订购 EV 代码签名证书
重要
对代码签名证书的行业要求改为最低 RSA 3072 位密钥
为了遵守更改后的行业要求,DigiCert 对我们的代码签名证书流程进行了以下更改:
仅颁发最低 RSA 3072 位密钥的代码签名证书*
使用新的中间证书 CA 和根证书颁发代码签名和 EV 代码签名证书:RSA 和 ECC
DigiCert 支持两种电子令牌:
5110 CC(适用于 RSA 4096 位和 ECC P-256 位密钥证书)
5110 FIPS(适用于 ECC P-256 和 P-384 位密钥证书)
SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit key certificates.
SafeNet eToken 5110+ CC (940B) for ECC P-256-bit key certificates.
HSM 必须:
支持最低 RSA 3072 位或 ECC P-256 位密钥大小
必须是符合 FIPS 140-2 Level 2+ 或通用标准 EAL4+ 的设备
在开始之前
预验证组织对您需要为其获取 EV 代码签名证书的组织进行预验证。请参阅 添加组织 和提交组织以进行预验证。
预验证组织对您需要为其获取 EV 代码签名证书的组织进行预验证。请参阅 添加组织 和提交组织以进行预验证。
生成 CSR(仅限 HSM 订单)如果要在 HSM 设备安装 EV 代码签名证书,必须通过订单提交证书签名请求 (CSR)。
生成 CSR(仅限 HSM 订单)如果要在 HSM 设备安装 EV 代码签名证书,必须通过订单提交证书签名请求 (CSR)。
为了保持安全,证书必须使用最低 RSA 3072 位或 ECC P-256 位密钥大小。请参阅您的 HSM 提供商的文档,以便为您的请求创建 CSR。
订购 EV 代码签名证书
In the left main menu, hover over Request a Certificate. Under Code Signing Certificates, select EV Code Signing.
On the Request EV Code Signing Certificate page, in the For dropdown, select the division to manage the certificate.
The For dropdown only appears if your account uses Divisions.
证书设置
有效期
选择证书的有效期:1 年、2 年或 3 年。
If needed, you can customize the expiration date or certificate length. However, you cannot exceed the 39-month maximum EV code signing certificate validity.
自动续订
要为该证书设置自动续订,请选中在到期前 30 天自动续订订单。
启用自动续订后,当此证书即将到期时,将自动提交新的证书订单。如果您的证书尚未到期,DigiCert 会将您当前证书的剩余期限转至您的新证书(最多 39 个月)。
重要
If your certificate still has time remaining before it expires, DigiCert adds the remaining time from your current certificate to your new certificate (up to 39 months).
Organization
组织
Select Add organization. The organization name will appear on the EV code signing certificate.
在下拉列表中,选择需要为其订购 EV 代码签名证书的组织。组织名称将会显示在 EV 代码签名证书上。
In the Add organization window, do one of the following:
Add an existing organization.
Select An existing organization.
In the dropdown, select the organization and then select Add.
If you choose an organization not validated for EV Code Signing certificates or if the organization's EV code signing validation has expired, DigiCert must validate the organization for EV code signing validation before we can issue your certificate.
Organization and technical contacts.
DigiCert automatically adds the contacts assigned to the organization to the request form. To see the organization and technical contacts, select Show organization contacts.
Verified contacts.
DigiCert automatically adds the assigned contacts to the request form if the organization has EV code signing verified contacts. To view, change selections, or add verified contacts, expand Verified contacts.
The Add contacts popup window opens if the organization has not assigned EV code signing verified contacts. In this window, you can add yourself, a user in your account, or a new contact as a verified contact. See Verified contacts below.
Add a new organization.
Select A new organization and select Next.
Under Organization address details, enter your organization's legal name, assumed name (optional), address, and phone number.
DigiCert must validate the organization for EV code signing validation before we can issue your certificate.
When ready, select Add.
Add an organization contact.
In the Add organization window, add yourself or someone else from your account, or create a new organization contact.
重要
The organization contact is whom we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization.
They may also receive the following notifications:
Order status updates for certificates requested for their organization.
Domain status updates for domains associated with their organization.
Add yourself as the organization contact.
Select Add me as the organization contact and then select Add or Next.
If we have all your information, you will select Add.
If we need more information, you will select Next, enter the missing information, and then select Add.
Add someone else as the organization contact.
Select Add someone else as the organization contact. Then in the Add contact dropdown, select the contact or user and then select Add or Next.
If we have the needed user information, you will select Add.
If we need more user information, you will select Next, enter the missing information, and then select Add.
Create new contact.
Select Add someone else as the organization contact.
In the Add contact dropdown, select Create new contact and then select Next.
Enter the needed user information and then select Add.
Technical contact for the organization (optional)
We may contact a technical contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.
Add yourself as the technical contact.
Select Add me as the technical contact for the organization and then select Add or Next.
If we have all your information, you will select Add.
If we need more information, you will select Next, enter the missing information, and then select Add.
Add someone else as the technical contact.
Select Add someone else as the technical contact for the organization. Then in the Add contact dropdown, select the contact or user and then select Add or Next.
If we have the needed user information, you will select Add.
If we need more user information, you will select Next, enter the missing information, and then select Add.
Create new contact.
Select Add someone else as the technical contact for the organization.
In the Add contact dropdown, select Create new contact and then select Next.
Enter the needed user information and then select Add.
Verified contacts
A verified contact must represent the organization included in your certificate request. At least one EV code signing verified contact is required.
To view, change selections, or add verified contacts, expand Verified contacts.
Select verified contacts.
If the organization has multiple EV code signing verified contacts, you can select who receives the EV code signing order approval email.
DigiCert sends the approval email to all selected, verified contacts, but only one needs to approve your order. Once the order is approved, DigiCert can issue your certificate. Selecting multiple verified contacts increases the likelihood of your order being approved quickly.
Add a verified contact.
When adding a new verified contact, we will contact the organization directly to verify the individual's name, email, phone number, job title, and authority. Only after DigiCert validates a verified contact can they approve EV code signing orders for the organization.
Add yourself as the verified contact.
Select Add me as a verified contact for the organization and then select Add or Next.
If we have all your information, you will select Add.
If we need more information, you will select Next, enter the missing information, and then select Add.
Add someone else as the verified contact.
Select Add someone else as the verified contact for the organization. Then in the Add contact dropdown, select the contact or user and then select Add or Next.
If we have the needed user information, you will select Add.
If we need more user information, you will select Next, enter the missing information, and then select Add.
Create new contact.
Select Add someone else as the verified contact for the organization.
In the Add contact dropdown, select Create new contact and then select Next.
Enter the needed information and then select Add.
其他电子邮件
输入您希望能收到证书通知邮件(例如,颁发证书、续订证书等)的收件人的电子邮件地址(使用逗号分隔)。
Depending on your account settings, your administrator may require you to include at least one additional email.
Additional certificate options
The information below is optional. None of it is required to issue your EV code signing certificate.
组织单位
添加组织单位是可选的。表单上的此框可以为空。
添加组织单位是可选的。表单上的此框可以为空。
设置选项
Provisioning options
The provisioning method refers to where you will store the private key and certificate. For the security of your EV Code Signing certificate, the certificate must be installed on and used from an approved device.
Select the storage device for your EV Code Signing certificate and its' private key.
DigiCert-provided hardware token (nonrefundable)
DigiCert ships a secure token with instructions for installing the certificate on your token. So you can start signing code.
Then, under Shipping address, add your shipping information: your name and the address where you want us to send the hardware token.
Use existing token
After DigiCert issues your EV code signing certificate, install the certificate on your token.
In the Platform dropdown, select the type of hardware token on which you plan to install your EV Code Signing certificate:
SafeNet eToken 5110 CC (940) for RSA 4096-bit and ECC P-256-bit or higher key certificates.
SafeNet eToken 5110 FIPS for ECC P-256 and P-384-bit key certificates.
SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit or higher key certificates.
SafeNet eToken 5110+ CC (940B) for ECC P-256-bit key certificates.
重要
You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device listed above. You cannot install the certificate on any device not on the list.
Need an approved token?
Please select DigiCert-provided hardware token to have a token shipped to you. If you have questions, please contact DigiCert Support.
Install on HSM
After DigiCert issues your EV code signing certificate, install it on the HSM where you generated the private key and CSR.
Select Yes under Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM?
Note that we will send the certificate requestor an agreement email. This email ensures the private key is stored on an HSM certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. DigiCert will only issue the certificate after the requester agrees to the private key protection requirement.
重要
You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+, or equivalent hardware security module (HSM) that supports at least 3072-bit keys.
Don't have a compatible HSM?
Please select a different provisioning method. If you have questions, please contact DigiCert Support.
DigiCert KeyLocker (Cloud HSM)
KeyLocker is an automated cloud storage service where you can store your private key and code signing certificate. Access them anytime from anywhere to sign your code. Learn more.
DigiCert also offers Software Trust Manager, an enterprise-level code signing solution. Contact your account representative to determine if your organization could benefit from Software Trust Manager. Learn more.
Additional order options
The information below is optional. None of it is required to issue your certificate.
Comments to Administrator (optional)
Enter any information your administrator might need for approving your request, about the purpose of the certificate, etc.
其他续订消息
要为此证书创建续订消息,请键入消息,其中包含与续订证书相关的信息。
付款信息
选择付款方式
在付款信息下,选择为证书付款的付款方式:
将帐单计入信用卡
没有合同且不希望使用合同为证书付款?使用信用卡为证书付款。
当提出请求时,我们为卡片授权。但是,我们只能在颁发您的证书后才能完成交易。
如果您启用了合同,请选中从合同条款中排除。
将帐单计入帐户余额
没有合同且不希望使用合同为证书付款?从您的帐户余额中扣费。
如需充值,请单击充值链接。单击该链接将跳转到您的 CertCentral 帐户的其他页面。在申请表中输入的任何信息都不会被保存。
如果您启用了合同,请选中 从合同条款中排除。
按照合同条款付款
您是否有合同且希望使用它为证书付款?如果您有合同,这是默认的付款方式。
证书服务协议
阅读协议,然后选中我同意证书服务协议。
单击提交证书请求。
Selecting Submit Certificate Request also means you agree to all the terms and conditions in the Master Services Agreement.
接下来
DigiCert recommends that developers take precautions with the code signing process and protect the private key associated with their signing certificate. See Protect private keys: Code signing best practices.