
# Sign with DigiCert

> Issue code-signing certificates from DigiCert CertCentral with an HSM-backed key.

## Concept

A DigiCert Certificate Authority configured for code signing issues OV (`code_signing`) and EV (`code_signing_ev`) certificates from your CertCentral account against a CSR. The signing key must live on an HSM (the CA/Browser Forum code-signing baseline requirements mandate hardware-protected private keys for both OV and EV certificates), so Infisical generates the key on an HSM, builds the CSR against that key, and sends only the CSR to DigiCert; the private key never leaves the HSM.

This guide covers using such a CA from the **Code Signing** product. To set up the CA itself, see [DigiCert (CertCentral Services API)](/documentation/platform/pki/ca/digicert-direct).
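The split described above (the key stays on the HSM, only the CSR travels, and the certificate that comes back must be bound to that key) is illustrated by the following Go program. It is an added example, not Infisical's or DigiCert's code, and everything in it is constructed for the example: a fresh P-256 key stands in for the HSM key, `IssueFromCSR` stands in for DigiCert (it verifies the CSR's proof of possession and signs with a throwaway CA named "Example Code Signing CA (test)"), and the subject "Example Corp" is made up. `CheckIssuedCert` is the check worth running on any issued signer certificate: the public key must match the key the CSR was built against, and the certificate must carry the Code Signing extended key usage.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BuildCSR is the Infisical side of the flow: the request is signed by the HSM-resident key
// (any crypto.Signer, e.g. PKCS#11-backed), so the PEM holds only the subject and public key.
func BuildCSR(hsmKey crypto.Signer, commonName, org string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName, Organization: []string{org}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, hsmKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckIssuedCert is the check to run on the certificate a signer comes back with: it must be
// bound to the key the CSR was built against and must carry the Code Signing extended key usage.
func CheckIssuedCert(certPEM []byte, hsmKey crypto.Signer) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := hsmKey.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(cert.PublicKey) {
		return nil, errors.New("certificate public key does not match the HSM key")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning {
			return cert, nil
		}
	}
	return nil, errors.New("certificate lacks the Code Signing extended key usage")
}

// IssueFromCSR stands in for DigiCert in this offline example: it verifies the CSR's proof of
// possession, then issues a one-year code-signing certificate from a throwaway CA keyed by caKey.
func IssueFromCSR(csrPEM []byte, caKey crypto.Signer) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	now := time.Now()
	issuer := &x509.Certificate{ // constructed stand-in for the issuing CA certificate
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA (test)"},
		NotBefore: now, NotAfter: now.Add(2 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: csr.Subject,
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, issuer, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed for the example: fresh P-256 keys stand in for the HSM key (which in a real
	// deployment never leaves the HSM) and for the issuing CA's key.
	hsmKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrPEM, _ := BuildCSR(hsmKey, "Example Corp", "Example Corp")
	certPEM, _ := IssueFromCSR(csrPEM, caKey)
	if _, err := CheckIssuedCert(certPEM, hsmKey); err != nil {
		panic(err)
	}
	fmt.Println("certificate matches the HSM key and carries the Code Signing EKU")
}
```

In a real deployment `hsmKey` would be a `crypto.Signer` backed by the HSM (for example through a PKCS#11 library), so the private key never enters process memory, and the certificate PEM would come from DigiCert rather than from `IssueFromCSR`; the checks in `CheckIssuedCert` are the same either way. A certificate that fails the key-match check is the classic symptom of loading a certificate against the wrong key or token slot.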

## Prerequisites

* A DigiCert Certificate Authority created with **Purpose** set to `Code Signing`. See [DigiCert (CertCentral Services API)](/documentation/platform/pki/ca/digicert-direct).
* An [HSM Connector](/documentation/platform/pki/settings/hsm-connectors) the signing key can be generated on.

## Create a Signer

Once a CA is configured for code signing, it appears in the CA picker of the **Code Signing → Create Signer** wizard. The Signer is created in the **Pending** state while DigiCert processes the order and becomes **Active** once the certificate is issued.

DigiCert's code-signing workflow includes an out-of-band approval step that the API cannot skip: DigiCert emails an approval link to the order's approver, and the order stays **Pending** until someone opens that link and approves the order in DigiCert. Depending on your CertCentral account's settings this approval can be required for every order, so a Signer can remain **Pending** even after the organization itself has been validated.

<Note>
  Code-signing certificates require an HSM-backed key. When you select a DigiCert code-signing CA, the Signer wizard locks the key source to **HSM** and you must pick an [HSM Connector](/documentation/platform/pki/settings/hsm-connectors).
</Note>

A **Pending** signer is checked on a schedule. To poll DigiCert immediately, use **Check issuance now** from the signer's actions menu. Hovering over the **Pending** status on the signer's detail page shows the DigiCert **order number**, so you can open that order in CertCentral to approve it or resend the approval email.

### Reuse an existing order

Each DigiCert order consumes a subscription slot on your CertCentral account. If a code-signing order already exists for this CA's organization, a Signer can issue into that order instead of spending another slot. This includes orders placed directly in DigiCert, not just ones Infisical created.

Reuse is scoped to the organization and product configured on the CA: only issued orders for that organization and product are offered. The Common Name and Validity come from the chosen order rather than from the Signer.

<Tabs>
  <Tab title="Infisical UI">
    In the Create Signer wizard's **Certificate** step, open **Reuse an existing order** and pick one of the listed issued orders. The Common Name and Validity fields are hidden because they are inherited from the order. Leave the field empty to place a new order instead.
  </Tab>

  <Tab title="API">
    Set `externalConfiguration.reissueFromExternalOrderId` to the order id on [Create Signer](/api-reference/endpoints/code-signing/signers/create) or [Reissue](/api-reference/endpoints/code-signing/signers/reissue).
  </Tab>
</Tabs>

<Warning>
  Reissuing into an existing order replaces that order's certificate. DigiCert revokes the previous certificate within 72 hours, after which it can no longer be used to sign.
</Warning>

## Editing a Signer

Editing a signer's Common Name, validity, key source, key algorithm, or CA triggers a fresh issuance. The signer returns to **Pending** until the new certificate is issued, and DigiCert revokes the previous certificate within 72 hours.

## Reissue and renewal

* **Reissue** (changing the key source or key algorithm, or pointing the Signer at an existing order) calls DigiCert's reissue endpoint, which keeps the same order and its validity and replaces the certificate.
* **Auto-renewal** (when **Renew before** is set) places a new order linked to the prior one so that DigiCert tracks the certificate history. If DigiCert reports the prior order as not eligible for renewal, Infisical falls back to a fresh, unlinked order.

## Deleting a Signer

Deleting a DigiCert code-signing signer revokes its DigiCert order, so the certificate can no longer be used to sign anywhere. Depending on your CertCentral account's revocation policy, DigiCert may queue the revocation for administrator approval rather than applying it immediately.

## Next steps

Once your signer is **Active**, you can use it to sign artifacts through the Infisical [PKCS#11 module](/documentation/platform/pki/code-signing/pkcs11-module). The signing workflow is the same as for any other Infisical signer; only the certificate backing it comes from DigiCert.

<CardGroup cols={2}>
  <Card title="Sign Windows Executables" icon="windows" href="/documentation/platform/pki/guides/code-signing/osslsigncode">
    Sign `.exe`, `.dll`, `.msi`, and other Windows artifacts with osslsigncode
  </Card>

  <Card title="Sign Java JARs" icon="java" href="/documentation/platform/pki/guides/code-signing/jarsigner">
    Sign Java archives with jarsigner
  </Card>

  <Card title="Sign Container Images" icon="docker" href="/documentation/platform/pki/guides/code-signing/cosign">
    Sign OCI container images with Sigstore cosign
  </Card>

  <Card title="Sign with OpenSSL" icon="lock" href="/documentation/platform/pki/guides/code-signing/openssl">
    General-purpose signing with OpenSSL
  </Card>
</CardGroup>
