Skip to main content

重新發行您的 Code Signing 憑證

瞭解如何重新發行您的 Code Signing 憑證

New private key storage requirements

On May 30, 2023, DigiCert updated our private key storage requirements for code signing certificate private keys, per industry standards. All private keys for code signing certificates must be stored on hardware certified as FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent.

For more information, see our knowledge base articles:

在您開始前

Important

業界轉移到適用於代碼簽署憑證的基本 RSA 3072 位元金鑰

為了因應業界的變更,DigiCert 我們的代碼簽署憑證程序做出以下的變更:

  • 僅發行 RSA 3072 位元金鑰或更大的代碼簽署憑證*

  • 使用新的中繼 CA 和根憑證發行代碼簽署和 EV 代碼簽署憑證:RSA 和 ECC

瞭解更多有關 3072 位元金鑰代碼簽署憑證的變更的資訊

如果您正重新發行使用於 Sun Java 平台的 Code Signing (CS) 憑證與 Sun Java 平台,您必須連同您的訂單提交憑證簽署要求 (CSR)。但您可以連同您的要求納入用於任何平台的 CSR。

為了保持安全,憑證必須使用 RSA 3072 位元或 ECC P-256 位或更大的金鑰。如需與建立不同作業系統和平台的 CSR 有關的說明,請參閱建立代碼簽署憑證要求的 CSR

Only HSM devices require you to submit a CSR with your request. The Code Signing secure token provisioning methods don't include an option for submitting a CSR.

重新發行您的 CS 憑證

  1. 在您的 CertCentral 帳戶的左側主功能表中,按一下憑證 > 訂單

  2. 在「訂單」頁面上,按一下您要重新發行 Code Signing 憑證的「訂單編號」連結。

  3. 訂單詳細資料頁面的憑證動作下拉清單中,選取重新發行憑證

  4. 若您沒有選擇不同簽章雜湊的特定原因,DigiCert 建議使用預設的簽章雜湊:SHA-256

    1. 簽署雜湊

      若您沒有選擇不同簽章雜湊的特定原因,DigiCert 建議使用預設的簽章雜湊:SHA-256

    2. Provisioning method

      The provisioning method refers to where you will store the private key and certificate. For the security of your Code Signing certificate, the certificate must be installed on and used from an approved device.

      Select the storage device for your Code Signing certificate and its' private key.

      • DigiCert-provided hardware token (nonrefundable)

        DigiCert ships you a secure token with instructions for installing the certificate on your token, so you can start signing code.

        Then, under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.

      • Use existing token

        After DigiCert issues your code signing certificate, you need to install the certificate on your token.

        In the Platform dropdown, select the type of hardware token on which you plan to install your Code Signing certificate:

        • SafeNet eToken 5110 CC (940) for RSA 4096-bit and ECC P-256-bit or higher key certificates.

        • SafeNet eToken 5110 FIPS for ECC P-256 and P-384-bit key certificates.

        • SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit or higher key certificates.

        • SafeNet eToken 5110+ CC (940B) for ECC P-256-bit key certificates.

        Important

        You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device listed above. You cannot install the certificate on any device not on the list.

        Please select DigiCert-provided hardware token to have a token shipped to you. If you have questions, please contact DigiCert Support.

      • Install on HSM

        After DigiCert issues your code signing certificate, install it on the HSM where you generated the private key and CSR.

        Select Yes under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM?

        Note that we will send the certificate requestor an agreement email. This email is to ensure that a private key is stored on an HSM that is certified as FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. DigiCert will only issue the certificate after the requester agrees to the private key protection requirement.

      Important

      You must have a FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent hardware security module (HSM) that supports at least 3072-bit keys.

      Select a different provisioning method if you don't have a compatible HSM. If you have any questions, please contact DigiCert Support.

    3. 重新發行的原因

      說明重新發行憑證的原因。

  5. 按一下要求重新發行

下一步是什麼

Approval for your Code Signing certificate reissue may be required

If a reissue approval is required, we email the Code Signing verified contacts for the organization, informing them that they need to approve the certificate reissue request. Once we receive their approval, we'll reissue your Code Signing certificate.

Certificate issuance

Once the validation is complete and the order is verified-contact approved, we will issue your certificate. Then you can install your certificate on your hardware token or HSM.

: