DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

Code signing changes in 2023

Solution ID : AL310523141628
Last Modified : 05/01/2024

New Code Signing certificate private key storage requirement

Starting May 30, 2023, DigiCert requires private keys for code signing certificates to be stored on hardware certified as FIPS 140-2 level 2, Common Criteria EAL 4+, or equivalent that supports 3072-bit or larger keys.

The DigiCert timeline ensured we had updated our code signing certificate process so that private keys for code signing certificates are stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent by June 1, 2023.

Reminder: On June 1, 2023, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140-2 level 2, Common Criteria EAL 4+, or equivalent that supports 3072-bit or larger keys.

For more information about these changes, see our knowledge base articles:


Frequently asked questions

What if I need to reissue my code signing certificate after May 30?

Code signing certificates can be reissued. However, the reissued certificate and its private key must be stored on FIPS 140-2 level 2, Common Criteria EAL 4+, or equivalent that supports 3072-bit or larger keys.

When reissuing your code signing certificate, you will need to select a provisioning method:

  • You can use an existing hardware token if you already have a supported token: SafeNet 5110 CC, SafeNet 5110+ FIPS, and SafeNet 5110 FIPS.
  • If you don't have a supported hardware token, you can use a DigiCert-provided hardware token as the provisioning method.

You can also use the reissue process to replace older tokens that do not meet the current RSA key size requirements.


Is there a cost to reissue my code signing certificate?

This depends on the Provisioning method you select. See the chart below.

Provisioning Options Additional Cost: Yes/No Price (USD)
DigiCert provided hardware token Yes $120
Use existing token No -
Install on an HSM No -
DigiCert KeyLocker Yes Reach out to your account manager


Can I get a new security token when I renew my Code Signing certificate?

When you renew a certificate, you can get a new token as part of your order by selecting DigiCert-provided hardware token as the provisioning method. See Renew a Code Signing certificate.


Can I order extra eTokens?

Additional USB eTokens can be purchased to go with your Code Signing order. To purchase additional tokens, you must reissue your Code Signing certificate. On the reissue form, select DigiCert provided hardware token as the provisioning method.


If I want to get my own supported token, which eTokens does DigiCert support?

Token Capabilities Bits
Safenet 5110 FIPS ECC P-256 3072/4096
ECC P-384 3072/4096
Safenet 5110 CC* RSA 4096 4096
ECC P-256 4096
ECC P-384 4096
Safenet 5110+ FIPS* RSA 4096 4096
ECC P-256 4096
ECC P-384 4096
*Note: Safenet 5110 CC and SafeNet 5110+ FIPS supports a minimum of 4096 bit even though the industry standard is 3072 bit.


How do I get the new provisioning method DigiCert KeyLocker enabled for my account?

Reach out to your account manager or our sales team to assist with getting DigiCert KeyLocker enabled for your account.