When your code signing certificate is about to expire, you’ll need to order a new one. Follow these steps to renew your code signing certificate.
1. Purchase a New Certificate
Before you buy, you’ll need to consider which secure storage option you want to use for your certificate. The following “Certificate Delivery Methods” are supported.
- USB token (SafeNet) provided by the CA
  - Note: only DigiCert code signing certificates can be installed on a pre-owned USB token
- Your own FIPS 140-2 compliant hardware security module (HSM)
- A supported cloud-based key management service
You won’t be able to change the delivery method later, so make sure you know which one you need before you purchase.
For a better look at the hardware options, check out our article on Code Signing Certificate Delivery Methods.
2. Enroll the Certificate Request
After you buy the certificate, proceed to the enrollment form to provide all the necessary information for your certificate request.
If you’re using your HSM for a Comodo or Sectigo certificate, you must provide a CSR and attestation file that you create on your HSM. If you need help with this step, you can either refer to your HSM documentation or check out our HSM CSR and Attestation Guides.
3. Complete Validation with the Certificate Authority
Once you have submitted your order, the Certificate Authority will start verifying your organization or individual developer information.
Yes, even though it’s a renewal, the CA must verify your organization again. They must make sure your company is still active, in good standing, and that the person requesting the certificate is an authorized employee. Individual developers will also need to provide documents and go through a verification process.
Check out our Code Signing Validation articles for a full overview of what to expect from the validation process, and keep an eye out for communication from your CA so you can get through validation as quickly as possible.
4. Set Up Your New Certificate
After your information is verified, the certificate company will issue your new certificate.
If you opted to buy a token from the CA, they’ll mail it to either your organization’s address or the alternate shipping address you provided during enrollment.
If you’re using your own HSM or cloud-based service, the certificate will be emailed to you. Then, you’ll need to install it or import it into your HSM before you can use it.
Please refer to our Code Signing Hardware Setup guides for installation instructions for your specific certificate, as there are different steps required depending on the Certificate Authority as well as the hardware itself.
Finally, you’re all set with your renewed Code Signing Certificate.