Certificate auto-issuance
When the private key associated with your publicly trusted certificate is stored on an HSM, DigiCert is required by CA/B guidelines to confirm that the key is stored on an FIPS 140-2 or EAL4+ Compliant HSM device. This confirmation is mandatory, even when you generate and store your private key on DigiCert's HSM, which meets these requirements.
DigiCert sends an HSM confirmation email for every publicly trusted code signing certificate that you request. Your certificate cannot be issued if you do not complete this HSM confirmation. Delays in the issuance of your certificate may occur if the recipient of the email fails to click on the link and complete the confirmation process.
Note
The subject line of the HSM confirmation email is:
[Action Required] Private key protection requirements for your code signing (order #)
HSM agreement exemption
Provide a Code Signing Audit Letter for each organization in your account to be exempted from the HSM confirmation email process. The exemption ensures that your certificate auto-issues without unnecessary delays.
Exemption validity
The HSM agreement exemption is valid for:
Certificate type | Validity |
---|---|
Code signing | 825 days |
EV code signing | 13 months |
Request exemption
To request an HSM agreement exemption:
Contact DigiCert Support.
Request a PDF copy of the Code Signing Audit Letter.
Complete the form.
Tip
In question 4, note that your private key is stored in DigiCert® Software Trust Manager's HSM, which is FIPS 140-2 level 3 compliant.
Send the completed Code Signing Audit Letter to DigiCert Support.