SSL/TLS Certificates - How to Request a Code Signing Certificate

This document provides details regarding the information and processes required to obtain a code signing certificate, as well as the instructions to download the certificate once it is issued.

Criteria to Request a Code Signing certificate

Required Conditions

Key Attestation: CA/Browser Forum regulations as of June 2023 require the use of a Hardware Crypto Module HSM/HCM device to generate and store Private Keys. Key Attestation is required on the Code Signing Certificate request form. Please see the following for more information: Changes to Sectigo Code Signing Offerings

Presently there are two forms of hardware that Sectigo supports for verification.
- Thales/Safenet Luna and netHSM devices
- Yubico FIPS Yubikey (for ECC Keys only)

We are recommending the acquisition of a FIPS Series YubiKey
- You can find more information regarding the use of a YubiKey here: Key Generation and Attestation with YubiKey
- https://www.yubico.com/product/yubikey-5-fips-series/yubikey-5-nfc-fips/
  - Cost is roughly $80-$105 for a YubiKey. We strongly recommend that this is a departmental purchase, not a personal purchase.

To request a code signing certificate, please make sure your request meets the criteria below.

Make sure you are submitting the request from a UW-Madison affiliated email address. Requests from non affiliated email addresses will be declined.

The code signing certificate request can only be submitted for software or applications that are affiliated with UW-Madison.

Required Information

To request a code signing certificate, please send the information below to servercertificates@doit.wisc.edu.

Explanation of why a code signing certificate is needed. A reason to use one in the past may no longer be valid, and no longer requires your time to maintain and renew.
Brief description of the software or application regarding its intended purposes and who the audience is?

What domain is the software or application tied to? If the software or application is not tied to a domain, which department or domain is the software or application associated with?

For domains that do not currently exist in the certificate provider system, they will need to be added to the system and vetted by Domain Control Validation (DCV).

If your domain does not exist in the system and needs to be added, you will be asked to contact servercertificates@doit.wisc.edu to assist you with accomplishing this process.

What contact email would you like to appear on the code signing certificate? (Note: Must be a UW-Madison affiliated address)

What is the contact information that we should use incase issues or questions arise? (Please provide: Full Name, Email, Phone.)

How long should the code signing certificate be valid for? (Max is 3 years)

Obtaining and Downloading the Code Signing Certificate

Once your request is approved based on the information that you provided above, you will receive an email indicating that you have been invited to enroll in a certificate. The email contains some instructions that you will follow to obtain your code signing certificate (See Below).

After clicking the Invitation Request, you will be prompted with the following form to submit your Code Signing Certificate request. Please see the above section related to Key Attestation for assistance in generating a Private Key and related Attestation before selecting the Invitation Request. The Invitation Request will expire if not submitted after initially opening the form. If that is the case, please send us a new request.
Once the form is submitted, Sectigo will be prompted to approve the request and provide an email with the certificate download links.

NOTE: Downloading the certificate can be done in any browser.

Clicking the download link will automatically open your default browser and begin downloading your code signing certificate. You will also be prompted with this message containing some important information.

Your code signing certificate is now ready for you to use. Unfortunately, Server Certificates does not support the process of installing the certificate, this process is up to the user to complete.

NOTE: In the event that any part of these instructions do not work, please use the information on this KB Doc to contact Sectigo directly to complete your Code Signing Certificate Request: SSL/TLS Certificate Support

Keywords	code, signing, code signing, certificate, code signing certificate, ssl, tls, comodo, sectigo, incommon, key attestation, yubikey, yubico, security key, hsm, hcm, hardware crypto module, hardware security module Suggest keywords	Doc ID	77864
Owner	Jake S.	Group	SSL Server Certificates
Created	2017-11-02 08:50:58	Updated	2024-06-12 08:09:46
Sites	DoIT Help Desk, SSL Server Certificates
Feedback	0 0 Comment Suggest a new document