
HSM Letter Procedure | Authentication

Solution ID : GN300622212036
Last Modified : 10/04/2024

When is an HSM Letter Required?

An HSM letter is required when you install your Document Signing certificate on your personal HSM device instead of using your own USB token or receiving a USB token from DigiCert.

If you need to change the provisioning option after enrollment, contact DigiCert Support to have the update made, or cancel the order and place a new one with the desired provisioning option selected.

What is the HSM Letter?

The purpose of the HSM Audit Letter is to have the customer accept liability for storing their private key on a FIPS 140-2 or EAL4+ compliant HSM device, which is a CA/B requirement.

Who can sign the HSM Letter?

  • Anyone can sign the HSM Audit Letter if the signer states they have IT knowledge.
  • The document can be hand-signed or signed with a valid electronic signature.

How long is the HSM Letter valid for?

For Document Signing, the HSM letter is valid for 825 days.

What is the HSM Procedure?

If you chose to use your own HSM device:

  1. DigiCert must send the HSM Audit Letter.
  2. The HSM Audit Document must be signed and returned to DigiCert.
  3. DigiCert must call to confirm the authenticity of the letter with the signer.

    • DigiCert will complete the call using one of these phone numbers:

      • A verified telephone number - preferred
      • The number listed on the HSM letter
    • DigiCert must confirm:
       
      • The signer is aware of the letter
      • The HSM device is FIPS 140-2 or EAL4+ Compliant
