How to Create a Code Signing CSR (Using DigiCert’s Certificate Utility)
Creating a certificate signing request (CSR) is the first step to get a code signing certificate. Here are step-by-step instructions to quickly generate a CSR with the DigiCert Certificate Utility.
A code signing certificate CSR (sometimes referred to as a code signing CSR or code signing request) is what you need to submit to get a publicly trusted code signing certificate to sign your code, scripts, or other executables. You can create a code signing CSR:
- Using a web browser that allows this function (i.e., Internet Explorer 11)
- Using OpenSSL
- Using a CSR generation utility
To simplify the code signing CSR process, this article will walk through how to complete a code signing request using DigiCert’s Certificate Utility tool.
Step One: Open the DigiCert Certificate Utility Tool
It may surprise you to know that the DigiCert Certificate Utility tool isn’t meant only for generating or handling SSL/TLS certificates. This CSR generation utility can also generate code signing requests (CSRs). To use this tool, you’ll need to download and install DigiCert’s Certificate Utility tool. Once you’ve done that, open the program on your device.
In the left-hand navigation pane, select Code Signing. Next, press the blue Create CSR option near the top-right portion of your screen.
Pressing the Create CSR option will launch a new screen that features some information fields that you’ll need to complete.
Step Two: Complete the Code Signing Request’s Required Information Fields
The Code Signing radio button should automatically be selected. If not, be sure to switch that from SSL to Code Signing now.
Next, you’ll need to complete the required information fields:
- Common name: This is where you’ll enter your personal individual name (for a developer’s individual code signing certificate) or your organization’s name.
- Subject Alternative Name (SAN): Notice that this field is greyed out in the screenshot above so that you can’t enter any information. It doesn’t matter because SAN info isn’t applicable for code signing certificate CSR generation. You’d only need to enter the SAN information if you were requesting a multi-domain SSL/TLS certificate.
- Organization: This is where you’ll need to enter your organization’s legally registered name (e.g., Your Company, Inc.).
- Department: You don’t need to worry about it for code signing certificates. (This field is where you’d typically enter the department or organizational unit [OU] information that you want to display in SSL/TLS certificates.)
- City/State/Country: These three fields are pretty self-explanatory: simply enter your organization’s legally registered location information.
- Key Size: The available key sizes are 2048, 3072 and 4096. However, it’s important to note that the CA/B Forum changed the Baseline Requirements for code signing certificates so that the new minimum key size is 3072 bits (as of June 1, 2021).
Once finished, click the Generate button to create your CSR block. This will close out the dialog window and open a new screen that says, “The certificate request has been successfully created.”
Step Three: Copy & Attach the Code Signing Certificate CSR to Your Certificate Order
In the next window, you’ll see a message that starts with “-----BEGIN NEW CERTIFICATE REQUEST-----.” This is the unique code signing CSR data block that you’ll need to send to your issuing CA by adding it to your code signing certificate order form.
To copy the code signing CSR, press Copy CSR. Be sure to also save a copy of your CSR as a text file. You can do this by pressing Save to File.
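Before adding the saved CSR to an order, you can confirm that the key inside it meets the 3072-bit minimum noted in Step Two. The Python check below is an added example, not part of the original article or of DigiCert’s utility; the function names are illustrative assumptions, it handles RSA keys only, and it does not verify the request’s signature.

```python
import base64, re

MIN_RSA_BITS = 3072  # minimum key size the article cites for code signing
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption (1.2.840.113549.1.1.1)

def pem_to_der(pem_text):
    # Accept "CERTIFICATE REQUEST" and the "NEW CERTIFICATE REQUEST" label alike.
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate request block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf, pos=0):
    """Return (value, next_pos) for the DER element that starts at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def csr_rsa_bits(pem_text):
    """Return the RSA modulus size in bits of the key inside a PKCS#10 CSR."""
    request, _ = read_tlv(pem_to_der(pem_text))  # CertificationRequest
    info, _ = read_tlv(request)                  # CertificationRequestInfo
    _, p = read_tlv(info)                        # version
    _, p = read_tlv(info, p)                     # subject (common name, organization, ...)
    spki, _ = read_tlv(info, p)                  # SubjectPublicKeyInfo
    algorithm, p = read_tlv(spki)
    if RSA_OID not in algorithm:
        raise ValueError("CSR does not carry an RSA key")
    bit_string, _ = read_tlv(spki, p)
    rsa_key, _ = read_tlv(bit_string, 1)         # skip the unused-bits octet
    modulus, _ = read_tlv(rsa_key)
    return int.from_bytes(modulus, "big").bit_length()

def meets_minimum(pem_text):
    return csr_rsa_bits(pem_text) >= MIN_RSA_BITS

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the text file written by "Save to File"
        with open(path, encoding="utf-8", errors="replace") as fh:
            pem = fh.read()
        print(path, csr_rsa_bits(pem), "bits:", "OK" if meets_minimum(pem) else "below minimum")
```

Run it with the path of the saved CSR text file as its argument; a request generated with the 2048 option is reported as below minimum.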
Now, you’ll need to add this data to your certificate order. If you purchased your certificate through CodeSigningStore.com, you can do this by:
- Logging into your customer account
- Going to your order page and finding the certificate that you want to generate.
- Pressing the Next Step: Generate Certificate button. This will take you to another page (certificategeneration.com) where you can complete the certificate generation process. This process is pretty straightforward and includes 4-5 steps.
That’s it! You’ve now completed the code signing certificate CSR generation process. The next step involves waiting for DigiCert to perform the validation of your organization on their end and receiving the certificate via email.
What If You Aren’t Using a DigiCert Code Signing Certificate?
No worries here. The DigiCert Utility tool can also be used to generate code signing CSRs for other brands’ certificates (think Sectigo, Comodo, etc.). It’s not a brand-specific user interface. Alternatively, you can use OpenSSL (via the Windows command line console) to generate a CSR manually. We’ve put together a resource that will walk you through how to use OpenSSL to generate a code signing CSR.