Skip to main content

Pedir un certificado de firma de código EV

Importante

El sector pasó a utilizar una clave RSA de 3072 bits como mínimo para los certificados de firma de código

Para cumplir con los cambios de la industria, DigiCert ha realizado los siguientes cambios en nuestro proceso de certificados de firma de código:

  • Solo emite certificados de firma de código RSA de 3072 bits o superiores*.

  • Utiliza nuevas CA intermedias y certificados raíz para emitir nuestros certificados de firma de código y de firma de código EV: RSA y ECC

Cambios en eToken y HSM

DigiCert admite dos tokens electrónicos:

  • 5110 CC para certificados de clave RSA de 4096 bits y ECC P de 256 bits

  • 5110 FIPS para certificados de clave ECC P-256 y P-384 bits

  • SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit key certificates.

HSM debe:

  • Admite tamaños de clave RSA de 3072 bits o ECC P-256 bits o superiores

  • Dispositivos compatibles con FIPS 140-2 Nivel 2+ o Common Criteria EAL4+

*Nota: Todos los certificados existentes de firma de código de 2048 bits emitidos antes del 1 de junio de 2021 seguirán activos. Puede seguir utilizando estos certificados para firmar códigos hasta que caduquen.

Más información sobre el cambio a los certificados de firma de código de clave de 3072 bits.

Antes de comenzar

  • Validación previa de la organizaciónValide previamente la organización para la cual quiere obtener un certificado EV de firma de código. Consulte Agregar una organización y Presentar una organización para su validación previa.

    Validación previa de la organizaciónValide previamente la organización para la cual quiere obtener un certificado EV de firma de código. Consulte Agregar una organización y Presentar una organización para su validación previa.

  • Generar una CSR (solo pedidos HSM)Si está reemitiendo su certificado de firma de código EV para un dispositivo HSM, debe enviar una solicitud de firma de certificado (CSR) con su solicitud.

    Generar una CSR (solo pedidos HSM)Si está reemitiendo su certificado de firma de código EV para un dispositivo HSM, debe enviar una solicitud de firma de certificado (CSR) con su solicitud.

    Para mantener la seguridad, los certificados deben utilizar un tamaño de clave RSA de 3072 bits o ECC P-256 bits o superior. Consulte la documentación de su proveedor de HSM a fin de crear la CSR para su solicitud.

Pedir su certificado EV de firma de código

  1. In the left main menu, hover over Request a Certificate. Under Code Signing Certificates, select EV Code Signing.

  2. On the Request EV Code Signing Certificate page, in the For dropdown, select the division to manage the certificate.

    The For dropdown only appears if your account uses Divisions.

Configuración de certificados

  1. Período de validez

    Seleccione un período de validez para el certificado: 1 año, 2 años o 3 años.

    If needed, you can customize the expiration date or certificate length. However, you cannot exceed the 39-month maximum EV code signing certificate validity.

  2. Renovación automática

    A fin de configurar la renovación automática para este certificado, seleccione Autorrenovar pedido 30 días antes del vencimiento.

    Con la renovación automática activada, se enviará automáticamente un nuevo pedido de certificado cuando este se acerque a su fecha de caducidad. Si todavía falta tiempo para que su certificado venza, DigiCert agrega el tiempo restante de su certificado vigente a su certificado nuevo (hasta 39 meses).

Importante

If your certificate still has time remaining before it expires, DigiCert adds the remaining time from your current certificate to your new certificate (up to 39 months).

Organization

  1. Organización

    Select Add organization. The organization name will appear on the EV code signing certificate.

    En el menú desplegable, elija la organización para la cual pide el certificado EV de firma de código. El nombre de la organización aparecerá en el certificado de firma de código EV.

    In the Add organization window, do one of the following:

    • Add an existing organization.

      1. Select An existing organization.

        In the dropdown, select the organization and then select Add.

        If you choose an organization not validated for EV Code Signing certificates or if the organization's EV code signing validation has expired, DigiCert must validate the organization for EV code signing validation before we can issue your certificate.

      2. Organization and technical contacts.

        DigiCert automatically adds the contacts assigned to the organization to the request form. To see the organization and technical contacts, select Show organization contacts.

      3. Verified contacts.

        • DigiCert automatically adds the assigned contacts to the request form if the organization has EV code signing verified contacts. To view, change selections, or add verified contacts, expand Verified contacts.

        • The Add contacts popup window opens if the organization has not assigned EV code signing verified contacts. In this window, you can add yourself, a user in your account, or a new contact as a verified contact. See Verified contacts below.

    • Add a new organization.

      1. Select A new organization and select Next.

      2. Under Organization address details, enter your organization's legal name, assumed name (optional), address, and phone number.

        DigiCert must validate the organization for EV code signing validation before we can issue your certificate.

      3. When ready, select Add.

    • Add an organization contact.

      In the Add organization window, add yourself or someone else from your account, or create a new organization contact.

      Importante

      The organization contact is whom we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization.

      They may also receive the following notifications:

      • Order status updates for certificates requested for their organization.

      • Domain status updates for domains associated with their organization.

      • Add yourself as the organization contact.

        Select Add me as the organization contact and then select Add or Next.

        1. If we have all your information, you will select Add.

        2. If we need more information, you will select Next, enter the missing information, and then select Add.

      • Add someone else as the organization contact.

        Select Add someone else as the organization contact. Then in the Add contact dropdown, select the contact or user and then select Add or Next.

        1. If we have the needed user information, you will select Add.

        2. If we need more user information, you will select Next, enter the missing information, and then select Add.

      • Create new contact.

        1. Select Add someone else as the organization contact.

        2. In the Add contact dropdown, select Create new contact and then select Next.

        3. Enter the needed user information and then select Add.

  2. Technical contact for the organization (optional)

    We may contact a technical contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.

    • Add yourself as the technical contact.

      Select Add me as the technical contact for the organization and then select Add or Next.

      1. If we have all your information, you will select Add.

      2. If we need more information, you will select Next, enter the missing information, and then select Add.

    • Add someone else as the technical contact.

      Select Add someone else as the technical contact for the organization. Then in the Add contact dropdown, select the contact or user and then select Add or Next.

      1. If we have the needed user information, you will select Add.

      2. If we need more user information, you will select Next, enter the missing information, and then select Add.

    • Create new contact.

      1. Select Add someone else as the technical contact for the organization.

      2. In the Add contact dropdown, select Create new contact and then select Next.

      3. Enter the needed user information and then select Add.

  3. Verified contacts

    A verified contact must represent the organization included in your certificate request. At least one EV code signing verified contact is required.

    To view, change selections, or add verified contacts, expand Verified contacts.

    • Select verified contacts.

      If the organization has multiple EV code signing verified contacts, you can select who receives the EV code signing order approval email.

      DigiCert sends the approval email to all selected, verified contacts, but only one needs to approve your order. Once the order is approved, DigiCert can issue your certificate. Selecting multiple verified contacts increases the likelihood of your order being approved quickly.

    • Add a verified contact.

      When adding a new verified contact, we will contact the organization directly to verify the individual's name, email, phone number, job title, and authority. Only after DigiCert validates a verified contact can they approve EV code signing orders for the organization.

      • Add yourself as the verified contact.

        1. Select Add me as a verified contact for the organization and then select Add or Next.

        2. If we have all your information, you will select Add.

        3. If we need more information, you will select Next, enter the missing information, and then select Add.

      • Add someone else as the verified contact.

        Select Add someone else as the verified contact for the organization. Then in the Add contact dropdown, select the contact or user and then select Add or Next.

        1. If we have the needed user information, you will select Add.

        2. If we need more user information, you will select Next, enter the missing information, and then select Add.

      • Create new contact.

        1. Select Add someone else as the verified contact for the organization.

        2. In the Add contact dropdown, select Create new contact and then select Next.

        3. Enter the needed information and then select Add.

  4. Correos electrónicos adicionales

    Ingrese las direcciones de correo electrónico (separadas con comas) para las personas que desea que reciban los correos electrónicos de notificación del certificado, como emisión del certificado, renovaciones de certificado, etc.

    Depending on your account settings, your administrator may require you to include at least one additional email.

Additional certificate options

The information below is optional. None of it is required to issue your EV code signing certificate.

  • Unidad de la organización

    Agregar una unidad de una organización es opcional. Puede dejar esta casilla del formulario en blanco.

    Agregar una unidad de una organización es opcional. Puede dejar esta casilla del formulario en blanco.

Opciones de aprovisionamiento

  • Provisioning options

    The provisioning method refers to where you will store the private key and certificate. For the security of your EV Code Signing certificate, the certificate must be installed on and used from an approved device.

    Select the storage device for your EV Code Signing certificate and its' private key.

    • DigiCert-provided hardware token.

      DigiCert ships you a secure token with instructions for installing the certificate on your token, so you can start signing code.

      Then, under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.

    • Use existing token.

      After DigiCert issues your EV code signing certificate, you need to install the certificate on your token.

      In the Platform dropdown, select the type of hardware token on which you plan to install your EV Code Signing certificate:

      • SafeNet eToken 5110 CC for RSA 4096-bit and ECC P-256-bit or higher key certificates.

      • SafeNet eToken 5110 FIPS for ECC P-256 and P-384-bit key certificates.

      • SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit or higher key certificates.

      Importante

      You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device. See Currently Supported eTokens. You cannot install the certificate on any device not on the list.

      If you don't have one of the approved tokens, please select the option to have a DigiCert-provided hardware token shipped to you. If you have any questions, please contact DigiCert Support.

    • Install on HSM

      After DigiCert issues your EV code signing certificate, install it on the HSM where you generated the private key and CSR.

      Select Yes under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM?

      Note that we will send the certificate requestor an agreement email. This email is to ensure that a private key is stored on an HSM that is certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. DigiCert will only issue the certificate after the requester agrees to the private key protection requirement.

    Importante

    You must have a FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent hardware security module (HSM) that supports at least 3072-bit keys.

    Select a different provisioning method if you don't have a compatible HSM. If you have any questions, please contact DigiCert Support.

Additional order options

The information below is optional. None of it is required to issue your certificate.

  1. Comments to Administrator (optional)

    Enter any information your administrator might need for approving your request, about the purpose of the certificate, etc.

  2. Mensaje adicional de renovación

    Para crear un mensaje de renovación para este certificado, escriba un mensaje con información pertinente para la renovación del certificado.

Información de pago

  1. Seleccionar método de pago

    En Información de pago, seleccione un método de pago para abonar el certificado:

    1. Facturar a la tarjeta de crédito

      ¿No tiene un contrato o quiere usarlo para pagar el certificado? Utilizar una tarjeta de crédito para abonar el certificado:

      Autorizamos la tarjeta cuando se hace la solicitud. No obstante, solo completamos la transacción una vez que emitimos su certificado.

      Si tiene un contrato vigente, marque Excluir de las condiciones del contrato.

    2. Facturar al saldo de la cuenta

      ¿No tiene un contrato o quiere usarlo para pagar el certificado? Pague el certificado con el saldo de su cuenta.

      Para depositar fondos, haga clic en el enlace Depositar. Este enlace lo redirigirá a otra página de su cuenta de CertCentral. No se guardará la información ingresada en el formulario de solicitud.

      Si tiene un contrato vigente, marque Excluir de las condiciones del contrato.

    3. Pagar con las condiciones del contrato

      ¿Tiene un contrato y quiere utilizarlo para pagar la solicitud de certificado? Cuando tiene un contrato, es el método de pago predeterminado.

  2. Acuerdo de servicio de certificados

    Lea el acuerdo y seleccione la opción Acepto el Acuerdo de servicio de certificados.

  3. Haga clic en Enviar la solicitud de certificado.

    Selecting Submit Certificate Request also means you agree to all the terms and conditions in the Master Services Agreement.

Qué sigue

DigiCert recommends that developers take precautions with the code signing process and protect the private key associated with their signing certificate. See Protect private keys: Code signing best practices.

En esta sección: