Learn how to set up your DigiCert-provided code signing hardware token.
Before you begin
Before you begin, make sure you meet these prerequisites:
- DigiCert-provided hardware token: SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS.
- Access to your certificate's Order details page in CertCentral.
- Code Signing or EV Code Signing certificate order number.
- Verify whether the eToken is blank or comes with the certificate preinstalled.
- Administrator permissions on your computer.
- Secure password manager. See Password 101.
Important:
This process will require you to supply multiple passwords. If you incorrectly enter or lose a password, you can permanently disable your eToken. We recommend using a secure password manager to track the passwords used for initializing your eToken.
How do I know if my eToken is blank or comes with the certificate installed?
In your CertCentral account, go to your certificate's Order details page. In the Certificate actions dropdown menu, what option do you see? The menu option lets you know if the eToken is blank or has the certificate preinstalled.
Menu options:
- Install certificate
  This option means the eToken is blank, and you must install the certificate on the eToken. See Install your code signing certificate on your eToken below.
- Initialize token
  This option means the certificate comes preinstalled on your eToken. You need to unlock the eToken to access your certificate. See Initialize your eToken below.
Install your code signing certificate on your eToken
- In your CertCentral account, in the left main menu, go to Certificates > Orders.
- On the Orders page, select the certificate's order number.
- On the certificate's Order details page, in the Certificate detail section, in the Certificate actions dropdown, select Install certificate.
- Use the following link to download and install the DigiCert Hardware Certificate Installer:
  Download the DigiCert Hardware Certificate Installer
- Copy the initialization code for your order.
- Open the DigiCert Hardware Certificate Installer.
- In the DigiCert Hardware Certificate Installer, on the Initialization Code page, in the Initialization Code box, enter the initialization code from your CertCentral account and then select Next.
- Plug in your eToken.
- On the Token Detection page, check "Re-initialize my token and permanently delete any existing certificates and keys" and then select Next.
  If you are installing an alternate chain or key type and need to keep your current certificate on the eToken intact, leave the Re-initialize option unchecked.
- On the Key information page, do one of the following tasks and then select Next:
  - RSA
    - Under Key Type, select RSA.
    - Under Key Size/Curve Name, select 4096.
  - ECC Key Types
    - Under Key Type, select ECC.
    - Under Key Size/Curve Name, select p-256 or p-384.
- On the Token Setup page, do the following tasks:
  - Add a Token Name.
    The token name is used to identify the eToken. This name is helpful when you have multiple eTokens.
  - Create a Token Password.
    This password (sometimes called a token PIN) is required to access the certificates saved on the eToken.
- READ THIS BEFORE YOU CONTINUE
  On the Administrator Password page, do one of the following tasks:
  - If you have NOT changed the Administrator Password since receiving your eToken, leave Use factory default Administrator password checked and select Finish.
  - If you have set a new Administrator Password (done outside of DigiCert Support using the SafeNet client), uncheck Use factory default Administrator password, enter the current Administrator Password, and select Finish.
- On the Certificate Installation page, be patient and wait.
  Some of the steps may take several minutes to complete. Wait to remove the eToken until the whole process is completed.
  Generating an RSA 4096-bit key will take time. Let the process complete.
- When the process finishes, select Close.
- You can now use the code signing certificate on your eToken to sign code.
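One way to confirm the result of the installation steps above, as an added example that is not part of DigiCert's documentation: the PowerShell function below lists code signing certificates and reports whether each key is one of the options offered on the Key information page. It assumes Windows with the eToken plugged in and the token's certificate visible in the current user's Personal store; the function name Get-CodeSigningKeySummary is hypothetical.

```powershell
# Added example, not DigiCert's code. Assumption: Windows, eToken plugged in,
# and its certificate visible in the current user's Personal store.
function Get-CodeSigningKeySummary {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    # Key type / size pairs offered on the installer's Key information page.
    $pageOptions = @('RSA-4096', 'ECC-256', 'ECC-384')

    foreach ($cert in Get-ChildItem -Path $StorePath -CodeSigningCert) {
        # Each helper returns $null when the certificate is not of that key type.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $ecc = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)

        if ($rsa)     { $keyType = 'RSA'; $keySize = $rsa.KeySize }
        elseif ($ecc) { $keyType = 'ECC'; $keySize = $ecc.KeySize }
        else          { $keyType = 'Unknown'; $keySize = 0 }

        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            KeyType           = $keyType
            KeySize           = $keySize
            # True only for RSA 4096, ECC P-256 or ECC P-384.
            MatchesPageOption = $pageOptions -contains "$keyType-$keySize"
            # False means the store entry is not linked to a private key.
            HasPrivateKey     = $cert.HasPrivateKey
            NotAfter          = $cert.NotAfter
            Expired           = $cert.NotAfter -lt (Get-Date)
        }
    }
}

Get-CodeSigningKeySummary | Format-List
```

An entry with HasPrivateKey set to False or a key size other than the one you selected is worth resolving before you sign anything with it.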
Initialize your eToken
- In your CertCentral account, in the left main menu, go to Certificates > Orders.
- On the Orders page, select the certificate's order number.
- On the certificate's Order details page, in the Certificate detail section, in the Certificate actions dropdown, select Initialize Token.
Important: Do not proceed without your DigiCert-provided hardware token. You need the eToken to complete these steps. Additionally, some information is only shown one time.
- On the initialization page, confirm you have your eToken.
  If you have not received your DigiCert-provided hardware token, do not proceed. You can use the link to check your tracking information. However, come back once you have your DigiCert-provided token.
  - Now that you have your DigiCert-provided hardware token, check I have received the hardware token.
  - When ready, select Submit.
- On the confirmation page, copy your preassigned eToken password and store it in a safe place.
  Warning: Your preassigned password will only be visible once. Make sure to take note of this password. You need it to access your certificate on your DigiCert-provided hardware token. See Password 101.
- Use the link to download and install the DigiCert Hardware Certificate Installer.
- You must install the SafeNet Authentication Client Tools on any system where you plug in the eToken to sign code.
- Learn how to install the SafeNet Drivers.
- Change the eToken password.
  The eToken password is used to access the eToken certificate store.
  - Open the SafeNet Authentication Client and then connect the eToken to your computer.
  - In the SafeNet Authentication Client, on the top of the page, click the cog icon (Advanced View button).
    You should now see the eToken listed in the tree menu on the left side of the page.
  - Right-click on the eToken name and select Change Password.
  - On the change password page, enter your Current Token Password from the Initialization page in CertCentral.
  - Next, create a new password.
  - Save the New Token Password in your secure password manager.
  - When ready, select OK.
- You can use the certificate on your eToken to sign code.
Password 101
Warning: The SafeNet eToken uses multiple passwords for authentication. If an Administrator Password is entered incorrectly five times, the eToken is permanently locked.
The SafeNet eToken uses the following passwords:
- Administrator Password:
  The default Administrator Password is "0" 48 times as provided by the manufacturer. If this password is lost, you are permanently locked out of the eToken and must purchase a new one. DigiCert does not set up this password.
- Token Password:
  This password is used to access the eToken certificate store. If lost, you can reset the eToken and reinstall the certificate.
- Personal Unlocking Key (PUK):
  Default PUK is 000000. DigiCert does not use the PUK in our process.
Minimum Password Requirements:
- Your password should contain at least 8 characters.
- Your password should include both upper-case characters and lower-case characters as well as numerals and special characters (for example: !, $, %, #).
- The minimum password length and character requirements apply to both the Token password and the Administrator password.
Troubleshooting
- My token appears as "SafeNet Token JC 0."
  Your eToken has been permanently disabled due to incorrect password attempts. Please contact DigiCert Support to order a new eToken.
- I lost my Administrator password.
  The administrator password is required to reset the device and is unrecoverable. Please contact DigiCert Support to order a new eToken.
  Note: The manufacturer sets this password, not DigiCert.
- I lost my Token password.
  The Token Password is used to access the eToken certificate store. Use the Administrator Password to reset the eToken password if lost.
  If you have lost your Token Password, you can reinitialize the eToken and create a new Token store when you reissue/rekey your certificate.
  - Reissue your certificate.
    - Reissue or re-key a Code Signing certificate
    - Reissue or re-key an EV Code Signing certificate
    - Rekeying Your DigiCert Document Signing Certificate
  - Re-initialize your eToken. After DigiCert reissues your certificate, install it on your eToken. See Install your code signing certificate on your eToken.
  Note: Items 4, 5, 6 and 7 refer to troubleshooting errors for the DigiCert Hardware Certificate Installer.
- Error "The Initialization Code was invalid, has already been used, or has expired."
  - Scenario 1: The user has an existing order in a reissue state.
    Solution:
    - Log in to the account > Certificates > Orders > Click on the order number > Certificate Actions > Reissue Certificate > Provisioning options > Use existing token > Submit request.
    - Return to the order > Certificate Actions > Install certificate > Copy the new initialization code.
  - Scenario 2: The new order does not have the "install certificate" option in the CertCentral account.
    Solution:
    Reissue the certificate when the install certificate option is not displayed under certificate actions.
    - Log in to the account, then force a reissue by opening the link below in a new tab of the browser you are logged in from: https://digicert.com/secure/orders/{order-number}/reissue
    - Select Provisioning options > Use existing token > Submit request.
    - Return to the order > Certificate Actions > Install certificate > Copy the new initialization code.
  - Scenario 3: Some time has passed before an install attempt was made, which resulted in the above error.
    Solution:
    Force reissue the certificate when only the install certificate option is displayed under certificate actions.
    - Log in to the account, then force a reissue by opening the link below in a new tab of the browser you are logged in from: https://digicert.com/secure/orders/{order-number}/reissue
    - Select Provisioning options > Use existing token > Submit request.
    - Return to the order > Certificate Actions > Install certificate > Copy the new initialization code.
- Error: 8-0x00000062
  This error is caused by trying to install your certificate on a token that does not support RSA above 2048.
  You will need to choose ECC in the DigiCert Hardware Certificate Installer to complete the installation, or reissue the order and purchase an additional token that will be compatible. ECC is not compatible with all signing tools, so choose this option only if you need to sign urgently and your signing tool supports ECC, or if you are unable to purchase a new token at the time. It is recommended that you have a supported token.
- Error: 5-0x00000030
  This error is related to not having the latest SafeNet version. To solve this issue, update to the latest SafeNet version.
- Error: 8-0x00000031
  This error is related to having too many code signing certificates on the same token. To solve this issue, remove some of the certificates to ensure sufficient space is available for another certificate. Once you have removed the certificates, reattempt the initialization process.