Skip to main content

Reissue your EV Code Signing certificate

Reissue an EV Code Signing certificate when you need to update certificate details, change the provisioning method, or replace a certificate with a compromised private key.

Important

All code signing private keys must be stored on hardware certified to FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. See Protect private keys.

Before you begin

  • The organization must have current EV CS — Code Signing Organization Extended Validation in your account. If validation has expired, DigiCert must re-validate the organization before issuing the reissued certificate.

  • A validated EV code signing verified contact must be available to approve the reissue.

  • All code signing private keys must be stored on hardware certified to FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. See Protect private keys and Code signing provisioning methods.

  • For HSM provisioning: generate the private key and CSR on the HSM before submitting the reissue. The CSR must use a minimum RSA 3072-bit or ECC P-256-bit key. Refer to your HSM provider's documentation to generate the CSR.

Reissue an EV code signing certificate

  1. In the CertCentral menu, go to Certificates > Orders.

  2. Select the order number for the code signing certificate to reissue.

  3. On the Order details page, in the Certificate actions menu, select Reissue certificate.

  4. On the Reissue certificate page, select a signature hash. DigiCert recommends SHA-256 unless you have a specific reason to select a different hash.

  5. Under Provisioning options, select a provisioning method.

    The provisioning method determines where the private key and certificate are stored, and what steps are required after issuance. The provisioning method does not need to match the original order. See Code signing provisioning methods for the full list of options and their requirements.

  6. Under Reason for reissue, specify the reason for the reissue.

  7. Select Submit request.

If reissue approval is required, DigiCert emails the code signing verified contacts for the organization. After a verified contact approves the request, DigiCert reissues the certificate.

Notice

Post-issuance steps depend on your provisioning method:

What's next

Download a code signing certificate to download the certificate from CertCentral for HSM installation