Order your Document Signing for Individual certificate
CertCentral: Learn how to get your Document Signing for Individual certificate
With a Document Signing for Individual certificate, apply electronic signatures, assuring recipients that the document is from you and has not been altered. DigiCert document signing certificates are compatible with Adobe Acrobat, DocuSign, Microsoft Office, OpenOffice, and LibreOffice documents.
Before you begin
When ordering your Document Signing for Individual certificate, you must choose your key provisioning method. The provisioning method refers to where you will store the private key and certificate.
Key provisioning options
For the security of your Document Signing certificate, you must install and use your certificate from an approved device.
Hardware token: With this option, purchase a token from DigiCert or use your own.
DigiCert-provided hardware token—nonrefundable
After submitting your request, we ship the hardware token to the shipping address included in your order.
Use your own DigiCert-supported FIPS 140-2 Level 2 hardware token.
SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size only
SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096 and ECC p-256 and p-384 key sizes
Use the DigiCert Trust Assistant to initialize your token, if needed, and install your certificate on it. See Certificate issuance below.
Hardware security module (HSM): With this option, use your own Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM.
Generate the private key on your HSM and add the certificate signing request (CSR) to your request. Refer to your HSM vendor instructions for generating the CSR.
Document Signing certificates support the following algorithms and key lengths:
RSA 2048, 3072, and 4096
ECC p-256 and p-384
DigiCert sends the certificate requestor an agreement email to verify that the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM or equivalent.
See Certificate issuance below.
Order a Document Signing for Individual certificate
In CertCentral, in the left menu, go to Request a Certificate > Document Signing Certificates > Document Signing for Individual.
On the Request Document Signing for Individual Certificate page, in the For menu, select the division to manage the certificate.
The For menu only appears if using Divisions in your account.
Certificate validity
In the Certificate Settings section, under Certificate validity, select a validity period for the certificate: 1 year, 2 years, 3 years, Custom expiration date, or Custom length.
Key provisioning method
Select the key provisioning method for your Document Signing for Individual certificate.
The provisioning method refers to where you will store the certificate and its private key. For the security of your Document Signing certificate, the certificate must be installed on and used from an approved device.
DigiCert-provided hardware token (nonrefundable)
Then, under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.
DigiCert ships a hardware token with instructions for installing the certificate on it.
Use existing token
After DigiCert issues your document signing certificate, install the certificate on your own hardware token.
You can only install your certificate on a DigiCert-supported hardware token:
SafeNet/Gemalto eToken 5100: Supports RSA 2048 key size only
SafeNet/Gemalto eToken 5110: Supports RSA 2048, 3072, 4096 and ECC p-256 and p-384 key sizes
Install on HSM
Then, under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM, select Yes.
DigiCert sends the certificate requestor an agreement email. This email is to ensure that a private key is stored on an HSM that is certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM, or equivalent.
Only after the requester agrees to the private key protection requirement can DigiCert issue the certificate.
After DigiCert issues your document signing certificate, install it on the hardware security module (HSM) where you generated the private key and CSR.
Certificate details
Add the information about the subject individual to be included on the certificate. The subject individual is the holder of the certificate. Specific information about the individual will be included on the certificate.
You can add a new subject individual or an existing subject individual used previously.
Under Certificate details, select Add individual. In the Add subject individual window, complete the tasks below as needed.
Add a new subject individual
DigiCert must validate the subject individual before we can issue your certificate. Accurate information makes validating the individual easier, leading to faster certificate issuance. Verify that the details are correct, including spelling and punctuation.
Select Create new subject individual and then Next.
Enter the information below about the subject individual as required:
Given name
You may include a middle name and initials. Do not include titles or prefixes, such as "Dr.".
Surname
You may include generational suffixes, such as “Sr.” and “III”.
Preferred name (optional)
You may include a preferred name as the common name. You may include titles, prefixes, professional and academic suffixes, abbreviations, and accreditations.
Adding a preferred name is optional, and you can leave this field empty.
including a preferred name requires additional validation and may delay certificate issuance.
Job title (optional)
You may include the subject individual's job title on the certificate.
Adding a job title is optional, and you can leave this field empty.
Including a job title requires additional validation and may delay certificate issuance.
Country code
Country code for the individual's phone number.
Phone number
Phone number for the individual.
Country
Country where the individual resides.
Email
DigiCert uses this email address to process your request.
Note: This email does not appear on the certificate.
Verify the information is correct and select Add.
Add an existing subject individual
Select Use previous subject individual.
In the menu, select the subject individual.
Select Add.
Common name
Under Common name, select the name to include on the certificate.
First and last name
Preferred name / pseudonym
Advanced certificate options
By default, DigiCert uses the RSA 2048-bit key certificates with a SHA-256 signature hash and RSA signing algorithm. However, you can update the key type and size, and the signature hash as required to meet your company policy or digital certificate environment requirements.
Key type and size
DigiCert recommends using RSA 2048 unless you have a specific reason for using a different key type and/or size.
In the menu, select the key type (algorithm) and key size for generating your CSR and certificate:
RSA 2048, 3072, or 4096
ECC p-256 or p-384
Signature hash
By default, DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm. DigiCert recommends using the default RSA settings unless you have specific reasons for using a different key size.
In the menu, select the signature hash* you want to use for signing your documents.
SHA-256 with RSA
SHA-384 with RSA
SHA-512 with RSA
*Note: The selected hash is the signing algorithm for your document signing signatures. The document recipient uses the signature to verify the document signer and to confirm the document wasn't modified along the way.
ECC certificates
With ECC certificates, there is a one-to-one correlation between the signature hash and the signing algorithm.
When using the ECC p-256 key size, your certificate includes a SHA-256 signature hash with ECDSA signing algorithm.
When using the ECC p-384 as the key size, your certificate includes a SHA-384 signature hash with ECDSA signing algorithm.
Certificate usage
Add non-repudiation key usage
To add the non-repudiation key usage to your certificate, select this option.
Additional order options
Adding the information below is optional. None of it is required to issue your certificate.
Additional Renewal Message (optional)
To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal.
Note: Comments and renewal messages are not included in the certificate.
Additional emails (optional)
Enter the email addresses of the people you want to receive the certificate issuance, expiring certificate, and expiring order notifications. Use a comma to separate addresses or enter them on separate lines.
These recipients do not manage the order. They only receive the certificate-related emails, such as certificate issuance, expiring certificate, and expiring order notifications.
Select payment method
Under Payment information, select a payment method to pay for the certificate.
Pay with credit card
We authorize the credit card when you make the request. However, we only complete the transaction once we issue your certificate.
Pay with contract terms
When you have a contract, it is the default payment method.
Pay with account balance
Bill the cost to your account balance. To deposit funds, select the Deposit link. Selecting the link takes you to another page inside your CertCentral account. Any information entered in the request form will not be saved.
Master Services Agreement
Read through the Master Services Agreement.
Select Submit Certificate Request.
By selecting Submit Certificate Request, you agree to the Master Service Agreement.
What’s next
CertCentral takes you to the certificate’s Order # details page, where you can see the status of your certificate order.
Complete the individual identity validation
Before we can issue you certificate, DigiCert must validate the subject individual on the certificate using one of the identity verification processes below.
Remote Identity Verification (RIV)
The RIV method allows you to complete the identity validation process at your convenience. Only available with some certificate issuance processes.
Face-to-face
The face-to-face method requires you to meet in person with an authorized professional who can verify you are who you say you are. The professionals authorized to verify your identity differ depending on where you reside.
Certificate issuance
Once the validation process is complete, we will issue your certificate.
DigiCert-provided hardware token (nonrefundable)
If you opted to have DigiCert send you a hardware token, we ship your token to the shipping address included in your request. On your certificate's order details page, you can track your hardware token shipment.
After receiving the DigiCert-provided hardware token and getting the PIN, return to CertCentral and download and install the DigiCert Trust Assistant. Then, when the certificate is ready, use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.
Your supported hardware token
If you opted to use your own supported hardware token, when the certificate is ready, return to CertCentral and use the DigiCert Trust Assistant to install the certificate on your token. Learn more about the DigiCert Trust Assistant.
Supported hardware security module (HSM)
If you opted to install your document signing certificate on a supported HSM, the process works as follows:
DigiCert sends the certificate requestor an agreement email to verify that the private key is stored on an HSM certified as Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM or equivalent.
DigiCert can only issue the certificate after the requester agrees to the private key protection requirement.
DigiCert emails the certificate requestor a copy of the certificate.
You can also download a copy of the certificate from CertCentral.
Install the certificate on your HSM. Refer to your HSM vendor instructions.
You can only use your certificate when installed on the computer/device where you generated the CSR and securely stored your private key.