
Order a Code Signing certificate

New private key storage requirements

On May 30, 2023, DigiCert updated our private key storage requirements for code signing certificate private keys, per industry standards. All private keys for code signing certificates must be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.

For more information, see our knowledge base articles:

Before you begin

Important

Industry requirements for code signing certificates changed to a minimum RSA 3072-bit key

To comply with the changed industry requirements, DigiCert made the following changes to our code signing certificate process:

  • Only issue code signing certificates with a minimum RSA 3072-bit key*

  • Issue code signing and EV code signing certificates from new intermediate CA and root certificates: RSA and ECC

Learn more about the 3072-bit key code signing certificate changes

  • Prevalidate the organization

    Make sure the organization you want to associate with the Code Signing (CS) certificate has been prevalidated for CS organization validation. The organization dropdown only lists organizations with CS organization validation. See Submit an organization for prevalidation.

  • Prevalidate the domain

    When you add an email address as the subject of a code signing certificate, the email address must include a validated domain. For example, if you want to add john.doe@example.com, example.com must be prevalidated. See Domain prevalidation. Only prevalidated domains appear on the order form.

    Adding an email address is optional. Depending on how your account was set up, you may be unable to add an email address to your Code Signing certificate.

  • Generate a CSR

    If you plan to use your Code Signing (CS) certificate on the Sun Java platform, you must submit a certificate signing request (CSR) with your order. However, you can include a CSR for any platform in your order.

    For security, the certificate must use a minimum RSA 3072-bit or ECC P-256 key size. For instructions on creating a CSR on different operating systems and platforms, see Create a CSR for your code signing certificate request.
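As an added example (not DigiCert's code and not taken from this page), the Go program below builds a CSR with the standard library and then checks it the way a reviewer would before submitting an order: the PEM type is right, the self-signature verifies (so the requester actually holds the private key), and the key meets the minimum stated above, RSA 3072 bits or ECC P-256 and larger NIST curves. The subject values "Example Corp" and the function names are placeholders chosen for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// Key-size floor stated on this page for code signing CSRs.
const minRSABits = 3072

// Curves accepted by this check: P-256 is the stated minimum; the larger
// NIST curves are stronger and accepted as well (assumption for the example).
var acceptedCurves = map[string]bool{
	elliptic.P256().Params().Name: true,
	elliptic.P384().Params().Name: true,
	elliptic.P521().Params().Name: true,
}

// newCSR builds a PEM-encoded CSR with the given organization and common
// name, signed with key. Subject values are hypothetical placeholders.
func newCSR(key crypto.Signer, org, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{Organization: []string{org}, CommonName: cn},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// checkCSRKey parses a PEM CSR, verifies its self-signature (proof of
// possession of the private key), and returns a short description of the
// key if it meets the minimum. Returns an error for weak or unsupported keys.
func checkCSRKey(csrPEM []byte) (string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR signature does not verify: %w", err)
	}
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		bits := pub.N.BitLen()
		if bits < minRSABits {
			return "", fmt.Errorf("RSA key is %d bits; minimum is %d", bits, minRSABits)
		}
		return fmt.Sprintf("RSA %d", bits), nil
	case *ecdsa.PublicKey:
		name := pub.Curve.Params().Name
		if !acceptedCurves[name] {
			return "", fmt.Errorf("ECC curve %s is not accepted", name)
		}
		return "ECC " + name, nil
	default:
		return "", fmt.Errorf("unsupported public key type %T", pub)
	}
}

func main() {
	org := "Example Corp" // placeholder subject

	// Compliant RSA 3072-bit request.
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 3072)
	csr, _ := newCSR(rsaKey, org, org)
	fmt.Println(checkCSRKey(csr))

	// Compliant ECC P-256 request.
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ = newCSR(ecKey, org, org)
	fmt.Println(checkCSRKey(csr))

	// A legacy RSA 2048-bit request no longer meets the requirement.
	weak, _ := rsa.GenerateKey(rand.Reader, 2048)
	csr, _ = newCSR(weak, org, org)
	fmt.Println(checkCSRKey(csr))
}
```

The key generation in main is only there to make the example self-contained. When the private key has to live on a hardware token or HSM (see the provisioning options later on this page), generate the key pair on that device, export only the CSR, and run checkCSRKey on the exported file. The equivalent OpenSSL command for a software-generated RSA request is `openssl req -new -newkey rsa:3072 -keyout cs.key -out cs.csr`.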

Order your CS certificate

  1. In the left main menu, hover over Request a Certificate , then under Code Signing Certificates, select Code Signing.

  2. On the Request a Code Signing Certificate page, in the For dropdown, select the division to manage the certificate.

    The For dropdown only appears if your account uses Divisions.

Certificate settings

  1. Validity period

    Select the validity period for the certificate: 1 year, 2 years, or 3 years.

    If needed, you can customize the expiration date or certificate length. However, you cannot exceed the 39-month maximum code signing certificate validity.

  2. Signature hash

    Unless you have a specific reason to choose a different signature hash, DigiCert recommends using the default signature hash: SHA-256.

  3. Auto-renew (optional)

    To set up automatic renewal for this code signing order, check Auto-renew order 30 days before expiration.

    Tip

    If your certificate still has validity remaining before it expires, DigiCert adds the remaining validity to your new certificate (up to 39 months).

Organization

  1. Add an organization.

    Select Add organization

    You can add an existing organization from your account or a new organization. The new organization will be added to your account. However, DigiCert must complete the code signing validation for the selected or new organization before we can issue your certificate.

    In the Add organization window, complete the following tasks as needed:

    • Add an existing organization.

      1. Select An existing organization.

        In the dropdown, select the organization and then select Add.

        If you choose an organization that is not validated for Code Signing certificates, or whose code signing validation has expired, DigiCert must complete code signing validation for the organization before we can issue your certificate.

      2. Organization and technical contacts.

        DigiCert automatically adds the contacts assigned to the organization to the request form. To see the organization and technical contacts, select Show organization contacts.

      3. Verified contacts.

        • DigiCert automatically adds the assigned contacts to the request form if the organization has code signing verified contacts. To view, change selections, or add verified contacts, expand Verified contacts.

        • The Add contacts popup window opens if the organization does not have assigned code signing verified contacts. In this window, you can add yourself, a user in your account, or a new contact as a verified contact. See Verified contacts below.

    • Add a new organization.

      1. Select A new organization and select Next.

      2. Under Organization address details, enter your organization's legal name, assumed name (optional), address, and phone number.

        DigiCert must complete code signing validation for the new organization before we can issue your certificate.

      3. When ready, select Add.

    • Add an organization contact.

      In the Add organization window, add yourself or someone else from your account, or create a new organization contact.

      Important

      The organization contact is whom we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization.

      They may also receive the following notifications:

      • Order status updates for certificates requested for their organization.

      • Domain status updates for domains associated with their organization.

      • Add yourself as the organization contact.

        Select Add me as the organization contact and then select Add or Next.

        1. If we have all your information, you will select Add.

        2. If we need more information, you will select Next, enter the missing information, and then select Add.

      • Add someone else as the organization contact.

        Select Add someone else as the organization contact. Then in the Add contact dropdown, select the contact or user and then select Add or Next.

        • If we have the needed user information, you will select Add.

        • If we need more user information, you will select Next, enter the missing information, and then select Add.

      • Create new contact.

        1. Select Add someone else as the organization contact.

        2. In the Add contact dropdown, select Create new contact and then select Next.

        3. Enter the needed user information and then select Add.

  2. Technical contact for the organization (optional)

    We may contact a technical contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.

    • Add yourself as the technical contact.

      Select Add me as the technical contact for the organization and then select Add or Next.

      1. If we have all your information, you will select Add.

      2. If we need more information, you will select Next, enter the missing information, and then select Add.

    • Add someone else as the technical contact.

      Select Add someone else as the technical contact for the organization. Then in the Add contact dropdown, select the contact or user and then select Add or Next.

      1. If we have the needed user information, you will select Add.

      2. If we need more user information, you will select Next, enter the missing information, and then select Add.

    • Create new contact.

      1. Select Add someone else as the technical contact for the organization.

      2. In the Add contact dropdown, select Create new contact and then select Next.

      3. Enter the needed user information and then select Add.

  3. Verified contacts.

    A verified contact must represent the organization included in your certificate request. At least one EV code signing verified contact is required.

    To view, change selections, or add verified contacts, expand Verified contacts.

    • Select verified contacts.

      If the organization has multiple EV code signing verified contacts, you can select who receives the EV code signing order approval email.

      DigiCert sends the approval email to all selected, verified contacts, but only one needs to approve your order. Once the order is approved, DigiCert can issue your certificate. Selecting multiple verified contacts increases the likelihood of your order being approved quickly.

    • Add a verified contact.

      When adding a new verified contact, we will contact the organization directly to verify the individual's name, email, phone number, job title, and authority. Only after DigiCert validates a verified contact can they approve EV code signing orders for the organization.

      • Add yourself as the verified contact.

        Select Add me as a verified contact for the organization and then select Add or Next.

        1. If we have all your information, you will select Add.

        2. If we need more information, you will select Next, enter the missing information, and then select Add.

      • Add someone else as the verified contact.

        Select Add someone else as the verified contact for the organization. Then in the Add contact dropdown, select the contact or user and then select Add or Next.

        1. If we have the needed user information, you will select Add.

        2. If we need more user information, you will select Next, enter the missing information, and then select Add.

      • Create new contact.

        1. Select Add someone else as the verified contact for the organization.

        2. In the Add contact dropdown, select Create new contact and then select Next.

        3. Enter the needed information and then select Add.

  4. Additional emails (optional)

    Enter the email address you want to receive the certificate issuance, expiring certificate, and expiring order notifications. Separate addresses with commas or enter them on different lines.

    Depending on your account settings, your administrator may require you to include at least one additional email.

Order Settings

  • Provisioning options

    The provisioning method refers to where you will store the private key and certificate. For the security of your Code Signing certificate, the certificate must be installed on and used from an approved device.

    Select the storage device for your Code Signing certificate and its private key.

    • DigiCert-provided hardware token

      DigiCert ships a secure token with instructions for installing the certificate on it, so that you can start signing code.

      Then, under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.

    • Use existing token

      After DigiCert issues your code signing certificate, install the certificate on your token.

      In the Platform dropdown, select the type of hardware token on which you plan to install your Code Signing certificate:

      • SafeNet eToken 5110 CC (940) for RSA 4096-bit and ECC P-256-bit or higher key certificates.

      • SafeNet eToken 5110 FIPS for ECC P-256 and P-384-bit key certificates.

      • SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit or higher key certificates.

      • SafeNet eToken 5110+ CC (940B) for ECC P-256-bit key certificates.

      Important

      You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device. See Currently Supported eTokens. You cannot install the certificate on any device not on the list.

      Need an approved token?

      Please select DigiCert-provided hardware token to have a token shipped to you. If you have questions, please contact DigiCert Support.

    • Install on HSM

      After DigiCert issues your code signing certificate, install it on the HSM where you generated the private key and CSR.

      Select Yes under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM?

      Note that we will send the certificate requester an agreement email. This email is to confirm that the private key is stored on an HSM certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. DigiCert will only issue the certificate after the requester agrees to the private key protection requirement.

      Important

      You must have a FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent hardware security module (HSM) that supports at least 3072-bit keys.

      Don't have a compatible HSM?

      Please select a different provisioning method. If you have any questions, please contact DigiCert Support.

    • DigiCert KeyLocker (Cloud HSM)

      KeyLocker is an automated cloud storage service where you can store your private key and code signing certificate. Access them anytime from anywhere to sign your code. Learn more.

      DigiCert also offers Software Trust Manager, an enterprise-level code signing solution. Contact your account representative to determine if your organization could benefit from Software Trust Manager. Learn more.

Additional certificate options

The information below is optional. None of it is required to issue your certificate.

  1. Organization unit

    Enter the organization unit (OU) with which you want to associate the certificate and signatures. If you include an OU in your order, DigiCert must validate the OU before we can issue your certificate with the OU field in it.

    Adding an organization unit is optional. This box can be left empty.

  2. Subject email (CertCentral Enterprise/Partner accounts only)

    Enter the email address you want to appear on the certificate. The email address must contain a validated domain associated with the organization included in the request, for example, email-username@validated-domain.

    Including an email address on the certificate is not required to issue your certificate. However, adding an email address provides an additional layer of trust for end users when checking your code signing certificate.

    1. Expand Show available domains and select the domain for your email address. The email address you provide must use a validated domain.

    2. Optionally, add the email address you want to appear as the subject on the code signing certificate.

      • We don't show a dropdown if the organization only has one validated domain assigned to it.

      • You cannot include a subject email if the organization does not have any validated domains assigned to it.

Order options

The information below is optional. None of it is required to issue your certificate.

  1. Comments to Administrator (optional)

    Enter any information your administrator might need for approving your request, about the purpose of the certificate, etc.

  2. Additional Renewal Message (optional)

    To create a renewal message for this certificate, add a message with information relevant to the certificate's renewal.

Payment information

  1. Select a payment method

    Under Payment information, select the payment method for the certificate:

    1. Bill to credit card

      Don't have a contract, or don't want to use your contract to pay for the certificate? Pay for the certificate with a credit card.

      We authorize the card when the request is made. However, we only complete the transaction once we issue your certificate. If you have a contract enabled, check Exclude from contract terms.

    2. Bill to account balance

      Don't have a contract, or don't want to use your contract to pay for the certificate? Deduct the cost from your account balance.

      To add funds, click the Deposit link.

      The Deposit link takes you to another page in your CertCentral account. Any information entered in the request form will not be saved.

      If you have a contract enabled, check Exclude from contract terms.

    3. Pay per contract terms

      Do you have a contract and want to use it to pay for the certificate? If you have a contract, this is the default payment method.

  2. Certificate Services Agreement

    Select the Certificate Services Agreement. Read the agreement, then check I agree to the Certificate Services Agreement.

  3. Select Submit certificate request

    When approval is required, the organization's verified CS contact receives an email notifying them that a certificate request needs their approval.

What's next

DigiCert recommends that developers take precautions with the code signing process and protect the private key associated with their signing certificate. See Protect private keys: Code signing best practices.