
Renew your document signing individual, employee or group certificate

Learn how to renew your Document Signing for Individual, Business – Employee, or Business – Group certificate.

Before you begin

Organization validation

Are you renewing a Document Signing for Business – Employee or Document Signing for Business – Group certificate?

Make sure the organization validation for the organization included in your certificate is still valid. Note that organization validation is valid for 825 days.

If the organization validation has expired, use one of the following options to validate your organization:

  • Prevalidate the organization

    CertCentral features an organization prevalidation process that allows you to validate your organization before ordering certificates. Completing the organization validation ahead of time allows for quicker certificate issuance. See Submit an organization for prevalidation.

  • Validate the organization as part of the order process

    If you add a new organization or an organization with expired DS - Document Signing Validation, DigiCert will complete the organization validation as part of the renewal process.

Key provisioning option: Hardware security module (HSM)

Are you installing your document signing certificate on an HSM device?

With this option, you must use your own Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM and submit a certificate signing request (CSR) with your renewal.

Generate the private key on your HSM and add the certificate signing request (CSR) to your renewal request. Refer to your HSM vendor instructions for generating the CSR.

Document Signing certificates support the following algorithms and key lengths:

  • RSA 2048, 3072, and 4096

  • ECC P-256 and P-384
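A pre-submission check for the CSR described above, as an added example that is not part of DigiCert's documentation: it uses the OpenSSL command line to confirm that the CSR's self-signature verifies and that its public key is one of the listed types. The function names and the sample subject are assumptions, and the sample CSRs are constructed with software keys for demonstration only; a real CSR is exported from your HSM.

```bash
#!/usr/bin/env bash
# Added example (not DigiCert code): vet a CSR before attaching it to a renewal.

# csr_key_type FILE: print "RSA-<bits>" or "EC-<curve OID name>" for the CSR's public key.
csr_key_type() {
    local text alg
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        rsaEncryption)
            # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)"; 3.x prints "Public-Key: (N bit)".
            printf 'RSA-%s\n' "$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p' | head -n 1)" ;;
        id-ecPublicKey)
            printf 'EC-%s\n' "$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)" ;;
        *)  printf 'OTHER-%s\n' "$alg" ;;
    esac
}

# check_csr FILE: succeed only if the self-signature verifies and the key is
# RSA 2048/3072/4096, ECC P-256 (prime256v1) or ECC P-384 (secp384r1).
check_csr() {
    local kt
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "REJECT: self-signature did not verify"; return 1; }
    kt=$(csr_key_type "$1") || { echo "REJECT: not a readable CSR"; return 1; }
    case "$kt" in
        RSA-2048|RSA-3072|RSA-4096|EC-prime256v1|EC-secp384r1) echo "OK: $kt" ;;
        *) echo "REJECT: unsupported key type $kt"; return 1 ;;
    esac
}

# make_sample_csr ALG KEYOPT OUT: constructed test input only. It uses a throwaway
# software key; a production key is generated inside the HSM with vendor tooling.
make_sample_csr() {
    local key rc
    key=$(mktemp)
    openssl genpkey -algorithm "$1" -pkeyopt "$2" -out "$key" 2>/dev/null &&
        openssl req -new -key "$key" -subj "/CN=Constructed Sample Signer" -out "$3" 2>/dev/null
    rc=$?
    rm -f "$key"
    return $rc
}

# Demo on constructed CSRs: one supported key type, one unsupported (P-521).
demo_dir=$(mktemp -d)
make_sample_csr EC ec_paramgen_curve:prime256v1 "$demo_dir/p256.csr" && check_csr "$demo_dir/p256.csr"
make_sample_csr EC ec_paramgen_curve:secp521r1 "$demo_dir/p521.csr" && check_csr "$demo_dir/p521.csr" || true
rm -rf "$demo_dir"
```

Run `check_csr` on the CSR file your HSM tooling exports; it reads only the request and never touches the private key.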

Renew your document signing certificate

  1. In CertCentral, in the left menu, go to Certificates > Orders.

  2. On the Orders page, select the Order # of the document signing certificate you want to renew.

  3. On the Order details page, in the Certificate actions menu, select Renew.

  4. On the certificate's Renew page, update the renewal form as needed, including selecting a new provisioning method if required.

  5. Provisioning methods

    The provisioning method refers to where you will store the certificate and its private key. For the security of your Document Signing certificate, the certificate must be installed on and used from an approved device.

    Select the key provisioning method for your document signing certificate.

    • DigiCert-provided hardware token (nonrefundable)

      Under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.

      DigiCert ships a hardware token with instructions for installing the certificate.

    • Use existing token

      After DigiCert issues your document signing certificate, install the certificate on your own hardware token.

      You can only install your certificate on a DigiCert-supported hardware token:

      • SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size only

      • SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096, and ECC P-256 and P-384 key sizes

    • Install on an HSM

      Under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM, select Yes.

      • DigiCert sends the certificate requestor an agreement email. This email ensures that a private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM, or equivalent.

      • Only after the requestor agrees to the private key protection requirement can DigiCert issue the certificate.

      • After DigiCert issues your document signing certificate, install it on the hardware security module (HSM) where you generated the private key and CSR.

  6. When ready, select Submit request.

What’s next

CertCentral takes you to the certificate’s Order # details page, where you can see the status of your certificate order.

Complete the individual identity validation: Document Signing for Individual certificate

Before issuing your certificate, DigiCert must validate the subject individual on the certificate using one of the identity verification processes below.

  • Remote Identity Verification (RIV)

    The RIV method allows you to complete the identity validation process at your convenience. Only available with some certificate issuance processes.

  • Face-to-face

    The face-to-face method requires you to meet in person with an authorized professional who can verify you are who you say you are. The professionals authorized to verify your identity differ depending on where you reside.

Complete organization validation: Document Signing for Business – Employee and Business – Group certificates

DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we will call a verified phone number to speak with someone representing you, the certificate requestor, such as the organization or technical contact.

To get organization consent for your certificate order:

  • Answer the organization/validation phone call—preferred method*.

    • After you submit your certificate order, ensure that the organization contact, technical contact, and company receptionist know you’ve ordered a Document Signing for Business – Employee or Business – Group certificate.

    • Let them know DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication.

    • This phone call usually takes place within 24 hours of the order being placed.

  • Respond to the organization consent message.

    • If the DigiCert validation agent can’t reach someone representing you at the verified phone number, they will leave a message with a call-back phone number and a verification code.

    • Make sure that the organization or technical contact responds to the message and provides the verification code.

Certificate issuance

Once the validation process is complete, we will issue your certificate.

  • Own supported hardware token

    If you opted to use your own supported hardware token, when the certificate is ready, return to CertCentral and use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.

  • DigiCert-provided hardware token (nonrefundable)

    If you opted to have DigiCert send you a hardware token, we ship your token to the shipping address included in your request. You can track your hardware token shipment on your certificate's order details page.

    After receiving the DigiCert-provided hardware token and getting the PIN, return to CertCentral and download and install the DigiCert Trust Assistant. Then, when the certificate is ready, use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.

  • Supported hardware security module (HSM)

    If you opted to install your document signing certificate on a supported HSM, the process works as follows:

    • DigiCert sends the certificate requestor an agreement email to verify that the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM or equivalent.

      DigiCert can only issue the certificate after the requestor agrees to the private key protection requirement.

    • DigiCert emails the certificate requestor a copy of the certificate.

      You can also download a copy of the certificate from CertCentral.

    • Install the certificate on your HSM. Refer to your HSM vendor instructions.

      You can only use your certificate when installed on the computer/device where you generated the CSR and securely stored your private key.
