Knowledge Base

Learn how to set up your code signing DigiCert-provided hardware token. 

Before you begin

Before you begin, make sure you meet these prerequisites:

• DigiCert-provided hardware token: SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS.
• Access to your certificate's Order details page in CertCentral.
• Code Signing or EV Code Signing certificate order number.
• Verify whether the eToken is blank or comes with the certificate preinstalled.
• Administrator permissions on your computer.
• Secure password manager. See Passwords 101.

How do I know if my eToken is blank or comes with the certificate installed?

In your CertCentral account, go to your certificate's Order details page. In the Certificate actions dropdown menu, what option do you see? The menu option lets you know if the eToken is blank or has the certificate preinstalled.

Menu options:

• Install certificate
  This option means the eToken is blank, and you must install the certificate on the eToken. See Install your code signing certificate on your hardware eToken below.
  
  
• Initialize token
  This option means the certificate comes preinstalled on your eToken. You need to unlock the eToken to access your certificate. See Initialize your eToken below.

Install your code signing certificate on your eToken

1. In your CertCentral account, in the left main menu, go to Certificates > Orders.
   
   
2. On the Orders page, select the certificate's order number.
   
   
3. On the certificate's Order details page, in the Certificate detail section, in the Certificate actions dropdown, select Install certificate.
   
   
4. Use the following link to download and install the DigiCert Hardware Certificate Installer:
   Download the DigiCert Hardware Certificate Installer 
   1.  You must install the SafeNet Authentication Client Tools on any system you plug the eToken in to sign code.
   2. Learn how to install the SafeNet Drivers.
       
5. Copy the initialization code for your order.
   
   
6. Open the DigiCert Hardware Certificate Installer.
   
   
7. In the DigiCert Hardware Certificate Installer on the Initialization Code page, in the Initialization Code box, enter the initialization code from your CertCentral account and then select Next.  
   
   
   
   
8. Plug in your eToken.
   
   
9. On the Token Detection page, check Re-initialize my token and permanently delete any existing certificates and keys and then select Next.
   If you are installing an alternate chain or key type and need to keep your current certificate on the eToken intact, leave the Re-initialize option unchecked.  
   
   
   
   
   
10. On the Key information page, do one of the following tasks and then select Next:
    
    
    • RSA
      1. Under Key Type, select RSA.
      2. Under Key Size/Curve Name, select 4096.
          
    • ECC Key Types
      1. Under Key Type, select ECC
      2. Under Key Size/Curve Name, select p-256 or p-384. 
         
          
          
11. On the Token Setup page, do the following tasks:
    1. Add a Token Name.
       The token name is used to identify the eToken. This name is helpful when you have multiple eTokens.
       
    2. Create a Token Password.
       This password (sometimes called a token PIN) is required to access the certificates saved on the eToken.  
       
       
       
        
12. READ THIS BEFORE YOU CONTINUE
    
    On the Administrator Password page, do one of the following tasks:
    
    1. If you have NOT changed the Administrator Password since receiving your eToken, leave Use factory default Administrator password checked and select Finish.
    2. If you have set a new Administrator Password (done outside of DigiCert Support using the SafeNet client), uncheck Use factory default Administrator password, enter the current Administrator Password, and select Finish. 
       
       
       
       
        
13. On the Certificate Installation page, be patient and wait.
    Some of the steps may take several minutes to complete. Wait to remove the eToken until the whole process is completed. 
    Generating an RSA 4096-bit key will take time. Let the process complete.  
    
    
    
    
    
14. When the process finishes, select Close.  
    
    
    
    
    
15. You can now use the code signing certificate on your eToken to sign code.
     

Initialize your eToken

1. In your CertCentral account, in the left main menu, go to Certificates > Orders.
   
   
2. On the Orders page, select the certificate's order number.
   
   
3. On the certificate's Order details page, in the Certificate detail section, in the Certificate actions dropdown, select Initialize Token.
   
   

   Important: Do not proceed without your DigiCert-provided hardware token. You need the eToken to complete these steps. Additionally, some information is only shown one time.

   
   
4. On the initialization page, confirm you have your eToken.
   If you have not received your DigiCert-provided hardware token, do not proceed. You can use the link to check your tracking information. However, come back once you have your DigiCert-provided token.
   1. Now that you have your DigiCert-provided hardware token, check I have received the hardware token.
   2. When ready, select Submit.
       
5. On the confirmation page, copy your preassigned eToken password and store it in a safe place.
   
   

   Warning: Your preassigned password will only be visible once. Make sure to take note of this password. You need it to access your certificate on your DigiCert-provided hardware token. See Password 101.

   
   
6. Use the link to download and install the DigiCert Hardware Certificate Installer.
   1. You must install the SafeNet Authentication Client Tools on any system you plug the eToken in to sign code.
   2. Learn how to install the SafeNet Drivers.
      
      
7. Change the eToken password.
   The eToken password is used to access the eToken certificate store.
   1. Open the SafeNet Authentication Client and then connect the eToken to your computer.
   2. In the SafeNet Authentication Client, on the top of the page, click the cog icon (Advanced View button).
      You should now see the eToken listed in the tree menu on the left side of the page.
   3. Right-click on the eToken name and select Change Password.
   4. On the change password page, enter your Current Token Password from the Initialization page in CertCentral.
   5. Next, create a new password.
   6. Save the New Token Password in your secure password manager.
   7. When ready, select OK.
       
8. You can use the certificate on your eToken to sign code.

Password 101

The SafeNet eToken uses the following passwords:

• Administrator Password: 
  
  The default Administrator Password is "0" 48 times as provided by the manufacturer. If "this" password is lost, you are permanently locked out of the eToken and must purchase a new one. DigiCert does not set up this password.
  
  
• Token Password: 
  
  This password is used to access the eToken certificate store. If lost, you can reset the eToken and reinstall the certificate.
  
  
• Personal Unlocking Key (PUK): Default PUK is 000000. 
  
  DigiCert does not use the PUK in our process.

Minimum Password Requirements:

• Your password should contain at least 8 characters.
• Your password should include both upper-case characters and lower-case characters as well as numerals and special characters (for example: !, $, %, #).
• The minimum password length and character requirements apply to both the Token password and the Administrator password.

Troubleshooting

1. My token appears as "SafeNet Token JC 0." 
   Your eToken has been permanently disabled due to incorrect password attempts. Please contact DigiCert Support to order a new eToken.  
   
   
   
   
   
2. I lost my Administrator password. 
   The administrator password is required to reset the device and is unrecoverable. Please contact DigiCert Support to order a new eToken.
   Note: The manufacturer sets this password, not DigiCert.
   
   
3. I lost my Token password. 
   The Token Password is used to access the eToken certificate store. Use the Administrator Password to reset the eToken password if lost. 
   If you have lost your Token Password, you can reinitialize the eToken and create a new Token store when you reissue/rekey your certificate. 
   
   
   1. Reissue your certificate. 
      • Reissue or re-key a Code Signing certificate
      • Reissue or re-key an EV Code Signing certificate
      • Rekeying Your DigiCert Document Signing Certificate
         
   2. Re-initialize your eToken. After DigiCert reissues your certificate, install it on your eToken. See Install your code signing certificate on your hardware token.
      
      
      

      Note: Items 4, 5, 6 and 7 refer to troubleshooting errors for the DigiCert Hardware Certificate Installer.

      
       
4. Error "The Initialization Code was invalid, has already been used, or has expired."
   
   
   • Scenario 1: The user has an existing order in a reissue state.
     
     Solution: 
     1. Log in to the account > Certificates > Orders > Click on the order number > Certificate Actions > Reissue Certificate > Provisioning options > Use existing token > Submit request. 
     2. Return to the order > Certificate Actions > Install certificate > Copy the new initialization code.
         
   • Scenario 2: The new order does not have the "install certificate" option in the CertCentral account.
     
     Solution:
     Reissue the certificate when the install certificate option is not displayed under certificate actions.
     1. Log in to the account > force a reissue using the link below in a new tab on the browser where you are logging in from: https://digicert.com/secure/orders/{order-number}/reissue 
     2. Select Provisioning options > Use existing token > Submit request.
     3. Return to the order > Certificate Actions > Install certificate > Copy the new initialization code
        
        
   • Scenario 3: Some time has passed before an install attempt has been made which resulted in the above error.
     
     Solution:
     Force reissue the certificate when only the install certificate option is displayed under certificate actions.
     1. Log in to the account > force a reissue using the link below in a new tab on the browser where you are logging in from: https://digicert.com/secure/orders/{order-number}/reissue 
     2. Select Provisioning options > Use existing token > Submit request.
     3. Return to the order > Certificate Actions > Install certificate > Copy the new initialization code. 
        
        
        
         
5. Error: 8-0x00000062 
   
   This error is caused by trying to install your certificate on a token that does not support RSA above 2048. 
   You will need to choose ECC in the DigiCert Hardware Certificate Installer to complete the installation or reissue the order and purchase an additional token that will be compatible. ECC is not always compatible with all signing tools, so this option is only if you need to sign urgently and the signing tool you utilize supports ECC or are unable to purchase a new token at the time. It is recommended that you have a supported token.
   
   
6. Error: 5-0x00000030 
   
   This error is related to not having the latest Safenet version. To solve this issue please update to the latest Safenet version which you can find here. 
   
   
7. Error: 8-0x00000031 
   
   This error is related to having too many code signing certificates on the same token. To solve this issue please remove some of the certificates to ensure sufficient space is availbale for another certificate. Once you have removed the certificates, please reattempt the initialization process.