Preventing Locked Code Signing eTokens

When you purchase a Code Signing hardware token from a Certificate Authority, you’ll receive a SafeNet USB eToken that has been reinforced with strict security measures to mitigate misuse and abuse of the certificate. The token may lock itself if it detects suspicious operations, such as entering the wrong password too many times, or trying to export the certificate from the token.

Please take great care when handling your vendor-provided Code Signing token to avoid locking it. In some cases it is not possible to unlock a token or recover a deleted certificate, and your only option will be to order a new one from the vendor. We cannot guarantee the replacement token will be free of charge. 

Regarding the SafeNet User Guide (and Other Online Resources)

The SafeNet Authentication Client is third-party software used by many different Certificate Authorities. You may be able to find various online resources with different sets of instructions for using the SafeNet client.

Please keep in mind that not all of the SafeNet resources online today will be accurate to your specific code signing certificate. You must be cautious when referring to instructional guides that were not created by the Certificate Authority that issued your certificate.

Even the official SafeNet User Guide describes several actions within the SafeNet client that will lock your token or delete the certificate and key. Several operations listed in the user guide must NEVER be attempted if you have purchased your Code Signing certificate token from the SSLStore, whether it was issued by Sectigo or DigiCert.

You may follow the SafeNet User Guide for the following operations

  • Selecting the Active Token
  • Viewing and Copying Token Information
  • Logging On to the Token as a User
  • Changing the Token Password

Do NOT attempt the following operations under any circumstances

  • Deleting Token Content
  • Importing a Certificate to a Token
  • Exporting a Certificate from a Token
  • Clearing a Default Certificate
  • Deleting a Certificate
  • Logging On to the Token as an Administrator
  • Changing the Administrator Password
  • Unlocking a Token by the Challenge-Response Method
  • Setting a Token Password by an Administrator

If you are forced by the SafeNet client to enter an administrator password or provide a challenge and response code, please STOP and contact our support team right away. We will direct you to the appropriate technical support team for assistance. 

Token Password vs. Administrator Password

There are two different types of passwords set on your code signing certificate token. 

Token Password

The token password is used to log on to the token as a user and complete signing processes. Depending on the Certificate Authority, you may either be provided a preset token password (which you can change in SafeNet) or you may be able to set your own password when you set up the token for the first time.

We recommend using a password manager to save your token password so that you do not lose it. If you enter the token password incorrectly too many times, the token will be locked, and it may not be recoverable.

You have a limited number of password attempts before the token will be permanently locked due to invalid password entry. SafeNet Client displays the maximum number of attempts and the number of retries remaining before the token will be locked in the certificate details window.

If you are having trouble with your password, please check how many attempts you have left so you do not accidentally lock the token.

If you have lost your token password, please ask our support team to direct you to the appropriate vendor technical support team for further assistance.
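
For unattended signing jobs, the same retry check can be made before any password is sent to the token. The following is an added example, not code from SafeNet, the Certificate Authority or this article; it assumes the token's PKCS#11 module reports the standard user-PIN status flags in CK_TOKEN_INFO.flags, and the function names, refusal policy and sample masks are hypothetical.

```python
from __future__ import annotations

# Added example, not vendor code. Flag values are from the PKCS#11
# specification (CK_TOKEN_INFO.flags); the sample masks below are constructed.
CKF_LOGIN_REQUIRED = 0x00000004
CKF_USER_PIN_INITIALIZED = 0x00000008
CKF_TOKEN_INITIALIZED = 0x00000400
CKF_USER_PIN_COUNT_LOW = 0x00010000  # a wrong password was entered since the last good logon
CKF_USER_PIN_FINAL_TRY = 0x00020000  # one more wrong password locks the token
CKF_USER_PIN_LOCKED = 0x00040000     # the user password is locked

PIN_FLAGS = {
    CKF_USER_PIN_COUNT_LOW: "USER_PIN_COUNT_LOW",
    CKF_USER_PIN_FINAL_TRY: "USER_PIN_FINAL_TRY",
    CKF_USER_PIN_LOCKED: "USER_PIN_LOCKED",
}


def pin_state(flags: int) -> list[str]:
    """Names of the user-password warning flags set in a token flags mask."""
    return [name for bit, name in PIN_FLAGS.items() if flags & bit]


def may_attempt_login(flags: int, interactive: bool) -> tuple[bool, str]:
    """Decide whether to send the token password; this guard never retries."""
    if flags & CKF_USER_PIN_LOCKED:
        return False, "token locked: stop and contact support"
    if flags & CKF_USER_PIN_FINAL_TRY:
        return False, "final attempt remaining: verify the password first"
    if flags & CKF_USER_PIN_COUNT_LOW and not interactive:
        return False, "earlier failed attempt: unattended job must not guess"
    return True, "ok"


# Constructed sample masks, as a signing wrapper might read them from the token.
HEALTHY = CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
ONE_MISS = HEALTHY | CKF_USER_PIN_COUNT_LOW
LAST_TRY = ONE_MISS | CKF_USER_PIN_FINAL_TRY
LOCKED = HEALTHY | CKF_USER_PIN_LOCKED

if __name__ == "__main__":
    for label, mask in [("healthy", HEALTHY), ("one miss", ONE_MISS),
                        ("last try", LAST_TRY), ("locked", LOCKED)]:
        print(label, pin_state(mask), may_attempt_login(mask, interactive=False))
```

A build script that stops on the first refusal, rather than looping on a stored password, cannot consume the remaining attempts on its own.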

Administrator Password

The administrator password is set by the Certificate Authority and may not be changeable by the user. 

DigiCert Code Signing Administrator Password

DigiCert Code Signing certificates may allow you to change the default administrator password during token setup. However, changing the administrator password is not recommended, as losing that password might lock you out of your token.

Sectigo Code Signing Administrator Password

Sectigo Code Signing certificates never allow changes to the administrator password, and the password is only known to the technical team at Sectigo. Do not attempt to use any “default administrator passwords” that may be listed online with your Sectigo Code Signing certificate token.

My Token is Locked, What Can I Do?

If your code signing certificate token is locked, or the certificate has been deleted, please reach out to support for troubleshooting. You may need to do a remote session with the CA’s technical support team to attempt unlocking the certificate or to verify that the token has been permanently locked. 

Once it is confirmed that the token is locked and needs to be replaced, you must order a new certificate. Again, we cannot guarantee that a replacement certificate will be free of charge or that the locked token will be refundable – so you must avoid user error at all times!
