Code signing provisioning methods
The provisioning method determines where the private key and certificate are stored. The method selected during an order, reissue, or renewal affects CSR requirements and the steps needed after the certificate is issued.
| Provisioning method | CSR required | Key storage | Post-issuance action |
|---|---|---|---|
| DigiCert-provided hardware token | No | DigiCert-shipped token | Install certificate when token arrives |
| Own supported hardware token | No | Your certified token | Download certificate and install on token |
| Hardware security module (HSM) | Yes | Your certified HSM | Download certificate and install on HSM |
| DigiCert KeyLocker | No | DigiCert cloud HSM | Access certificate in KeyLocker |
DigiCert-provided hardware token
DigiCert ships a pre-configured secure token to the address provided during the order. No CSR is required. The token is nonrefundable.
After issuance, DigiCert installs the certificate on the token and ships it with installation instructions.
Own supported hardware token
Install the certificate on your own certified hardware token after issuance. No CSR is required. Select your token model in the Platform menu during the order.
DigiCert supports the following hardware tokens:
| Token model | Compatible key type |
|---|---|
| SafeNet eToken 5110 CC (940) | RSA 4096-bit, ECC P-256-bit |
| SafeNet eToken 5110 FIPS | ECC P-256-bit |
| SafeNet eToken 5110 FIPS | RSA 4096-bit, ECC P-256-bit |
| SafeNet eToken 5110 + CC (940B) | ECC P-256-bit |
| SafeNet eToken 5110 + CC (940C) | RSA 4096-bit, ECC P-256-bit |
Important
Your token must be certified to FIPS 140-2 Level 2 or Common Criteria EAL 4+. Certificates cannot be installed on devices not on this list. To obtain an approved token, select DigiCert-provided hardware token during your order.
After issuance, install the certificate on your token.
Hardware security module (HSM)
Generate the private key and CSR on the HSM before submitting your order. The CSR must use a minimum RSA 3072-bit or ECC P-256-bit key and include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.
During the order, confirm that the private key was generated on a device certified to FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent, and upload the CSR.
Important
Your HSM must support at least 3072-bit keys and be certified to FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. DigiCert sends an agreement email to the certificate requester confirming the private key protection requirement. DigiCert cannot issue the certificate until the requester responds to this email.
After issuance, download the certificate from CertCentral and install it on the HSM. See Download a code signing certificate.
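A pre-submission check for the CSR rules in the HSM section (NEW CERTIFICATE REQUEST tags, RSA 3072-bit or ECC P-256 minimum), as an added example that is not DigiCert code. It uses only the Python standard library; the function names `check_csr`, `children`, `tlv` and `sample_rsa_csr` are hypothetical, and the sample CSRs are constructed, unsigned skeletons used only to exercise the parser.

```python
import base64, re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
P256_OID = bytes.fromhex("2a8648ce3d030107")    # prime256v1, the only curve the page names
PEM_RE = re.compile(r"-----BEGIN NEW CERTIFICATE REQUEST-----(.+?)"
                    r"-----END NEW CERTIFICATE REQUEST-----", re.S)

def tlv(tag, body):  # DER-encode one element; only used to build the samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def children(value):  # split a DER constructed value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def check_csr(pem):
    """Return (ok, detail) for the PEM-tag and key-size rules in the HSM section."""
    m = PEM_RE.search(pem)
    if not m:
        return False, "missing NEW CERTIFICATE REQUEST tags"
    der = base64.b64decode("".join(m.group(1).split()))
    info = children(children(der)[0][1])[0][1]   # CertificationRequestInfo
    alg, key = children(children(info)[2][1])    # SubjectPublicKeyInfo fields
    oid, params = (children(alg[1]) + [(0, b"")])[:2]
    if oid[1] == RSA_OID:
        rsa_key = children(key[1][1:])[0][1]     # RSAPublicKey inside the BIT STRING
        bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
        return bits >= 3072, f"RSA {bits}-bit"
    if oid[1] == EC_OID and params[1] == P256_OID:
        return True, "ECC P-256"
    return False, "key type or curve not covered by this check"

def sample_rsa_csr(bits, label="NEW CERTIFICATE REQUEST"):
    """Constructed, unsigned CSR skeleton: real structure, placeholder values."""
    mod = tlv(0x02, ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big"))
    key = tlv(0x30, mod + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"
```

The check reads only the PEM tags and the public key; it does not verify the CSR signature and cannot show where the private key was generated, which the HSM attestation step covers.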
DigiCert KeyLocker
DigiCert stores the private key and certificate in KeyLocker, an automated cloud HSM service. No CSR is required. Access the certificate from anywhere to sign code.
Each certificate includes 1,000 signatures on initial order or renewal. Purchase additional signatures as needed.
Notice
DigiCert also offers Software Trust Manager, an enterprise-level code signing solution. Contact your account representative to determine whether Software Trust Manager is suitable for your organization.