t have a contract or don’t want to use the contract to pay for this certificate? Use a credit card to pay for the certificate.

      We authorize the card when the request is made. However, we only complete the transaction once we issue your certificate.

      If you have a contract enabled, check Exclude from contract terms.

    2. Bill to Account Balance

      Don’t have a contract or don’t want to use the contract to pay for this certificate? Bill the cost to your account balance.

      To deposit funds, select the Deposit link. This link takes you to another page inside your CertCentral account. Any information entered in the request form will not be saved.

      If you have a contract enabled, check Exclude from contract terms.

    3. Pay with Contract Terms

      Have a contract and want to use it to pay for the certificate? When you have a contract, it is the default payment method.

  2. Master Services Agreement

    Select the Master Services Agreement link to read through the agreement.

  3. Select Submit Certificate Request.

    Selecting Submit Certificate Request also means you agree to all the terms and conditions in the Master Services Agreement.

What's next

Important

DigiCert recommends that developers take precautions with the code signing process and protect the private key associated with their signing certificate. See Protect private keys: Code signing best practices.