
Renew your Document Signing for Individual, Employee, or Organization certificate

Learn how to renew your Document Signing for Individual, Employee, or Organization certificate.

Before you begin

Organization validation

Are you renewing a Document Signing for Employee or Document Signing for Organization certificate?

Make sure the organization validation for the organization included in your certificate is still valid. The organization validation is valid for 825 days.

If the organization validation has expired, use one of the following options to validate your organization:

  • Prevalidate the organization

    CertCentral features an organization prevalidation process that allows you to validate your organization before ordering certificates. Doing the organization validation ahead of time allows for quicker certificate issuance. See Submit an organization for prevalidation.

  • Validate the organization as part of the order process

    If adding a new organization or one with expired DS - Document Signing Validation, DigiCert does the organization validation as part of the renewal process.

Key provisioning option: Hardware security module (HSM)

Are you installing your document signing certificate on an HSM device?

Then, use your own Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM and submit a certificate signing request (CSR) with your renewal.

Generate the private key on your HSM and add the certificate signing request (CSR) to your renewal request. Refer to your HSM vendor instructions for generating the CSR.

Document Signing certificates support the following algorithms and key lengths:

  • RSA 2048, 3072, and 4096

  • ECC p-256 and p-384

Renew your document signing certificate

  1. In CertCentral, in the left menu, go to Certificates > Orders.

  2. On the Orders page, select the Order # of the document signing certificate you want to renew.

  3. On the Order details page, in the Certificate actions menu, select Renew.

  4. On the certificate Renew page, update the renewal form as needed, including selecting a new provisioning method if required.

  5. Provisioning methods

    The provisioning method refers to where you store the certificate and its private key. For the security of your document signing certificate, the certificate must be installed on and used from an approved device.

    Select the key provisioning method for your document signing certificate.

    • DigiCert-provided hardware token (nonrefundable)

      DigiCert sends a hardware token with instructions for installing the certificate on it.

      Under Shipping address, add your mailing information: your name and the address where you want us to send the hardware token.

    • Use existing token

      When DigiCert issues your document signing certificate, install the certificate on your own DigiCert-supported hardware token:

      • SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size

      • SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096, and ECC p-256 and p-384 key sizes

    • Install on an HSM

      When DigiCert issues your document signing certificate, install it on the HSM where you generated the private key and certificate signing request (CSR).

      1. Select Yes under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM?

      2. In the Add your CSR box, upload your CSR or add it to the box.

        Document signing certificates must use an RSA key with a minimum length of 2048 bits to remain secure.

        Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

      DigiCert sends the certificate requester an agreement email. This email is to ensure the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2.

      DigiCert can’t issue the certificate unless the requester agrees to the private key protection requirement.

  6. When ready, select Submit request.
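A local check you can run on the CSR before pasting it into the Add your CSR box, written here as an added example (not DigiCert code): it tests the two requirements this page states for the request, the NEW CERTIFICATE REQUEST tags and a key that is RSA 2048, 3072, or 4096 or ECC p-256 or p-384. The names check_csr, tlv, and children are illustrative; the script reads only the public key in the request and does not verify the request signature or where the private key is stored.

```python
import base64
import sys
# Added example (not DigiCert code); function and constant names are illustrative.
BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"
OID_RSA = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey
CURVES = {bytes.fromhex("2a8648ce3d030107"): "P-256",
          bytes.fromhex("2b81040022"): "P-384"}

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def check_csr(pem):
    """Return (ok, detail) for a PEM CSR against the requirements on this page."""
    text = pem.strip()
    if not (text.startswith(BEGIN) and text.endswith(END)):
        return False, "missing NEW CERTIFICATE REQUEST tags"
    try:
        der = base64.b64decode("".join(text[len(BEGIN):-len(END)].split()))
        info = children(children(tlv(der)[1])[0][1])  # CertificationRequestInfo
        spki = children(info[2][1])                   # follows version and subject
        alg = children(spki[0][1])                    # AlgorithmIdentifier
        key = spki[1][1][1:]                          # BIT STRING minus pad byte
        if alg[0][1] == OID_RSA:
            bits = int.from_bytes(children(tlv(key)[1])[0][1], "big").bit_length()
            return bits in (2048, 3072, 4096), f"RSA {bits}"
        if alg[0][1] == OID_EC:
            name = CURVES.get(alg[1][1])
            return name is not None, f"ECC {name or 'unsupported curve'}"
        return False, "unsupported key algorithm"
    except (IndexError, ValueError):
        return False, "not a parseable PKCS#10 request"

if __name__ == "__main__":
    print(check_csr(open(sys.argv[1]).read()))
```

Run it with the path to the CSR file exported from your HSM as the only argument; a result of False names the requirement that failed.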

What’s next

CertCentral takes you to the certificate’s Order # details page, where you can see the status of your certificate order.

Individual identity validation: Document signing for individual certificate

Before issuing your certificate, DigiCert must validate the subject individual on the certificate using one of the following identity verification processes.

  • Remote identity verification (RIV)

    The RIV method allows you to do the identity validation process at your convenience. This method isn't available with all certificate issuance processes.

  • Face-to-face

    The face-to-face method requires you to meet in person with an authorized professional who can verify you’re who you say you are. The professionals authorized to verify your identity differ depending on where you reside.

Complete organization validation: Document Signing for Employee and Organization certificates

DigiCert must verify your authority to order a certificate for the organization on your certificate. To do this, we call a verified phone number to speak with someone representing the certificate requester, such as the organization or technical contact.

To get organization consent for your certificate order:

  • Answer the organization/validation phone call—preferred method.

    When you submit your certificate order, ensure that the organization contact, technical contact, and company receptionist know you’ve ordered a document signing certificate. Let them know DigiCert calls a verified phone number to speak with one of them to finish organization validation/authentication. This phone call usually takes place within 24 hours of the order being placed.

  • Respond to the organization consent message.

    If DigiCert can’t reach someone representing you at the verified phone number, they leave a message with a call-back number and a verification code. Make sure the organization or technical contact responds to the message and provides the verification code.

Certificate issuance

When the validation process is complete, DigiCert issues your certificate.

  • Own supported hardware token

    If you opted to use your own supported hardware token, when the certificate is ready, return to CertCentral and use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.

  • DigiCert-provided hardware token (nonrefundable)

    If you opted to have DigiCert send you a hardware token, we send your token to the mailing address included in your request. You can track your hardware token shipment on your certificate's order details page.

    When you receive the DigiCert-provided hardware token and get the PIN, return to CertCentral and download and install the DigiCert Trust Assistant. Then, when the certificate is ready, use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.

  • Supported hardware security module (HSM)

    If you opted to install your document signing certificate on a supported HSM, the process works as follows:

    • DigiCert sends the certificate requester an agreement email. This email is to verify the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2.

      DigiCert can't issue the certificate unless the requester agrees to the private key protection requirement.

    • DigiCert emails the certificate requester a copy of the certificate.

      You can also download a copy of the certificate from CertCentral.

    • Install the certificate on your HSM. Refer to your HSM vendor instructions.

      To use your certificate, you must install it on the HSM where you generated the private key and certificate signing request (CSR).