docs/documentation/platform/pki/guides/code-signing/digicert-code-signing.mdx
A DigiCert Certificate Authority configured for code signing issues OV (code_signing) and EV (code_signing_ev) certificates from your CertCentral account against a CSR. The signing key must live on an HSM, so Infisical generates the CSR against an HSM key and sends only the CSR to DigiCert.
This guide covers using such a CA from the Code Signing product. To set up the CA itself, see DigiCert (CertCentral Services API).
Code Signing. See DigiCert (CertCentral Services API).

Once a CA is configured for code signing, it appears in the Code Signing → Create Signer wizard's CA picker. The Signer is created in Pending state while DigiCert processes the order, and flips to Active once the certificate issues.
DigiCert's code-signing workflow includes an out-of-band approval step that the API cannot skip: DigiCert emails an approval link to the order's approver, and the order stays Pending until someone opens that link and approves it in DigiCert. Depending on your CertCentral account's settings this can apply per order, so a Signer can sit in Pending even after the organization is validated.
<Note>
  Code-signing certificates require an HSM-backed key. When you select a DigiCert code-signing CA, the Signer wizard locks the key source to **HSM** and you must pick an [HSM Connector](/documentation/platform/pki/settings/hsm-connectors).
</Note>

A Pending signer is checked on a schedule. To poll DigiCert immediately, use Check issuance now from the signer's actions menu. Hovering the Pending status on the signer's detail page shows the DigiCert order number so you can open that order in DigiCert to approve it or resend the approval email.
Each DigiCert order consumes a subscription slot on your CertCentral account. If a code-signing order already exists in this CA's organization, a Signer can issue into that order instead of spending another slot. This includes orders placed directly in DigiCert, not just ones Infisical created.
Reuse is scoped to the CA's configured organization and product, so only orders from that organization and product can be selected. The Common Name and Validity come from the chosen order rather than from the Signer.
<Tabs>
  <Tab title="Infisical UI">
    In the Create Signer wizard's **Certificate** step, open **Reuse an existing order** and pick one of the listed issued orders. The Common Name and Validity fields are hidden because they are inherited from the order. Leave the field empty to place a new order.
  </Tab>
  <Tab title="API">
    Set `externalConfiguration.reissueFromExternalOrderId` to the order id on [Create Signer](/api-reference/endpoints/code-signing/signers/create) or [Reissue](/api-reference/endpoints/code-signing/signers/reissue).
  </Tab>
</Tabs>

<Warning>
  Reissuing into an existing order replaces that order's certificate. DigiCert revokes the previous certificate within 72 hours, after which it can no longer be used to sign.
</Warning>

Editing a signer's Common Name, validity, key source, key algorithm, or CA triggers a fresh issuance. The signer returns to Pending until the new certificate issues, and DigiCert revokes the previous certificate within 72 hours.
Deleting a DigiCert code-signing signer revokes its DigiCert order, so the certificate can no longer be used to sign anywhere. Depending on your CertCentral account's revocation policy, DigiCert may queue the revocation for administrator approval.
Once your signer is Active, you can use it to sign artifacts through the Infisical PKCS#11 module. The signing workflow is the same as any other Infisical signer—only the certificate backing it comes from DigiCert.
<CardGroup cols={2}>
  <Card title="Sign Windows Executables" icon="windows" href="/documentation/platform/pki/guides/code-signing/osslsigncode">
    Sign `.exe`, `.dll`, `.msi`, and other Windows artifacts with osslsigncode
  </Card>
  <Card title="Sign Java JARs" icon="java" href="/documentation/platform/pki/guides/code-signing/jarsigner">
    Sign Java archives with jarsigner
  </Card>
  <Card title="Sign Container Images" icon="docker" href="/documentation/platform/pki/guides/code-signing/cosign">
    Sign OCI container images with Sigstore cosign
  </Card>
  <Card title="Sign with OpenSSL" icon="lock" href="/documentation/platform/pki/guides/code-signing/openssl">
    General-purpose signing with OpenSSL
  </Card>
</CardGroup>