Renew a code signing certificate

Code signing certificate renewal made easy

Need to renew your DigiCert Code Signing certificate? Follow the steps below to renew your certificate.

Industry moved to RSA 3072-bit key minimum for code signing certificates

To comply with industry changes, DigiCert has made the following changes to our code signing certificate process:

  • Only issues RSA 3072-bit key or larger code signing certificates*
  • Uses new intermediate CA and root certificates to issue our code signing and EV code signing certificates: RSA and ECC

eToken and HSM changes

DigiCert supports two eTokens:

  • 5110 CC for RSA 4096-bit and ECC P-256-bit key certificates
  • 5110 FIPS for ECC P-256 and P-384-bit key certificates

HSM must

  • Support RSA 3072-bit or ECC P-256-bit keys sizes or larger
  • Be FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant devices

*Note: All existing 2048-bit key code signing certificates issued before June 1, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

Learn more about the change to 3072-bit key code signing certificates.

STEP 1: Generate a new CSR (optional)

If a certificate signing request (CSR) is required for your renewal order, best practice is to generate a new CSR when renewing a certificate. To remain secure, certificates must use an RSA 3072-bit or ECC P-256-bit key size or larger.

Code signing

  • Required: The Sun Java Platform is the only platform you are required to submit a CSR for.
  • Optional: For all other platforms, a CSR is not required. However, you can submit a CSR for any platform.

EV code signing

  • Required: If you are installing the certificate on an HSM, a CSR is required.

STEP 2: Sign into your account

Sign in to your CertCentral account.

STEP 3: Fill out the renewal form

Fill out the certificate renewal order form.

Note: After you submit the renewal order, DigiCert will perform a quick cross-check verification. If your organization’s information was changed in the CSR, you may need to provide new documentation to verify the changes.

CertCentral

  1. In the left main menu, click Certificates > Expiring Certificates.
  2. On the Expiring Certificates page, next to the certificate that needs to be renewed, click Renew Now.

A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.

STEP 4: DigiCert issues the code signing certificate

Once approved, we send an email to the certificate contact with certificate installation instructions.

If you submitted a CSR, we send the renewed certificate to the certificate contact in an email. You can also download the renewed certificate in your CertCentral account.

STEP 5: Install your renewed certificate

Use the instructions in the email to install and configure the new certificate. If you submitted a CSR, on your server or HSM, install the new certificate.

For more information about installing code signing and EV code signing certificates, see our Code Signing Support page.

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.