Skip to main content

Order your Document Signing for Business – Group certificate

CertCentral: Learn how to get your Document Signing for Business – Group certificate

With a Document Signing for Business – Group certificate, apply electronic seals, certifying the document’s origin, authenticity, and integrity. DigiCert document signing certificates are compatible with Adobe Acrobat, DocuSign, Microsoft Office, OpenOffice, and LibreOffice documents.

Before you begin

Key provisioning options

When ordering your Document Signing for Business – Group certificate, you must choose your key provisioning method. The provisioning method refers to where you will store the private key and certificate. For the security of your Document Signing certificate, you must install and use your certificate from an approved device.

  • Hardware token: With this option, purchase a token from DigiCert or use your own:

    • DigiCert-provided hardware token—nonrefundable

      After submitting your request, we ship the hardware token to the shipping address included in your order.

    • Use your own DigiCert-supported FIPS 140-2 Level 2 hardware token

      • SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size only

      • SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096 and ECC p-256 and p-384 key sizes

    • Use the DigiCert Trust Assistant to initialize your token, if needed, and install your certificate on it. See Certificate issuance below.

  • Hardware security module (HSM): With this option, use your own Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM.

    • Generate the private key on your HSM and add the certificate signing request (CSR) to your request. Refer to your HSM vendor instructions for generating the CSR.

    • Document Signing certificates support the following algorithms and key lengths:

      • RSA 2048, 3072, and 4096

      • ECC p-256 and p-384

    • DigiCert sends the certificate requestor an agreement email to verify that the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM or equivalent.

    • See Certificate issuance below.

Organization validation

Before DigiCert can issue your Document Signing for Business – Group certificate, we must validate the organization for DS - Document Signing Validation. Organization validation is valid for 825 days. See How do we validate your organization.

Use one of the following options to validate your organization:

  • Prevalidate the organization.

    CertCentral features an organization prevalidation process that allows you to validate your organization before ordering certificates. Completing the organization validation ahead of time allows for quicker certificate issuance. See Submit an organization for prevalidation.

  • Validate the organization as part of the order process.

    If you add a new organization or an organization with expired DS - Document Signing Validation, DigiCert will complete the organization validation as part of the order process.

Order you Document Signing for Business – Group certificate

  1. In CertCentral, in the left menu, go to Request a Certificate > Document Signing Certificates Document Signing for Business – Group.

  2. On the Request Document Signing for Business – Group Certificate page, in the For menu, select the division to manage the certificate.

    The For menu only appears if using Divisions in your account.

  3. Certificate validity

    In the Certificate Settings section, under Certificate validity, select a validity period for the certificate: 1 year, 2 years, 3 years, Custom expiration date, or Custom length.

  4. Key provisioning method

    Select the key provisioning method for your Document Signing for Individual certificate.

    The provisioning method refers to where you will store the certificate and its private key. For the security of your Document Signing certificate, the certificate must be installed on and used from an approved device.

    • DigiCert-provided hardware token (nonrefundable)

      Then, under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.

      DigiCert ships a hardware token with instructions for installing the certificate on it.

    • Use existing token

      After DigiCert issues your document signing certificate, install the certificate on your own hardware token.

      You can only install your certificate on a DigiCert-supported hardware token:

      • SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size only

      • SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096 and ECC p-256 and p-384 key sizes

    • Install on an HSM

      Then, under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM, select Yes.

      • DigiCert sends the certificate requestor an agreement email. This email is to ensure that a private key is stored on an HSM that is certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM, or equivalent.

      • Only after the requester agrees to the private key protection requirement can DigiCert  issue the certificate.

      • After DigiCert issues your document signing certificate, install it on the hardware security module (HSM) where you generated the private key and CSR.

  5. Organization

    You can add an existing organization from your account or a new organization. If you add a new organization, it will be added to CertCentral.

    Under Organization, select Add an organization. In the Add organization window, complete one of the following tasks as needed:

    1. Add an existing organization

      1. Select An existing organization.

      2. In the menu, select the organization and then select Add.

        If you choose an organization not validated for DS - Document Signing Validation or the organization's validation has expired, DigiCert must validate the organization before we issue your certificate.

      3. Organization and technical contacts

        DigiCert automatically adds the contacts assigned to the organization to the request form. To see the organization and technical contacts, select Show organization contacts.

    2. Add a new organization

      Accurate organization information makes validating your organization easier, leading to faster certificate issuance. Verify organization details are correct, including spelling and punctuation.

      1. Select A new organization and select Next.

      2. Organization address details

        Enter the following organization information as needed.

        Legal name

        Organization name exactly as it appears in corporate registries, such as local government registration records.

        Assumed name (optional)

        Assumed name or doing business as name. You do not need to include an assumed name. You can leave this box empty.

        Note: Adding an assumed name requires additional validation, which may delay organization validation and certificate issuance.

        Country

        Country where the organization is legally located.

        Address 1

        The address where the organization is legally located.

        Address 2 (optional)

        Additional address in formation, such as a Suite #. You can leave this box empty.

        City (optional)

        City where the organization is legally located.

        You do not have to include a city. You can leave this box empty.

        State / Province / Region

        State, province, region where the organization is legally located.

        Postal code (optional)

        Postal code where the organization is legally located.

      3. Organization phone number

        DigiCert must call a verified organization phone number to confirm your authority to order a certificate for the organization. We verify this phone number against online third-party address listing sources like Google Business.

        Country code

        Country code for the organization's phone number

        Phone number

        Organization's phone number.

        Learn how we confirm your authority.

      4. Verify you entered the information correctly and then, select Add.

    3. Organization contact

      The organization contact is the person we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization. They may also receive the following notifications: Order status updates for certificates requested for their organization and Domain status updates for domains associated with their organization.

      In the Add contacts window, add yourself, add someone else from your account, or create a new organization contact.

      1. Add yourself as the organization contact.

        Select Add me as the organization contact and then select Add or Next.

        • If we have all your information, select Add.

        • If we need more information, select Next, enter the missing data, and then select Add.

          Usually, you must add a phone number that we can use to contact you and your job title.

      2. Add someone else as the organization contact.

        1. Select Add someone else as the organization contact.

        2. Then, in the Add contact menu, select the contact or user and then select Add or Next.

          • If we have the needed user information, select Add.

          • If we need more user information, select Next, enter the missing data, and then select Add.

            Usually, you must add a phone number that we can use to contact the person and their job title.

      3. Create a new contact.

        1. Select Add someone else as the organization contact.

        2. In the Add contact menu, select Create new contact and then select Next.

        3. Enter the required user information: email, first and last name, phone number, and job title.

        4. Seletct Add.

    4. Technical contact

      The technical contact is the person we may for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.

      Add a technical contact (optional)

      1. Under Organization Info, select Show organization contacts.

      2. Select Add technical contact (Optional).

      3. Add yourself as the technical contact.

        • Select Add me as the technical contact for the organization and then select Add or Next.

          • If we have all your information, select Add.

          • If we need more information, select Next, enter the missing data, and then select Add.

            Usually, you must add a phone number that we can use to contact you and your job title.

      4. Add someone else as the technical contact.

        1. Select Add someone else as the technical contact for the organization.

        2. In the Add contact menu, select the contact or user and then select Add or Next.

          • If we have the needed user information, select Add.

          • If we need more user information, select Next, enter the missing data, and then select Add.

            Usually, you must add a phone number that we can use to contact the person and their job title.

      5. Create a new contact.

        1. Select Add someone else as the technical contact for the organization.

        2. In the Add contact menu, select Create new contact and then select Next.

        3. Enter the required user information: email, first and last name, phone number, and job title.

        4. Selecct Add.

  6. Advanced certificate options

    By default, DigiCert uses the RSA 2048-bit key certificates with a SHA-256 signature hash and RSA signing algorithm. However, you can update the key type and size, and the signature hash as required to meet your company policy or digital certificate environment requirements.

    1. Key type and size

      DigiCert recommends using RSA 2048 unless you have a specific reason  for using a different key type and/or size.

      In the menu, select the key type (algorithm) and key size for generating your CSR and certificate:

      • RSA 2048, 3072, or 4096

      • ECC p-256 or p-384

    2. Signature hash

      By default, DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm. DigiCert recommends using the default RSA settings unless you have specific reasons for using a different key size.

      In the menu, select the signature hash* you want to use for signing your documents.

      • SHA-256 with RSA

      • SHA-384 with RSA

      • SHA-512 with RSA

      *Note: The selected hash is the signing algorithm for your document signing signatures. The document recipient uses the signature to verify the document signer and to confirm the document wasn't modified along the way.

      ECC certificates

      With ECC certificates, there is a one-to-one correlation between the signature hash and the signing algorithm.

      • When using the ECC p-256 key size, your certificate includes a SHA-256 signature hash with ECDSA signing algorithm.

      • When using the ECC p-384 as the key size, your certificate includes a SHA-384 signature hash with ECDSA signing algorithm.

    3. Certificate usage

      Add non-repudiation key usage

      To add the non-repudiation key usage to your certificate, select this option.

  7. Additional order options

    Adding any of the information below is optional. None of it is required to issue your certificate.

    1. Additional Renewal Message (optional)

      To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal.

      Note: Comments and renewal messages are not included in the certificate.

    2. Additional emails (optional)

      Enter the email addresses of the people you want to receive the certificate issuance, expiring certificate, and expiring order notifications. Use a comma to separate addresses or enter them on separate lines.

      These recipients don't manage the order. They only receive all the certificate-related emails.

  8. Select payment method

    Under Payment information, select a payment method to pay for the certificate.

    • Pay with credit card

      We authorize the credit card when you make the request. However, we only complete the transaction once we issue your certificate.

    • Pay with contract terms

      When you have a contract, it is the default payment method.

    • Pay with account balance

      Bill the cost to your account balance. To deposit funds, select the Deposit link. Selecting the link takes you to another page inside your CertCentral account. Any information entered in the request form will not be saved.

  9. Master Services Agreement

    Read through the Master Services Agreement.

  10. Select Submit Certificate Request.

    By selecting Submit Certificate Request, you agree to the Master Service Agreement.

What's next

CertCentral takes you to the certificate’s Order # details page, where you can see the status of your certificate order.

Complete organization validation

DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we will call a verified phone number to speak with someone who represents you, the certificate requestor, such as the organization or technical contact.

To get organization consent for your certificate order:

  • Answer the organization/validation phone call—preferred method*.

    • After you submit your certificate order, ensure that the organization contact, technical contact, and company receptionist know you’ve ordered a Document Signing for Business – Group certificate.

    • Let them know DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication.

    • This phone call usually takes place within 24 hours of the order being placed.

  • Respond to the organization consent message.

    • If the DigiCert validation agent can’t reach someone who represents you at the verified phone number, they will leave a message with a call-back phone number and a verification code.

    • Make sure that the organization or technical contact responds to the message and provides the verification code.

Certificate issuance

Once the validation process is complete, we will issue your certificate.

  • DigiCert-provided hardware token (nonrefundable)

    If you opted to have DigiCert send you a hardware token, we ship your token to the shipping address included in your request. On your certificate's order details page, you can track your hardware token shipment.

    After receiving the DigiCert-provided hardware token and getting the PIN, return to CertCentral and download and install the DigiCert Trust Assistant. Then, when the certificate is ready, use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.

  • Your supported hardware token

    If you opted to use your own supported hardware token, when the certificate is ready, return to CertCentral and use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.

  • Supported hardware security module (HSM)

    If you opted to install your document signing certificate on a supported HSM, the process works as follows:

    • DigiCert sends the certificate requestor an agreement email to verify that the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM or equivalent.

      DigiCert can only issue the certificate after the requester agrees to the private key protection requirement.

    • DigiCert emails the certificate requestor a copy of the certificate.

      You can also download a copy of the certificate from CertCentral.

    • Install the certificate on your HSM. Refer to your HSM vendor instructions.

      You can only use your certificate when installed on the computer/device where you generated the CSR and securely stored your private key.

: