Order your Document Signing for Organization certificate
CertCentral: Learn how to get your Document Signing for Organization certificate
With a Document Signing for Organization certificate, apply electronic seals, certifying the document’s origin, authenticity, and integrity. DigiCert document signing certificates are compatible with Adobe Acrobat, DocuSign, Microsoft Office, OpenOffice, and LibreOffice documents.
Before you begin
Key provisioning options
When ordering your Document Signing for Organization certificate, you must select your key provisioning method. The provisioning method refers to where you store the private key and certificate. For the security of your document signing certificate, you must install and use your certificate from an approved device.
Hardware token: With this option, buy a token from DigiCert or use your own:
DigiCert-provided hardware token—nonrefundable
When you submit the request, we send the hardware token to the mailing address included in your order.
Use your own DigiCert-supported FIPS 140-2 Level 2 hardware token
SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size
SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096 and ECC p-256 and p-384 key sizes
Use the DigiCert Trust Assistant to initialize your token, if needed, and install your certificate on it. See the Certificate issuance section in this article.
Hardware security module (HSM): With this option, use your own Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM.
Generate the private key on your HSM and add the certificate signing request (CSR) to your request. Refer to your HSM vendor instructions for generating the CSR.
Document Signing certificates support the following algorithms and key lengths:
RSA 2048, 3072, and 4096
ECC p-256 and p-384
DigiCert sends the certificate requester an agreement email. This email is to verify the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM.
See the Certificate issuance section in this article.
Organization validation
Before DigiCert can issue your Document Signing for Organization certificate, we must validate the organization for DS - Document Signing Validation. Organization validation is valid for 825 days. See How do we validate your organization.
Use one of the following options to validate your organization:
Prevalidate the organization.
CertCentral features an organization prevalidation process that allows you to validate your organization before ordering certificates. Doing the organization validation ahead of time allows for quicker certificate issuance. See Submit an organization for prevalidation.
Validate the organization as part of the order process.
If adding a new organization or one with expired DS - Document Signing Validation, DigiCert does the organization validation as part of the order process.
Order your Document Signing for Organization certificate
In CertCentral, in the left menu, go to Request a Certificate > Document Signing Certificates > Document Signing for Organization.
On the Request Document Signing for Organization Certificate page, in the For menu, select the division to manage the certificate.
The For menu appears if using Divisions in your account.
Certificate validity
In the Certificate Settings section, under Certificate validity, select a validity period for the certificate: 1 year, 2 years, 3 years, Custom expiration date, or Custom length.
Key provisioning method
Select the key provisioning method for your Document Signing for Organization certificate.
The provisioning method refers to where you store the certificate and its private key. For the security of your Document Signing certificate, the certificate must be installed on and used from an approved device.
DigiCert-provided hardware token (nonrefundable)
Then, under Shipping address, add your mailing information: your name and the address where you want us to send the hardware token.
DigiCert sends a hardware token with instructions for installing the certificate on it.
Use existing token
When DigiCert issues your document signing certificate, install the certificate on your own DigiCert-supported hardware token:
SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size
SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096 and ECC p-256 and p-384 key sizes
Install on an HSM
When DigiCert issues your document signing certificate, install it on the HSM where you generated the private key and certificate signing request (CSR).
Select Yes under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM?
In the Add your CSR box, upload your CSR or add it to the box.
Document signing certificates must use an RSA key of at least 2048 bits in length to remain secure.
Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.
DigiCert sends the certificate requester an agreement email. This email is to ensure the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM.
DigiCert can’t issue the certificate unless the requester agrees to the private key protection requirement.
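Before uploading a CSR exported from your HSM, you can check it locally against the key types and tags listed on this page. The following is an added example, not DigiCert tooling: check_csr is a hypothetical helper name, and it assumes the OpenSSL command-line tool is installed. Pass the CSR file path as the first argument.

```shell
#!/usr/bin/env bash
# Added example (not DigiCert tooling): pre-submission CSR check.
# check_csr is a hypothetical helper; assumes the OpenSSL CLI is on PATH.
check_csr() {
  local csr="$1" text alg bits curve
  # PEM envelope: this page names the NEW CERTIFICATE REQUEST tags.
  grep -q -- '-----BEGIN NEW CERTIFICATE REQUEST-----' "$csr" &&
    grep -q -- '-----END NEW CERTIFICATE REQUEST-----' "$csr" ||
    echo "NOTE: tags are not the NEW CERTIFICATE REQUEST form"
  # The self-signature shows the CSR was signed by the matching private key.
  # Match the message text: some OpenSSL versions exit 0 even on failure.
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "FAIL: CSR unreadable or self-signature invalid"; return 1; }
  # Read the public key algorithm, size and curve from the parsed request.
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
  alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  curve=$(printf '%s\n' "$text" | sed -n 's/^ *NIST CURVE: *//p' | head -n 1)
  case "$alg" in
    rsaEncryption)
      case "$bits" in
        2048|3072|4096) echo "OK: RSA $bits" ;;
        *) echo "FAIL: RSA $bits not in 2048/3072/4096"; return 1 ;;
      esac ;;
    id-ecPublicKey)
      case "$curve" in
        P-256|P-384) echo "OK: ECC $curve" ;;
        *) echo "FAIL: EC curve is not p-256 or p-384"; return 1 ;;
      esac ;;
    *) echo "FAIL: unsupported key algorithm '$alg'"; return 1 ;;
  esac
}

# Run against a CSR file when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_csr "$1"; fi
```

The check reads only the public key and signature inside the CSR; it says nothing about where the private key is stored, which the agreement email covers.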
Organization
You can add an existing organization from your account or a new organization. If you add a new organization, it’s added to CertCentral.
Under Organization, select Add an organization. In the Add organization window, complete one of the following tasks as needed:
Add an existing organization
Select An existing organization.
In the menu, select the organization and then select Add.
If adding a new organization or one with expired DS - Document Signing Validation, DigiCert does the organization validation as part of the order process.
Organization and technical contacts
DigiCert automatically adds the contacts assigned to the organization to the request form. To see the organization and technical contacts, select Show organization contacts.
Add a new organization
Accurate organization information makes validating your organization easier, leading to faster certificate issuance. Verify organization details are correct, including spelling and punctuation.
Select A new organization and select Next.
Organization address details
Enter the following organization information as needed.
Legal name
Organization name exactly as it appears in corporate registries, such as local government registration records.
Assumed name (optional)
Assumed name or doing business as name. You don’t need to include an assumed name. You can leave this box empty.
Note: Adding an assumed name requires more validation, which may delay organization validation and certificate issuance.
Country
Country where the organization is legally located.
Address 1
The address where the organization is legally located.
Address 2 (optional)
More address information, such as a Suite #. You can leave this box empty.
City (optional)
City where the organization is legally located.
You don’t have to include a city. You can leave this box empty.
State / Province / Region
State, province, or region where the organization is legally located.
Postal code (optional)
Postal code where the organization is legally located.
Organization phone number
DigiCert must call a verified organization phone number to confirm your authority to order a certificate for the organization. We verify this phone number against online third-party address listing sources like Google Business.
Country code
Country code for the organization's phone number.
Phone number
Organization's phone number.
Verify you entered the information correctly, and then select Add.
Organization contact
The organization contact is the person we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization. They may also receive the following notifications: Order status updates and domain status updates for requests and domains for their organization.
In the Add contacts window, add yourself, add someone else from your account, or create a new organization contact.
Add yourself as the organization contact.
Select Add me as the organization contact and then select Add or Next.
If we have all your information, select Add.
If we need more information, select Next, enter the missing data, and then select Add.
Usually, you must add a phone number that we can use to contact you and your job title.
Add someone else as the organization contact.
Select Add someone else as the organization contact.
Then, in the Add contact menu, select the contact or user and then select Add or Next.
If we have the needed user information, select Add.
If we need more user information, select Next, enter the missing data, and then select Add.
Usually, you must add a phone number that we can use to contact the person and their job title.
Create a new contact.
Select Add someone else as the organization contact.
In the Add contact menu, select Create new contact and then select Next.
Enter the required user information: email, first and last name, phone number, and job title.
Select Add.
Technical contact
The technical contact is the person we may contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.
Add a technical contact (optional)
Under Organization Info, select Show organization contacts.
Select Add technical contact (Optional).
Add yourself as the technical contact.
Select Add me as the technical contact for the organization and then select Add or Next.
If we have all your information, select Add.
If we need more information, select Next, enter the missing data, and then select Add.
Usually, you must add a phone number that we can use to contact you and your job title.
Add someone else as the technical contact.
Select Add someone else as the technical contact for the organization.
In the Add contact menu, select the contact or user and then select Add or Next.
If we have the needed user information, select Add.
If we need more user information, select Next, enter the missing data, and then select Add.
Usually, you must add a phone number that we can use to contact the person and their job title.
Create a new contact.
Select Add someone else as the technical contact for the organization.
In the Add contact menu, select Create new contact and then select Next.
Enter the required user information: email, first and last name, phone number, and job title.
Select Add.
Advanced certificate options
By default, DigiCert uses RSA 2048-bit key certificates with a SHA-256 signature hash and RSA signing algorithm. However, you can update the key type and size, and the signature hash, as required to meet your company policy or digital certificate environment requirements.
Key type and size
If you select Install on HSM, you don’t see this option.
DigiCert recommends using RSA 2048 unless you have a specific reason for using a different key type or size.
In the menu, select the key type (algorithm) and key size for generating your CSR and certificate:
RSA 2048, 3072, or 4096
ECC p-256 or p-384
Signature hash
By default, DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm. DigiCert recommends using the default RSA settings unless you have specific reasons for using a different key size.
In the menu, select the signature hash* you want to use for signing your documents.
SHA-256 with RSA
SHA-384 with RSA
SHA-512 with RSA
*Note: The selected hash is the signing algorithm for your document signing signatures. The document recipient uses the signature to verify the document signer and to confirm the document wasn't modified along the way.
ECC certificates
With ECC certificates, there’s a one-to-one correlation between the signature hash and the signing algorithm.
When using the ECC p-256 key size, your certificate includes a SHA-256 signature hash with ECDSA signing algorithm.
When using the ECC p-384 as the key size, your certificate includes a SHA-384 signature hash with ECDSA signing algorithm.
Organization unit (optional)
Enter the organization unit (OU) with which you want to associate the certificate and signatures. If you include an OU in your order, DigiCert must validate it before we can issue your certificate with the OU field.
An OU isn’t required to issue your certificate. You can leave this box empty. When the box is empty, the issued certificate doesn't have an OU value.
Certificate usage
Add non-repudiation key usage
To add the non-repudiation key usage to your certificate, select this option.
Additional order options
Adding any of the following information is optional. None of it is required to issue your certificate.
Additional Renewal Message (optional)
To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal.
Note: Comments and renewal messages aren’t included in the certificate.
Additional emails (optional)
Enter the email addresses of the people you want to receive the certificate issuance, expiring certificate, and expiring order notifications. Use a comma to separate addresses or enter them on separate lines.
These recipients don't manage the order. They receive all the certificate-related emails.
Select payment method
Under Payment information, select a payment method to pay for the certificate.
Pay with credit card
We authorize the credit card when you make the request. However, we don't finish the transaction until we issue your certificate.
Pay with contract terms
When you have a contract, it is the default payment method.
Pay with account balance
Bill the cost to your account balance. To deposit funds, select the Deposit link. Selecting the link takes you to another page inside your CertCentral account. Any information entered in the request form isn't saved.
Master Services Agreement
Read through the Master Services Agreement.
Select Submit Certificate Request.
By selecting Submit Certificate Request, you agree to the Master Services Agreement.
What's next
CertCentral takes you to the certificate’s Order # details page, where you can see the status of your certificate order.
Complete organization validation
DigiCert must validate your authority to order a certificate for the organization on your certificate order. To do this, we call a verified phone number to speak with someone who represents the certificate requester, such as the organization or technical contact.
To get organization consent for your certificate order:
Answer the organization/validation phone call—preferred method.
When you submit your certificate order, ensure the organization contact, technical contact, and company receptionist know you’ve ordered a Document Signing for Organization certificate. Let them know DigiCert calls a verified phone number to speak with one of them to finish the organization validation. This phone call usually takes place within 24 hours of the order being placed.
Respond to the organization consent message.
If DigiCert can’t reach someone who represents you at the verified phone number, they leave a message with a call-back number and verification code. Make sure that the organization or technical contact responds to the message and provides the verification code.
Certificate issuance
When the validation process is complete, DigiCert issues your certificate.
DigiCert-provided hardware token (nonrefundable)
If you opted to have DigiCert send you a hardware token, we send our token to the mailing address included in your request. On your certificate's order details page, you can track your hardware token shipment.
When you receive the DigiCert-provided hardware token and get the PIN, return to CertCentral and download and install the DigiCert Trust Assistant. Then, when the certificate is ready, use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.
Your supported hardware token
If you opted to use your own supported hardware token, when the certificate is ready, return to CertCentral and use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.
Supported hardware security module (HSM)
If you opted to install your document signing certificate on a supported HSM, the process works as follows:
DigiCert sends the certificate requester an agreement email. This email is to verify the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM.
DigiCert can't issue the certificate unless the requester agrees to the private key protection requirement.
DigiCert emails the certificate requester a copy of the certificate.
You can also download a copy of the certificate from CertCentral.
Install the certificate on your HSM. Refer to your HSM vendor instructions.
To use your certificate, you must install it on the HSM where you generated the private key and certificate signing request (CSR).