Industry moved to RSA 3072-bit key minimum for code signing certificates
To comply with industry changes, DigiCert has made the following changes to our code signing certificate process:
eToken and HSM changes
DigiCert supports two eTokens:
*Note: All existing 2048-bit key code signing certificates issued before June 1, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
In the left main menu, hover over Request a Certificate. Under Code Signing Certificates, select EV Code Signing. Fill out the Request an EV Code Signing Certificate form and submit it.
In the dropdown, select the organization you are ordering the EV Code Signing certificate for. The organization name will appear on the EV code signing certificate.
Adding an organization unit is optional. You can leave this box in the form blank.
If you include an organization unit in your order, DigiCert must validate it before your certificate can be issued.
Unless you have a specific reason for choosing a different signature hash, DigiCert recommends using the default signature hash: SHA-256.
Select a validity period for the certificate: 1 year, 2 years, or 3 years.
Additional Renewal Message
To create a renewal message for this certificate, type a message with information relevant for the certificate’s renewal.
Enter the email addresses (comma separated) for the people you want to receive the certificate notification emails, such as certificate issuance, certificate renewals, etc.
To set up automatic renewal for this certificate, check Auto-renew order 30 days before expiration.
With auto-renew enabled, a new certificate order will be automatically submitted when the certificate nears its expiration date. If your certificate still has time remaining before it expires, DigiCert adds the remaining time from your current certificate to your new certificate (up to 39 months).
Preconfigured Hardware Token
DigiCert installs your EV CS certificate on a secure token and ships the token to you with instructions for how to activate it. See Currently Supported eTokens.
Next, select a Shipping Method (Standard or Expedited). Then, add your shipping information: your name and the address you want us to send the token to.
Use Existing Token
After DigiCert issues your EV CS certificate, you need to install the certificate on your token.
In the Platform dropdown, select the type of hardware token you plan to install your EV CS certificate on.
You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device. See Currently Supported eTokens.
Install on HSM
After DigiCert issues your EV CS certificate, install it on your HSM device.
Select Payment Method
Under Payment Information, select a payment method to pay for the certificate:
Certificate Services Agreement
Read through the agreement and check I agree to the Certificate Services Agreement.
Click Submit Certificate Request.
Before your certificate can be issued, we need to validate your authority to order a certificate for the organization on your EV code signing certificate. A validation agent will call a verified phone number to speak with someone who represents you (the certificate requestor) and can confirm your authority:
To complete the organization consent for your certificate order:
After DigiCert completes all validation required for your order, we send the EV CS verified contacts for the organization an email informing them that they need to approve the EV code signing certificate request. Only after we receive the approval, can we continue processing your order.
Once the validation process is complete, we will issue your certificate.