Skip to main content

Reissue your Code Signing certificate

Reissue an EV Code Signing certificate when you need to update certificate details, change the provisioning method, or replace a certificate with a compromised private key.

Important

All code signing private keys must be stored on hardware certified to FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. See Protect private keys.

Before you begin

  • The organization must have current EV CS — Code Signing Organization Extended Validation in your account. If validation has expired, DigiCert must revalidate the organization before issuing the reissued certificate.

  • A validated EV code signing verified contact must be available to approve the reissue.

  • All code signing private keys must be stored on hardware certified to FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. See Protect private keys and Code signing provisioning methods.

  • For HSM provisioning: generate the private key and CSR on the HSM before submitting the reissue. The CSR must use a minimum RSA 3072-bit or ECC P-256-bit key. Refer to your HSM provider's documentation to generate the CSR.

Reissue an EV code signing certificate

  1. In the CertCentral menu, go to Certificates > Orders.

  2. Select the order number for the code signing certificate to reissue.

  3. On the Order details page, in the Certificate actions menu, select Reissue certificate.

  4. On the Reissue certificate page, select a signature hash. DigiCert recommends SHA-256 unless you have a specific reason to select a different hash.

  5. Under Provisioning options, select a provisioning method.

    The provisioning method does not need to match the original order. See Code signing provisioning methods for the full list of options and their requirements.

  6. Under Reason for reissue, specify the reason for the reissue.

  7. Select Submit request.

If reissue approval is required, DigiCert emails the code signing verified contacts for the organization. After a verified contact approves the request, DigiCert reissues the certificate.

Notice

Post-issuance steps depend on your provisioning method:

  • DigiCert-provided hardware token: DigiCert installs the certificate on the token and ships it to the address provided during the request.

  • Own supported hardware token: Download the certificate from your CertCentral account and install it on your token.

  • HSM: Download the certificate from your CertCentral account and install it on the HSM. See Download a code signing certificate.

What's next

Renew your code signing certificate to renew an expiring Code Signing or EV Code Signing certificate order

In deze sectie: