
How to Reissue Sectigo and DigiCert Code Signing Cert with Install on Existing HSM Orders?

The post How to Reissue Sectigo and DigiCert Code Signing Cert with Install on Existing HSM Orders? appeared first on SignMyCode – Resources.


What is Code Signing Reissue?

Reissuing a code signing certificate is the process of generating a new certificate under the same subscription or order, usually because your private key changed, the certificate expired, the token was replaced, or the certificate was revoked.

Common Reasons to Reissue

  • Lost or Damaged USB Token
  • Private Key Compromise
  • Changing Cryptographic Settings
  • Reissuing after Certificate Revocation
  • Migrating to a new Signing Environment
  • Replacing Expiring Certificates

Reissuing Code Signing Certificates Under New 459 Day Validity Rules

The industry is moving toward shorter certificate lifetimes, and many Certificate Authorities now issue code signing certificates with a maximum validity of 459 days instead of multi-year end-entity certificates. Remaining subscription time is usually managed through reissuance rights. You may need multiple reissues during a longer subscription term.

How Code Signing Certificate Reissue Works

  • Generate a New CSR or Key Pair
  • Submit Reissue Request
  • Complete Validation if Required

After the reissue is completed, Sectigo automatically sends the new certificate to the registered email address.

Sectigo / Comodo / Certera: Install on Existing HSM (YubiKey 5 NFC FIPS 140-2, Google KMS, or Luna HSM)

Sectigo Code Signing certificates installed on YubiKey 5 FIPS, Luna HSM, or Google KMS devices can be reissued and reinstalled. Please follow the steps outlined below and let us know if you encounter any errors or have any questions.

Here are the steps to access your certificate management portal and re-issue your certificate:

  • Access the management portal on this page: https://secure.sectigo.com/products/frontpage?area=ssl
  • If you have never accessed this portal, you must reset your password. Locate the “Forgotten password?” section under the login area and click “Click here” to start the password reset process.
  • In a new window, you will be prompted to enter your Sectigo Order Number and either your admin username or admin email address for the order. Please enter only the order number and the admin email address you used when you originally enrolled for the certificate. Do not enter any admin username. Click OK when ready.

You will receive a Password Reset email from [email protected], which includes a confirmation password. Go to the link in this email and enter the confirmation password to receive your account username and temporary password.

  • Return to the main page and use the account username and temporary password to log in to the Sectigo certificate management portal. You may be prompted to change your password immediately. Please make sure to save the new password and username in your preferred password manager.
  • You should now be in the Account Area. Click the Code Signing Certificates link.
  • In CS Certificate Options, you should see your certificate details. Click Replace to start the re-issue process.
  • In the new window, upload your new CSR and attestation files. Paste your CSR in the CSR field.

For the key attestation, we recommend using the Upload Key Attestation Files option. Select your HSM model. In the example, we used a YubiKey HSM. Check “Encode to BASE64”. Click CHOOSE FILES to select your attestation and intermediate files. On Windows, you can hold down the CTRL key to select and upload multiple files.

  • You will not need to make any further changes to the certificate details UNLESS there is an issue with the contact email or organization details. Please keep in mind that any changes to the organization details will require validation and may delay the re-issuance of the certificate.
  • Please read the information at the bottom of the form before you click Continue. Replacing the certificate will revoke the old one after 14 days. If you have signed any code with the old certificate, it must be time-stamped for the signature to remain valid.
  • Click “Continue” to replace your certificate. The validation team will process the request as quickly as possible. You will receive your new certificate via email as soon as it is issued.
  • As soon as you have completed the re-issue request, please inform our support team. We must update your order in our system to avoid automatic cancellations. Please contact our support team to confirm anytime you re-issue your certificate.

DigiCert Orders: Install on Existing HSM (supported HSMs: Azure Key Vault or YubiKey 5 NFC – FIPS 140-2)

Please note that even for DigiCert certificates, we do not have a mechanism to reissue the certificate directly from the dashboard of the order page.

In this case, the customer needs to generate a new CSR from the HSM. The HSM must comply with FIPS 140-2 Level 2, Common Criteria EAL4+, or an equivalent standard, and must support RSA keys of at least 3072 bits.

The customer should then share the CSR with us via our support email, using their registered email address. Once received, we can reissue the certificate from the backend. After the reissue is completed, we will inform the customer of the next steps to obtain the newly issued certificate.
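
A pre-submission check for the CSR and attestation files from the Sectigo upload step and the DigiCert key requirement above, added here as an example and not part of the original post or of any CA's tooling. It confirms the CSR's self-signature, enforces the 3072-bit RSA minimum, and checks that the attestation certificate carries the CSR's public key and was issued by the supplied intermediate. It assumes PEM files and a YubiKey-style X.509 attestation certificate; all function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run on reissue files before uploading them.
# Assumption: PEM inputs and an X.509 attestation certificate (YubiKey style).
# Other HSMs use different attestation formats that this does not parse.

MIN_RSA_BITS=3072   # minimum RSA key size stated on this page

# Print the size in bits of the public key inside a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the CSR's self-signature verifies (proof of key possession).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeed if an RSA CSR meets the minimum; non-RSA keys are not judged here.
csr_rsa_size_ok() {
    if openssl req -in "$1" -noout -text \
        | grep -q 'Public Key Algorithm: rsaEncryption'; then
        [ "$(csr_key_bits "$1")" -ge "$MIN_RSA_BITS" ]
    fi
}

# Succeed if the attestation certificate attests the key the CSR carries.
attestation_matches_csr() {   # args: csr attestation_cert
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeed if the attestation certificate was issued by the intermediate file.
attestation_chain_ok() {      # args: attestation_cert intermediate_cert
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check, print each failure, return non-zero if any check failed.
check_reissue_files() {       # args: csr attestation_cert intermediate_cert
    rc=0
    csr_signature_ok "$1" || { echo "FAIL: CSR self-signature"; rc=1; }
    csr_rsa_size_ok "$1" || { echo "FAIL: RSA key under $MIN_RSA_BITS bits"; rc=1; }
    attestation_matches_csr "$1" "$2" || { echo "FAIL: attestation is for a different key"; rc=1; }
    attestation_chain_ok "$2" "$3" || { echo "FAIL: attestation not issued by intermediate"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 3 ]; then check_reissue_files "$@"; fi
```

A mismatch between the CSR key and the attested key usually means the CSR was generated from a different slot or a software key, which is worth catching before the request reaches validation.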

For any query, reach out to our customer support team!


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.

*** This is a Security Bloggers Network syndicated blog from SignMyCode – Resources authored by Janki Mehta. Read the original post at: https://signmycode.com/resources/how-to-reissue-sectigo-and-digicert-code-signing-cert-with-install-on-existing-hsm-orders