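Order a code signing certificate

Important

Industry requirements for code signing certificates changed to a minimum RSA 3072-bit key

To comply with the changed industry requirements, DigiCert made the following changes to our code signing certificate process:

  • Only issue code signing certificates with a minimum RSA 3072-bit key*

  • Use new intermediate CA and root certificates to issue code signing and EV code signing certificates: RSA and ECC

*Note: All existing 2048-bit key code signing certificates issued before June 1, 2021 remain valid. You can continue to use these certificates to sign code until they expire.

Learn more about the change to 3072-bit key code signing certificates

Before you begin

  • Generate a CSR

    If you want to use the code signing (CS) certificate on the Sun Java platform, you must submit a certificate signing request (CSR) with your order. However, you can include a CSR for any platform in your order.

    To remain secure, certificates must use a minimum RSA 3072-bit or ECC P-256-bit key size. For instructions on creating a CSR for different operating systems and platforms, see Create CSR for a code signing certificate request.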

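  • Prevalidate the organization

    Make sure the organization you want to associate with the code signing (CS) certificate has been prevalidated for CS organization validation. In the Organization dropdown, we only list organizations with CS organization validation. See Submit an organization for prevalidation.

  • Prevalidate the domain

    When adding an email address as the subject of a code signing certificate, the email address must include a validated domain. For example, if you want to add john.doe@example.com, example.com must be prevalidated. See Domain prevalidation. Only prevalidated domains appear on the order form.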

    Adding an email address is optional. Depending on how your account was set up, you may not be able to add an email address to your Code Signing certificate.
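
A pre-submission check for the CSR key-size requirement above, as an added example (not DigiCert tooling). It assumes the OpenSSL CLI, which this page does not name; `make_csr` and `check_csr_key` are hypothetical helper names, the subject is a constructed placeholder, and accepting only NIST curves of 256 bits or more is this example's reading of the ECC P-256 minimum.

```bash
#!/usr/bin/env bash
# Added example, not DigiCert tooling. Assumes the OpenSSL CLI is installed.

# make_csr SPEC KEYFILE CSRFILE (hypothetical helper)
# SPEC is rsa:BITS or ec:CURVE, for example rsa:3072 or ec:prime256v1.
make_csr() {
  case $1 in
    rsa:*) keyopts="-newkey $1" ;;
    ec:*)  keyopts="-newkey ec -pkeyopt ec_paramgen_curve:${1#ec:}" ;;
    *)     echo "unknown key spec: $1" >&2; return 2 ;;
  esac
  # Constructed placeholder subject. -nodes leaves this throwaway demo key
  # unencrypted; a production signing key needs real protection.
  openssl req -new $keyopts -nodes -keyout "$2" -out "$3" \
    -subj "/C=US/O=Example Corp/CN=Example Corp" >/dev/null 2>&1
}

# check_csr_key CSRFILE: returns 0 and prints "ok: ..." when the CSR's public
# key is RSA >= 3072 bits or a NIST ECC curve >= 256 bits; otherwise returns 1.
check_csr_key() {
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) ||
    { echo "reject: not a readable CSR"; return 1; }
  alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$text" |
    sed -n 's/^.*Public-Key: *(\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1)
  # OpenSSL prints "NIST CURVE: P-256" only for NIST curves (not secp256k1).
  curve=$(printf '%s\n' "$text" | sed -n 's/^ *NIST CURVE: *//p' | head -n 1)
  case $alg in
    rsaEncryption)
      [ "${bits:-0}" -ge 3072 ] && { echo "ok: RSA $bits"; return 0; }
      echo "reject: RSA ${bits:-?} bits is below 3072"; return 1 ;;
    id-ecPublicKey)
      [ -n "$curve" ] && [ "${bits:-0}" -ge 256 ] &&
        { echo "ok: ECC $curve"; return 0; }
      echo "reject: ECC key is not a NIST curve of 256 bits or more"; return 1 ;;
    *) echo "reject: unsupported key algorithm: ${alg:-unknown}"; return 1 ;;
  esac
}

# Demo: a 2048-bit CSR is flagged, 3072-bit RSA and P-256 pass.
work=$(mktemp -d)
for spec in rsa:2048 rsa:3072 ec:prime256v1; do
  make_csr "$spec" "$work/demo.key" "$work/demo.csr" || continue
  printf '%-14s ' "$spec"
  check_csr_key "$work/demo.csr" || true
done
rm -rf "$work"
```
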

Order a CS certificate

  1. In the left main menu, hover over Request a Certificate, and then, under Code Signing Certificates, select Code Signing.

  2. Assign the request to a division

    In the For dropdown, select the division to manage the certificate. This dropdown only appears if your account uses Divisions.

Certificate settings

  1. CSR

    Upload the CSR or paste the CSR in the CSR box.

    The Sun Java Platform is the only platform that requires you to submit a CSR. For all other platforms, submitting a CSR is optional.

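  2. Organization unit

    Adding an organization unit is optional. You can leave this box blank.

  3. Validity period

    Select the validity period for the certificate: 1 year, 2 years, or 3 years.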

    If needed, you can customize the expiration date or certificate length. However, you cannot exceed the 39-month maximum code signing certificate validity.

  4. Signature hash

    To set up automatic renewal for this code signing order, check Auto-renew order 30 days before expiration.

    Unless you have a specific reason for choosing a different signature hash, DigiCert recommends using the default signature hash: SHA-256.

    Tip

    If your certificate still has time remaining before it expires, DigiCert adds the remaining time from your current certificate to your new certificate (up to 39 months).

Organization

  1. In the Organization dropdown, choose the organization you want to associate with your code signing certificate.

    Important

    If you choose an organization that is not validated for code signing certificates, DigiCert must validate the organization for code signing before we can issue your certificate.

  2. Additional emails (optional)

    Enter the email addresses (comma separated) you want to receive the certificate notification emails, such as certificate issuance and expiring certificate notifications.

    Tip

    Depending on your account settings, your administrator may require you to include at least one additional email.

Additional certificate options

The information below is optional. None of it is required to issue your certificate.

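  1. Organization unit

    Adding an organization unit is optional. You can leave this box blank.

    Important

    If your order includes an organization unit, DigiCert must validate it before we can issue your certificate.

  2. Subject email (CertCentral Enterprise/Partner accounts only)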

    Enter the email address you want to appear on the certificate.

    Including an email address on the certificate provides an additional layer of trust for end users when checking your code signing certificate.

    Important

    The email address must contain a validated domain associated with the organization included in the request, for example, email-username@validated-domain.

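    1. Expand Show available domains and select a domain for your email address. The email address you provide must have a validated domain.

    2. Optionally, add the email address you want to appear as the subject on the code signing certificate.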

      • We don't show a dropdown if the organization only has one validated domain assigned to it.

      • You cannot include a subject email if the organization does not have any validated domains assigned to it.

Order options

The information below is optional. None of it is required to issue your certificate.

  1. Comments to Administrator (optional)

    Enter any information your administrator might need to approve your request, such as the purpose of the certificate.

  2. Additional Renewal Message (optional)

    To create a renewal message for this certificate, add a message with information that might be relevant to the certificate’s renewal.

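Payment information

  1. Select a payment method

    Under Payment Information, select the payment method to pay for the certificate:

    1. Bill to credit card

      Don't have a contract or don't want to use your contract to pay for the certificate? Use a credit card to pay for the certificate.

      Note

      When the request is made, we authorize the card. However, we only complete the transaction after your certificate is issued. If you have a contract enabled, check the box next to Exclude from contract terms.

    2. Bill to account balance

      Don't have a contract or don't want to use your contract to pay for the certificate? Charge it to your account balance.

      To deposit funds, click the Deposit link.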

      The Deposit link takes you to another page in your CertCentral account. Any information entered in the request form will not be saved.

      If you have a contract enabled, check Exclude from contract terms.

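    3. Bill to contract terms

      Do you have a contract and want to use it to pay for the certificate? If you have a contract, this is the default payment method.

  2. Certificate Services Agreement

    Select Certificate Services Agreement. Read the agreement, and then check I agree to the Certificate Services Agreement.

  3. Select Submit Certificate Request

    If approval is required, the organization's verified CS contact receives an email informing them that they need to approve the certificate request.

What's next

Important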

DigiCert recommends that developers take precautions with the code signing process and protect the private key associated with their signing certificate. See Protect private keys: Code signing best practices.