Order an EV code signing certificate
Important
The industry has moved the minimum key strength for code signing certificates to RSA 3072-bit.
To comply with the changed industry requirements, DigiCert has changed its code signing certificate process as follows:
Issue only code signing certificates with RSA 3072-bit or larger keys*
Use new RSA and ECC intermediate CA and root certificates to issue code signing and EV code signing certificates
DigiCert supports the following eTokens:
SafeNet eToken 5110 CC for RSA 4096-bit and ECC P-256-bit key certificates.
SafeNet eToken 5110 FIPS for ECC P-256 and P-384-bit key certificates.
SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit key certificates.
SafeNet eToken 5110+ CC (940B) for ECC P-256-bit key certificates.
An HSM must meet the following requirements:
Support key lengths of RSA 3072-bit or ECC P-256-bit or larger
Be a device compliant with FIPS 140-2 Level 2 or higher, or Common Criteria EAL4 or higher
Before you begin
Prevalidate the organization
Prevalidate the organization that will obtain the EV code signing certificate. See Add an organization and Submit an organization for prevalidation.
Generate a CSR (HSM orders only)
If you will install the EV code signing certificate on an HSM device, you must submit a certificate signing request (CSR) with your order.
To maintain security, the certificate must use a key length of RSA 3072-bit or ECC P-256-bit or larger. To create the CSR for your request, see your HSM provider's documentation.
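Before submitting an HSM order, it is worth confirming that the CSR you exported actually carries a key that meets the minimum stated above (RSA 3072-bit or larger, or ECC P-256/P-384); the same minimum applies to the Install on HSM provisioning option later in the form. The following POSIX shell check is an added example, not DigiCert tooling: it relies only on the openssl command line, and the CSRs it generates for self-testing are constructed samples (a real request comes from the HSM).

```shell
#!/bin/sh
# check_csr_key CSR_FILE
# Exit 0 if the CSR's public key meets the EV code signing minimum
# (RSA >= 3072 bits, or EC on P-256 / P-384), 1 if it does not,
# 2 if the CSR cannot be parsed. Added example, not DigiCert's own code.
check_csr_key() {
  # Pull the public key out of the CSR and print it in text form.
  info=$(openssl req -in "$1" -noout -pubkey 2>/dev/null \
         | openssl pkey -pubin -text -noout 2>/dev/null) || return 2
  [ -n "$info" ] || return 2
  case "$info" in
    *"ASN1 OID: prime256v1"*|*"ASN1 OID: secp384r1"*)
      echo "EC key on P-256/P-384: acceptable"; return 0 ;;
    *"ASN1 OID:"*|*"NIST CURVE:"*)
      echo "EC key on a curve other than P-256/P-384: not acceptable"; return 1 ;;
  esac
  # RSA: OpenSSL 1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 prints "Public-Key: (N bit)".
  bits=$(printf '%s\n' "$info" | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] || return 2
  if [ "$bits" -ge 3072 ]; then
    echo "RSA ${bits}-bit key: meets the 3072-bit minimum"; return 0
  fi
  echo "RSA ${bits}-bit key: below the 3072-bit minimum"; return 1
}

# make_test_csr OUT_FILE rsa:BITS|ec:CURVE
# Constructed sample CSRs for self-testing only; the private key is written
# next to the CSR. A production key must be generated on the HSM itself.
make_test_csr() {
  out="$1"; spec="$2"
  case "$spec" in
    rsa:*) openssl req -new -newkey "$spec" -nodes -keyout "$out.key" \
             -subj "/CN=constructed-test" -out "$out" 2>/dev/null ;;
    ec:*)  openssl req -new -newkey ec -pkeyopt "ec_paramgen_curve:${spec#ec:}" \
             -nodes -keyout "$out.key" -subj "/CN=constructed-test" -out "$out" 2>/dev/null ;;
    *)     return 2 ;;
  esac
}

# Stand-alone use: sh check_csr.sh request.csr
if [ "$#" -eq 1 ]; then
  check_csr_key "$1"
fi
```

The check only inspects the public key in the CSR; it cannot tell whether the key was generated inside a FIPS 140-2 Level 2 or Common Criteria EAL4+ HSM, which is what the agreement email in the order form attests to.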
Order an EV code signing certificate
In the left main menu, hover over Request a Certificate. Under Code Signing Certificates, select EV Code Signing.
On the Request EV Code Signing Certificate page, in the For dropdown, select the division to manage the certificate.
The For dropdown only appears if your account uses Divisions.
Certificate settings
Validity period
Select a certificate validity period of 1 year, 2 years, or 3 years.
If needed, you can customize the expiration date or certificate length. However, you cannot exceed the 39-month maximum EV code signing certificate validity.
Auto-renew
To set up automatic renewal for this certificate, check Auto-renew order 30 days before expiration.
When auto-renew is enabled, a new certificate order is submitted automatically as this certificate nears the end of its validity period.
重要
If your certificate still has time remaining before it expires, DigiCert adds the remaining time from your current certificate to your new certificate (up to 39 months).
Organization
Select Add organization. The organization name will appear on the EV code signing certificate.
In the Add organization window, do one of the following:
Add an existing organization.
Select An existing organization.
In the dropdown, select the organization and then select Add.
If you choose an organization not validated for EV code signing certificates, or if the organization's EV code signing validation has expired, DigiCert must validate the organization for EV code signing before we can issue your certificate.
Organization and technical contacts.
DigiCert automatically adds the contacts assigned to the organization to the request form. To see the organization and technical contacts, select Show organization contacts.
Verified contacts.
DigiCert automatically adds the assigned contacts to the request form if the organization has EV code signing verified contacts. To view, change selections, or add verified contacts, expand Verified contacts.
The Add contacts popup window opens if the organization has not assigned EV code signing verified contacts. In this window, you can add yourself, a user in your account, or a new contact as a verified contact. See Verified contacts below.
Add a new organization.
Select A new organization and select Next.
Under Organization address details, enter your organization's legal name, assumed name (optional), address, and phone number.
DigiCert must validate the organization for EV code signing before we can issue your certificate.
When ready, select Add.
Add an organization contact.
In the Add organization window, add yourself or someone else from your account, or create a new organization contact.
重要
The organization contact is whom we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization.
They may also receive the following notifications:
Order status updates for certificates requested for their organization.
Domain status updates for domains associated with their organization.
Add yourself as the organization contact.
Select Add me as the organization contact and then select Add or Next.
If we have all your information, you will select Add.
If we need more information, you will select Next, enter the missing information, and then select Add.
Add someone else as the organization contact.
Select Add someone else as the organization contact. Then in the Add contact dropdown, select the contact or user and then select Add or Next.
If we have the needed user information, you will select Add.
If we need more user information, you will select Next, enter the missing information, and then select Add.
Create new contact.
Select Add someone else as the organization contact.
In the Add contact dropdown, select Create new contact and then select Next.
Enter the needed user information and then select Add.
Technical contact for the organization (optional)
We may contact a technical contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.
Add yourself as the technical contact.
Select Add me as the technical contact for the organization and then select Add or Next.
If we have all your information, you will select Add.
If we need more information, you will select Next, enter the missing information, and then select Add.
Add someone else as the technical contact.
Select Add someone else as the technical contact for the organization. Then in the Add contact dropdown, select the contact or user and then select Add or Next.
If we have the needed user information, you will select Add.
If we need more user information, you will select Next, enter the missing information, and then select Add.
Create new contact.
Select Add someone else as the technical contact for the organization.
In the Add contact dropdown, select Create new contact and then select Next.
Enter the needed user information and then select Add.
Verified contacts
A verified contact must represent the organization included in your certificate request. At least one EV code signing verified contact is required.
To view, change selections, or add verified contacts, expand Verified contacts.
Select verified contacts.
If the organization has multiple EV code signing verified contacts, you can select who receives the EV code signing order approval email.
DigiCert sends the approval email to all selected, verified contacts, but only one needs to approve your order. Once the order is approved, DigiCert can issue your certificate. Selecting multiple verified contacts increases the likelihood of your order being approved quickly.
Add a verified contact.
When adding a new verified contact, we will contact the organization directly to verify the individual's name, email, phone number, job title, and authority. Only after DigiCert validates a verified contact can they approve EV code signing orders for the organization.
Add yourself as the verified contact.
Select Add me as a verified contact for the organization and then select Add or Next.
If we have all your information, you will select Add.
If we need more information, you will select Next, enter the missing information, and then select Add.
Add someone else as the verified contact.
Select Add someone else as the verified contact for the organization. Then in the Add contact dropdown, select the contact or user and then select Add or Next.
If we have the needed user information, you will select Add.
If we need more user information, you will select Next, enter the missing information, and then select Add.
Create new contact.
Select Add someone else as the verified contact for the organization.
In the Add contact dropdown, select Create new contact and then select Next.
Enter the needed information and then select Add.
Additional emails
Enter the email addresses, separated by commas, of the people who should receive certificate notification emails, such as certificate issued and certificate renewal notices.
Depending on your account settings, your administrator may require you to include at least one additional email.
Additional certificate options
The information below is optional. None of it is required to issue your EV code signing certificate.
Organization unit
Adding an organization unit is optional. You can leave the box on the form empty.
Provisioning options
The provisioning method refers to where you will store the private key and certificate. For the security of your EV Code Signing certificate, the certificate must be installed on and used from an approved device.
Select the storage device for your EV Code Signing certificate and its private key.
DigiCert-provided hardware token (nonrefundable)
DigiCert ships a secure token with instructions for installing the certificate on your token so you can start signing code.
Then, under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.
Use existing token
After DigiCert issues your EV code signing certificate, install the certificate on your token.
In the Platform dropdown, select the type of hardware token on which you plan to install your EV Code Signing certificate:
SafeNet eToken 5110 CC (940) for RSA 4096-bit and ECC P-256-bit or higher key certificates.
SafeNet eToken 5110 FIPS for ECC P-256 and P-384-bit key certificates.
SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit or higher key certificates.
SafeNet eToken 5110+ CC (940B) for ECC P-256-bit key certificates.
重要
You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device listed above. You cannot install the certificate on any device not on the list.
Need an approved token?
Please select DigiCert-provided hardware token to have a token shipped to you. If you have questions, please contact DigiCert Support.
Install on HSM
After DigiCert issues your EV code signing certificate, install it on the HSM where you generated the private key and CSR.
Select Yes under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM?
Note that we will send the certificate requester an agreement email. This email confirms that the private key is stored on an HSM certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. DigiCert will only issue the certificate after the requester agrees to the private key protection requirement.
重要
You must have a FIPS 140-2 Level 2, Common Criteria EAL4+, or equivalent hardware security module (HSM) that supports at least 3072-bit keys.
Don't have a compatible HSM?
Please select a different provisioning method. If you have questions, please contact DigiCert Support.
DigiCert KeyLocker (Cloud HSM)
KeyLocker is an automated cloud storage service where you can store your private key and code signing certificate. Access them anytime from anywhere to sign your code. Learn more.
DigiCert also offers Software Trust Manager, an enterprise-level code signing solution. Contact your account representative to determine if your organization could benefit from Software Trust Manager. Learn more.
Additional order options
The information below is optional. None of it is required to issue your certificate.
Comments to Administrator (optional)
Enter any information your administrator might need to approve your request, such as the purpose of the certificate.
Additional renewal message
To create a renewal message for this certificate, enter a message containing information relevant to renewing the certificate.
Payment information
Select a payment method
Under Payment information, select the payment method to pay for the certificate.
Bill to credit card
If you don't have a contract, or don't want to use your contract to pay for this certificate, pay for the certificate with a credit card.
DigiCert authorizes the card when the request is submitted. However, the transaction is completed only after the certificate is issued.
If you have a contract enabled, check Exclude from contract terms.
Bill to account balance
If you don't have a contract, or don't want to use your contract to pay for this certificate, bill the cost to your account balance.
To deposit funds, click the Deposit Funds link. This link opens a different page in your CertCentral account; the information you entered on the request form is not saved.
If you have a contract enabled, check Exclude from contract terms.
Pay according to contract terms
If you have a contract and want to use it to pay for the certificate, select this option. When you have a contract, this is the default payment method.
Certificate Services Agreement
Read through the agreement, and then check I agree to the Certificate Services Agreement.
Click Submit Certificate Request.
Selecting Submit Certificate Request also means you agree to all the terms and conditions in the Master Services Agreement.
Next steps
DigiCert recommends that developers take precautions with the code signing process and protect the private key associated with their signing certificate. See Protect private keys: Code signing best practices.