When is an HSM Letter Required?
When you choose to install your Document Signing or Code Signing certificate on your personal HSM device instead of using your own USB Token or receiving a USB token from DigiCert.
For EV Code Signing enrolled on or after November 17, 2022, HSM Audit Letters are no longer required if the customer makes the following selection during the order enrollment in CertCentral:
Under "Provisioning Options" select "Install on an HSM" and then select "Yes" under "Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM".
If you do not have a compatible HSM, select a differnet provisioning method.
If you need to change the provisioning option after enrollment, please contact DigiCert for the update to be made or cancel the order and place a new one selecting the desired provisioning option.
What is the HSM Letter?
The purpose of the HSM Audit Letter is to have the customer accept liability for storing their private key on a FIPS 140-2 or EAL4+ Compliant HSM device which is a CA/B requirement.
Who can sign the HSM Letter?
How long is the HSM Letter valid for?
Applicable Products
Validity Period of Letter
EV Code Signing
13 Months
Standard Code Signing
825 Days
Document Signing
825 Days
What is the HSM Procedure?
If you chose to use your own HSM device: