Reissue your Code Signing certificate

Learn how to reissue your Code Signing certificate

Industry moved to RSA 3072-bit key minimum for code signing certificates

To comply with industry changes, DigiCert has made the following changes to our code signing certificate process:

  • Only issues RSA 3072-bit key or larger code signing certificates*
  • Uses new intermediate CA and root certificates to issue our code signing and EV code signing certificates: RSA and ECC

eToken and HSM changes

DigiCert supports two eTokens:

  • 5110 CC for RSA 4096-bit and ECC P-256-bit key certificates
  • 5110 FIPS for ECC P-256 and P-384-bit key certificates

HSM must

  • Support RSA 3072-bit or ECC P-256-bit keys sizes or larger
  • Be FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant devices

*Note: All existing 2048-bit key code signing certificates issued before June 1, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

Learn more about the change to 3072-bit key code signing certificates.

Before you begin

If you are reissuing your Code Signing (CS) certificate for the Sun Java platform, you must submit a certificate signing request (CSR) with your request. However, you can include a CSR with your request for any platform.

To remain secure, certificates must use an RSA 3072-bit or ECC P-256-bit key size or larger. To find instructions about creating a CSR for different operating systems and platforms, see Create CSR for a code signing certificate request.

Reissue your CS certificate

  1. In your CertCentral account, in the left main menu, click Certificate > Orders.

  1. On the Orders page, click the order number link for the Code Signing certificate you want to reissue.

  1. On the Order details page, in the Certificate Actions dropdown, select Reissue Certificate.

  1. Add Your CSR

    Upload or paste your CSR in the Add Your CSR box.

The Sun Java Platform is the only platform that requires you to submit a CSR with your request. For all other platforms, submitting a CSR is optional.

  1. Signature Hash

    Unless you have a specific reason for choosing a different signature hash, DigiCert recommends using the default signature hash: SHA-256.

  1. Server Platform

    Select the platform you want to use your reissued certificate with.

  1. Reason for Reissue

    Specify the reason for the certificate reissue.

  1. Click Request Reissue.

What's next

An approval for your CS certificate reissue may be required. If an approval is required, the CS verified contact for the organization is sent an email informing them that they need to approve the certificate reissue request. Once we receive their approval, we'll reissue your Code Signing certificate.

After we reissue your certificate, you'll need to install it. See our Install a Code Signing certificate instructions.