重新發行 EV Code Signing 憑證

瞭解如何重新發行您的 Extended Validation (延伸驗證，EV) Code Signing 憑證

Important

業界轉移到適用於代碼簽署憑證的基本 RSA 3072 位元金鑰

為了因應業界的變更，DigiCert 對我們的代碼簽署憑證程序做出以下的變更：

僅發行 RSA 3072 位元金鑰或更大的代碼簽署憑證*
使用新的中繼 CA 和根憑證發行代碼簽署和 EV 代碼簽署憑證：RSA 和 ECC

DigiCert 支援兩種 eToken：

適用於 RSA 4096 位元和 ECC P-256 位元憑證的 5110 CC
適用於 ECC P-256 和 P-384 位元憑證的 5110 FIPS
SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit key certificates.
SafeNet eToken 5110+ CC (940B) ECC P-256-bit key certificates.

HSM 必須：

支援 RSA 3072 位元或 ECC P-256 位元大小或更大的金鑰
是 FIPS 140-2 Level 2+ 或 Common Criteria EAL4+ 相容裝置

瞭解更多有關 3072 位元金鑰代碼簽署憑證的變更的資訊。

在您開始前

Are you reissuing your EV Code Signing certificate for an HSM device?

如果您正在重新發行您用於 HSM 裝置的 EV Code Signing 憑證，您必須連同您的要求提交憑證簽署要求 (CSR)。為了保持安全，憑證必須使用 RSA 3072 位元或 ECC P-256 位或更大的金鑰。若要建立適用於您的要求的 CSR，請參閱您的 HSM 供應商的文件。

為了保持安全，憑證必須使用至少 2048 位元大小的金鑰。若要建立適用於您的要求的 CSR，請參閱您的 HSM 供應商的文件。

重新發行您的 EV CS 憑證

在您的 CertCentral 帳戶的左側主功能表中，前往憑證 > 訂單。
在「訂單」頁面上的訂單編號欄中，按一下用於您要重新發行的 EV Code Signing 憑證的快速檢視連結。
在訂單編號詳細資料面板中 (在右側)，按一下重新發行憑證。
僅 HSM 裝置 – 如果您正在使用安全權杖，請跳到步驟 5。
1. 簽署雜湊
  若您沒有選擇不同簽章雜湊的特定原因，DigiCert 建議使用預設的簽章雜湊：SHA-256。
2. Provisioning method
  The provisioning method refers to where you will store the private key and certificate. For the security of your EV Code Signing certificate, the certificate must be installed on and used from an approved device.
  Select the storage device for your EV Code Signing certificate and its' private key.
  - DigiCert-provided hardware token (nonrefundable)
    DigiCert ships you a secure token with instructions for installing the certificate on your token, so you can start signing code.
    Then, under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.
  - Use existing token
    After DigiCert issues your EV code signing certificate, you need to install the certificate on your token.
    In the Platform dropdown, select the type of hardware token on which you plan to install your EV Code Signing certificate:
    SafeNet eToken 5110 CC (940) for RSA 4096-bit and ECC P-256-bit or higher key certificates.
    SafeNet eToken 5110 FIPS for ECC P-256 and P-384-bit key certificates.
    SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit or higher key certificates.
    SafeNet eToken 5110+ CC (940B) for ECC P-256-bit key certificates.
    Important
    You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device listed above. You cannot install the certificate on any device not on the list.
    Need an approved token?
    Please select DigiCert-provided hardware token to have a token shipped to you. If you have questions, please contact DigiCert Support.
  - Install on HSM
    After DigiCert issues your EV code signing certificate, install it on the HSM where you generated the private key and CSR.
    Select Yes under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM?
    Note that we will send the certificate requestor an agreement email. This email is to ensure that a private key is stored on an HSM that is certified as FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. DigiCert will only issue the certificate after the requester agrees to the private key protection requirement.
  Important
  You must have a FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent hardware security module (HSM) that supports at least 3072-bit keys.
  Select a different provisioning method if you don't have a compatible HSM. If you have any questions, please contact DigiCert Support.
3. Reason for reissue
  In the box, enter the reason for the certificate reissue.
按一下要求重新發行。

下一步是什麼

Approval for your EV Code Signing certificate reissue may be required

If a reissue approval is required, we email the EV Code Signing verified contacts for the organization, informing them that they need to approve the certificate reissue request. Once we receive their approval, we'll reissue your EV Code Signing certificate.

Certificate issuance

Once the validation is complete and the order is verified-contact approved, we will issue your certificate. Then you can install your certificate on your hardware token or HSM.

DigiCert-provided hardware token (nonrefundable)
If you opted to have DigiCert send you a secure token, we ship your token with instructions for installing the certificate on your token, so you can start signing code. See our knowledge base article for Installing your DigiCert® Code Signing Certificate onto a Secure Token.
Your own supported hardware token
If you opted to use your own supported secure token, see our knowledge base article for Installing your DigiCert® Code Signing Certificate onto a Secure Token.
A supported HSM device
If you opted to install your EV code signing certificate on a supported HSM, download the certificate from your CertCentral account to install it on the HSM. See Download a code signing certificate from your account.