Order an EV code signing certificate

Industry moved to RSA 3072-bit key minimum for code signing certificates

To comply with industry changes, DigiCert has made the following changes to our code signing certificate process:

  • Only issues RSA 3072-bit key or larger code signing certificates*
  • Uses new intermediate CA and root certificates to issue our code signing and EV code signing certificates: RSA and ECC

eToken and HSM changes

DigiCert supports two eTokens:

  • 5110 CC for RSA 4096-bit and ECC P-256-bit key certificates
  • 5110 FIPS for ECC P-256 and P-384-bit key certificates

HSMs must:

  • Support RSA 3072-bit or ECC P-256-bit key sizes or larger
  • Be FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant devices

*Note: All existing 2048-bit key code signing certificates issued before June 1, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

Learn more about the change to 3072-bit key code signing certificates.

Before you begin

  • Prevalidate organization
    Prevalidate the organization you want to get an EV Code Signing certificate for. See Add an organization and Submit an organization for prevalidation.
    For an organization to appear on the Request an EV Code Signing Certificate order form, you must first submit the organization for prevalidation.
  • Generate CSR (HSM orders only)
    If you will install your EV Code Signing certificate on an HSM device, you must submit a certificate signing request (CSR) with your order.
    To remain secure, certificates must use an RSA 3072-bit or ECC P-256-bit key size or larger. Refer to your HSM provider's documentation to create the CSR for your request.
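
A pre-submission check for the key-size requirement above, as an added example that is not DigiCert's code: it reads the SubjectPublicKeyInfo from a PEM CSR using only the Python standard library and compares the key against the RSA 3072-bit and ECC P-256 minimums. All function names are hypothetical; `sample_rsa_csr` builds a constructed, CSR-shaped input with placeholder key bytes and signature, and the check does not verify the CSR's signature.

```python
import base64

OID_RSA = bytes.fromhex("2a864886f70d010101")        # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")             # id-ecPublicKey
CURVES = {bytes.fromhex("2a8648ce3d030107"): 256, bytes.fromhex("2b81040022"): 384}  # P-256, P-384

def seq(buf):
    """Parse consecutive DER elements in buf into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                            # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def csr_key_info(pem):
    """Return (algorithm, bits) for the public key in a PEM PKCS#10 CSR."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    # CertificationRequest -> CertificationRequestInfo -> its fields
    info = seq(seq(seq(base64.b64decode(b64))[0][1])[0][1])
    alg, key = seq(info[2][1])                       # SubjectPublicKeyInfo
    oid, *params = seq(alg[1])
    if oid[1] == OID_RSA:                            # BIT STRING = 00 || RSAPublicKey
        modulus = seq(seq(key[1][1:])[0][1])[0][1]
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if oid[1] == OID_EC and params and params[0][1] in CURVES:
        return "ECC", CURVES[params[0][1]]
    raise ValueError("unsupported key algorithm")

def meets_minimum(pem):  # True for RSA >= 3072 bits or ECC P-256 or larger
    alg, bits = csr_key_info(pem)
    return bits >= (3072 if alg == "RSA" else 256)

def der(tag, val):  # DER encoder, used only to build the constructed sample
    k = (len(val).bit_length() + 7) // 8
    head = bytes([len(val)]) if len(val) < 128 else bytes([0x80 | k]) + len(val).to_bytes(k, "big")
    return bytes([tag]) + head + val

def sample_rsa_csr(bits):
    """Constructed CSR-shaped PEM; modulus and signature are placeholders."""
    key = der(0x30, der(2, b"\x00" + b"\xc1" * (bits // 8)) + der(2, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(6, OID_RSA) + der(5, b"")) + der(3, b"\x00" + key))
    cri = der(0x30, der(2, b"\x00") + der(0x30, b"") + spki + der(0xA0, b""))
    body = base64.b64encode(der(0x30, cri + der(0x30, der(6, OID_RSA)) + der(3, b"\x00")))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body.decode()}\n-----END CERTIFICATE REQUEST-----"
```

Call `meets_minimum()` on the CSR text exported from your HSM before pasting it into the order form; a 2048-bit RSA request returns `False`.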

Order your EV Code Signing certificate

In the left main menu, hover over Request a Certificate. Under Code Signing Certificates, select EV Code Signing. Fill out the Request an EV Code Signing Certificate form and submit it.

Certificate Settings

  1. Organization

    In the dropdown, select the organization you are ordering the EV Code Signing certificate for. The organization name will appear on the EV code signing certificate.

  1. Organization Unit

    Adding an organization unit is optional. You can leave this box in the form blank.

If you include an organization unit in your order, DigiCert must validate it before your certificate can be issued.

  1. Signature Hash

    Unless you have a specific reason for choosing a different signature hash, DigiCert recommends using the default signature hash: SHA-256.

  1. Validity period

    Select a validity period for the certificate: 1 year, 2 years, or 3 years.

  1. Additional Renewal Message

    To create a renewal message for this certificate, type a message with information relevant for the certificate’s renewal.

  1. Additional Emails

    Enter the email addresses (comma separated) for the people you want to receive the certificate notification emails, such as certificate issuance, certificate renewals, etc.

  1. Auto-renew

    To set up automatic renewal for this certificate, check Auto-renew order 30 days before expiration.

    With auto-renew enabled, a new certificate order will be automatically submitted when the certificate nears its expiration date. If your certificate still has time remaining before it expires, DigiCert adds the remaining time from your current certificate to your new certificate (up to 39 months).

Provision Options

  1. Preconfigured Hardware Token

    DigiCert installs your EV CS certificate on a secure token and ships the token to you with instructions for how to activate it. See Currently Supported eTokens.

    Next, select a Shipping Method (Standard or Expedited). Then, add your shipping information: your name and the address you want us to send the token to.

  1. Use Existing Token

    After DigiCert issues your EV CS certificate, you need to install the certificate on your token.

    In the Platform dropdown, select the type of hardware token you plan to install your EV CS certificate on.

You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device. See Currently Supported eTokens.

  1. Install on HSM

    After DigiCert issues your EV CS certificate, install it on your HSM device.

    1. In the Select Platform dropdown, select the type of HSM device you plan to install your EV CS certificate on.
    2. Upload or paste your CSR in the Add Your CSR box.

Payment Information

  1. Select Payment Method

    Under Payment Information, select a payment method to pay for the certificate:

    1. Bill to Credit Card
      Don’t have a contract or don’t want to use the contract to pay for this certificate? Use a credit card to pay for the certificate.
      We authorize the card when the request is made. However, we only complete the transaction once we issue your certificate.
      If you have a contract enabled, check Exclude from contract terms.
    2. Bill to Account Balance
      Don’t have a contract or don’t want to use the contract to pay for this certificate? Bill the cost to your account balance.
      To deposit funds, click the Deposit link. This link takes you to another page inside your CertCentral account. Any information entered in the request form will not be saved.
      If you have a contract enabled, check Exclude from contract terms.
    3. Pay with Contract Terms
      Have a contract and want to use it to pay for the certificate? When you have a contract, it is the default payment method.
  1. Certificate Services Agreement

    Read through the agreement and check I agree to the Certificate Services Agreement.

  1. Click Submit Certificate Request.

What's next

Complete organization validation

Before your certificate can be issued, we need to validate your authority to order a certificate for the organization on your EV code signing certificate. A validation agent will call a verified phone number to speak with someone who represents you (the certificate requestor) and can confirm your authority:

  • Human resources
  • Manager
  • Technical contact

To complete the organization consent for your certificate order:

  • Answer the organization validation phone call (preferred method)
    After you submit your certificate order, make sure the organization contact, technical contact, and company receptionist are aware you’ve ordered an EV code signing certificate. Let them know that DigiCert will call a verified phone number to speak with one of them to make sure you have permission to order this certificate. This call usually takes place within 24 hours of the certificate order being placed.
  • Respond to the organization consent message
    If the DigiCert validation agent can’t reach someone who represents you at the verified phone number, they will leave a message that includes a callback phone number and a verification code. Make sure that the organization or technical contact responds to the message and provides the verification code.
  • Schedule a time for a call back through the verified phone number
    If the DigiCert validation agent can’t reach someone who represents you at the verified phone number, they may send you an email to schedule a time for us to call back to complete the verification. You may use this link to schedule a time when the representative will be available to answer the call: https://digicert.simplybook.me/v2/#book.
    Appointments display in your local time. You don't need to convert the time.

Order approval

After DigiCert completes all validation required for your order, we send the EV CS verified contacts for the organization an email informing them that they need to approve the EV code signing certificate request. We can continue processing your order only after we receive the approval.

Certificate issuance

Once the validation process is complete, we will issue your certificate.