docs/documentation/platform/pki/code-signing/signers.mdx
A Signer is a single signing identity inside Code Signing. It bundles three things:
You'll typically have one Signer per real-world signing concern, such as mobile-app-prod, firmware-release, or ci-staging-builds.
| Role | Capabilities |
|---|---|
| Administrator | Edit settings, manage members, edit the approval policy, pre-approve signing for others, sign, and export the certificate. |
| Operator | Sign artifacts and submit signing requests. Export the certificate. Cannot manage members or the policy. |
| Auditor | View members, activity, and the audit log. Export the certificate. Cannot sign or change anything. |
In Certificate Manager → Code Signing → Signers, click Create Signer. The wizard walks you through five steps in order: Basics, Certificate, Signing Key, Members, and Approval Policy.
<Steps>
<Step title="Basics">
Pick a name for the Signer and (optionally) describe what it's for.

| Field | Description |
|-------|-------------|
| **Signer name** | A short, slug-friendly identifier (lowercase, dashes). Example: `mobile-app-prod`. The PKCS#11 module shows this as the **token label**. |
| **Description** | Optional. What this Signer is for, in plain English. Example: *iOS and Android production bundles*. |
Click **Next** to move on to the certificate.
</Step>
<Step title="Certificate">
| Field | Description |
|-------|-------------|
| **Certificate Authority** | The CA that issues the certificate. Internal CAs issue immediately. External CAs (AWS Private CA, Azure AD CS, DigiCert) issue asynchronously and the Signer enters **Pending** until the cert lands. |
| **Common Name** | The legal name shown on the certificate, for example `Acme Mobile, Inc.`. You can change it later; doing so reissues the certificate. |
| **Validity (days)** | How long each issued certificate is valid for. Default 365. |
| **Renew before (days)** | Optional, 1 to 30. Auto-renew this many days before expiry. Must be less than Validity. Leave empty to disable auto-renewal. |
<Note>
Some CAs add extra fields on this step. Check your CA's documentation for any CA-specific options.
</Note>
Click **Next** to choose the signing key.
</Step>
<Step title="Signing Key">
| Field | Description |
|-------|-------------|
| **Key source** | Where the signing key is generated. **Infisical** (default) lets Infisical generate and manage the key for you. **HSM** generates the key inside your own HSM through an [HSM Connector](/documentation/platform/pki/settings/hsm-connectors). Some CAs require an HSM-backed key and lock this to **HSM** (DigiCert code signing is one of them). |
| **HSM Connector** | The HSM Connector Infisical uses to reach your HSM. Set the Connector up first under **Certificate Manager > Settings > HSM Connectors**. Shown only when **Key source = HSM**. See [HSM Connectors](/documentation/platform/pki/settings/hsm-connectors). |
| **Key algorithm** | The signing key algorithm: `RSA-2048`, `RSA-3072`, `RSA-4096`, `ECDSA P-256`, `ECDSA P-384`, or `ECDSA P-521`. When **Key source = HSM** the choice is restricted to `RSA-2048`, `RSA-4096`, `ECDSA P-256`, or `ECDSA P-384`. |
Click **Next** to add members.
</Step>
<Step title="Members">
- **User**
- **Machine Identity**: a non-human caller (CI runner, build job, deploy script). Operator is the typical role.
- **Group**: a directory group. Everyone in the group inherits the role on this Signer.
The user who creates the Signer is added as Administrator automatically and cannot be removed at creation time. You can manage members later from the Signer's **Members** tab.
Click **Next** to set up the approval policy.
</Step>
<Step title="Approval Policy">
- **No approval required**: leave the policy empty. Members with sign rights can sign immediately. Recommended for dev and internal Signers.
- **Add approval steps**: require one or more sign-offs. See [Approvals → Configure the approval policy](/documentation/platform/pki/code-signing/approvals#configure-the-approval-policy) for the step editor and per-approval limits.
Press **Create Signer** to finish. Infisical issues the certificate (synchronously for internal CAs, asynchronously for external CAs) and the Signer appears in the list with a status badge.
</Step>
</Steps>
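The wizard enforces the field constraints described in the five steps above only at click time. The following added example (not Infisical's own code) re-implements those same constraints as a pre-flight validator, so a Signer definition kept in a repository can be checked in CI before anyone creates it; the `SignerSpec` field names and the `SLUG_RE` pattern are assumptions, while the allowed values and limits come from this page.

```python
"""Pre-flight validation for a Code Signing Signer definition.

Added example, not Infisical's code. Field names are assumptions; the
allowed values and limits are the ones documented for the Create Signer
wizard (slug name, Validity, Renew before, Key source, Key algorithm).
"""
import re
from dataclasses import dataclass
from typing import Optional

ALL_ALGS = {"RSA-2048", "RSA-3072", "RSA-4096",
            "ECDSA P-256", "ECDSA P-384", "ECDSA P-521"}
HSM_ALGS = {"RSA-2048", "RSA-4096", "ECDSA P-256", "ECDSA P-384"}
HSM_ONLY_CAS = {"DigiCert"}          # CAs that lock Key source to HSM
SLUG_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")  # assumed slug rule

@dataclass
class SignerSpec:
    name: str
    ca: str
    validity_days: int = 365              # page default
    renew_before_days: Optional[int] = None  # None disables auto-renewal
    key_source: str = "Infisical"
    key_algorithm: str = "RSA-2048"       # hypothetical default
    hsm_connector_id: Optional[str] = None

def validate_signer(spec: SignerSpec) -> list[str]:
    """Return every problem found; an empty list means the spec is acceptable."""
    errors = []
    if not SLUG_RE.match(spec.name):
        errors.append("name must be slug-friendly: lowercase, digits, dashes")
    if spec.validity_days < 1:
        errors.append("validity must be at least 1 day")
    if spec.renew_before_days is not None:
        if not 1 <= spec.renew_before_days <= 30:
            errors.append("renew-before must be between 1 and 30 days")
        if spec.renew_before_days >= spec.validity_days:
            errors.append("renew-before must be less than validity")
    if spec.key_source not in ("Infisical", "HSM"):
        errors.append("key source must be Infisical or HSM")
    if spec.ca in HSM_ONLY_CAS and spec.key_source != "HSM":
        errors.append(f"{spec.ca} requires an HSM-backed key")
    if spec.key_source == "HSM":
        if not spec.hsm_connector_id:
            errors.append("HSM key source requires an HSM Connector")
        if spec.key_algorithm not in HSM_ALGS:
            errors.append("algorithm not supported for HSM keys")
    elif spec.key_algorithm not in ALL_ALGS:
        errors.append("unknown key algorithm")
    return errors
```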
When you pick **Key source = HSM** on the Signing Key step, also pick the HSM Connector Infisical should use. The Key algorithm choices narrow to the HSM-supported subset. The private key never leaves the HSM and every sign operation routes through the linked Connector; Infisical holds only the public key and the issued certificate.

You can later switch an existing Signer between Infisical and HSM by reissuing the certificate with a different key source: call the reissue endpoint with a `certificate.keySource` body, plus `hsmConnectorId` when switching to HSM. The Signer keeps its name, members, policy, and CA; only the underlying key and the certificate wrapping it change.

See [HSM Connectors](/documentation/platform/pki/settings/hsm-connectors) for the setup.
| Status | Meaning |
|---|---|
| Pending | The Signer is created but the certificate has not been issued yet. Most common with external CAs that take time to respond. The PKCS#11 module sees this slot but signing is rejected until the certificate lands. |
| Active | Certificate issued and bound. Signing works, subject to the approval policy. |
| Failed | Issuance failed. Hover the badge to see the reason. Use Retry issuance from the Options menu, or Edit a Signer to change the CA, Common Name, or Validity and try again. |
| Disabled | Manually disabled. Signing is blocked. Re-enable from the Options menu. |
| Expired | The certificate's notAfter has passed and no auto-renewal was configured (or the renewal failed). Reissue with a new validity period. |
Open the Signer and choose Options → Edit settings. The edit sheet walks you through three steps: Basics, Certificate, and Signing Key. Changing the CA, identity, validity, or key triggers a fresh issuance, and the signer switches to the newly issued certificate.
<Steps>
<Step title="Basics">
Update the Signer's identifying information. These never reissue the certificate.

- **Signer name**: rename freely. The PKCS#11 token label updates on the next refresh.
- **Description**: edit at will.
Click **Next** to edit the certificate.
</Step>
<Step title="Certificate">
- **Certificate Authority**: swap to another CA. Saving with a different CA reissues the certificate immediately from the new CA.
- **Reuse an existing order**: offered by some CAs (DigiCert code signing). Point the Signer at an existing order to reuse that order slot instead of placing a new one. Common Name and Validity are inherited from the order.
- **Common Name** and **Validity (days)**: edit them to change the identity on the certificate. Saving reissues the certificate with the new values, and the signer switches to the new certificate.
- **Renew before (days)**: edit any time, 1 to 30, must be less than Validity.
Click **Next** to edit the signing key.
</Step>
<Step title="Signing Key">
- **Key source**: switch between Infisical and HSM. Switching to HSM requires picking an HSM Connector and a supported algorithm. CAs that require an HSM-backed key (such as DigiCert code signing) lock this to **HSM**.
- **HSM Connector**: shown when Key source is HSM.
- **Key algorithm**: pick a different algorithm. Changing it generates a new key and reissues the certificate.
<Note>
Renewals always issue a new certificate from the same CA with a fresh key pair. Old artifacts remain valid under the old certificate. New sign operations use the new one.
</Note>
Press **Save** to apply the changes.
</Step>
</Steps>
To sign with a Signer, pick the integration that matches your tooling:
- PKCS#11 module (jarsigner, cosign, osslsigncode, apksigner, openssl, gpg, and more).
- signtool: Authenticode signing on Windows.

**Delete** is permanent. The Signer and everything attached to it (members, policy, access records, audit log) is removed. The certificate object remains in the inventory unless you delete that separately.

Switching the key source is also available via the [reissue endpoint](/api-reference/endpoints/code-signing/signers/reissue) by passing `certificate.keySource` and (when switching to HSM) `hsmConnectorId`. The previous certificate stays in the inventory; delete or retire the old certificate before you try to delete the HSM Connector it referenced.