Knowledge Base

Description

When is an HSM Letter Required?

When you choose to install your Document Signing or Code Signing certificate on your personal HSM device instead of using your own USB Token or receiving a USB token from DigiCert.

For EV Code Signing enrolled on or after November 17, 2022, HSM Audit Letters are no longer required if the customer makes the following selection during the order enrollment in CertCentral:

Under "Provisioning Options" select "Install on an HSM" and then select "Yes" under "Was the private key generated by a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM".
If you do not have a compatible HSM, select a differnet provisioning method.

If you need to change the provisioning option after enrollment, please contact DigiCert for the update to be made or cancel the order and place a new one selecting the desired provisioning option. 

What is the HSM Letter?

The purpose of the HSM Audit Letter is to have the customer accept liability for storing their private key on a FIPS 140-2 or EAL4+ Compliant HSM device which is a CA/B requirement.

Who can sign the HSM Letter?

• Anyone can sign the HSM Audit Letter, as long as the signer states they have IT knowledge
  
• The document can be hand-signed or signed with a valid electronic signature.
  

How long is the HSM Letter valid for?

What is the HSM Procedure?

If you chose to use your own HSM device:

1. DigiCert must send the HSM Audit Letter
   
2. The HSM Audit Document must be signed and returned to DigiCert
   
3. DigiCert must call to confirm the authenticity of the letter with the signer.
   
   
   • DigiCert will complete the call using:
     • A verified telephone number (preferred)
     • The number listed on the HSM letter
   • DigiCert must confirm that: 
     • The signer is aware of the letter
       
     • The HSM device is FIPS 140-2 or EAL4+ Compliant