Jun 24, 2025
OVERVIEW: This page walks you through the process of downloading and installing your GlobalSign Code Signing Certificate using the installation and key generation methods you selected. At the completion of this procedure, your Certificate will be ready to place signatures on drivers, executables, and other files. Learn more about Code Signing Certificate management and other FAQs here. |
During ordering, you were given an option to choose the implementation method (Token or HSM) you prefer for your Code Signing certificate. Based on your selection, install your GlobalSign Code Signing Certificate with the following guidelines:
TOKEN-BASED INSTALLATION
Enrollment with Fortify
Download using Internet Explorer (IE) Compatibility Mode
IMPORTANT: GlobalSign-provided eToken is mailed to you upon ordering GlobalSign's Code Signing Certificate. The minimum required supported key size of the eToken for Code Signing certificate is 4096 bits. Ensure that you have your eToken handy before proceeding with the process. This implementation has two key generation methods: Enrollment with Fortify and Download using Internet Explorer (IE) Compatibility Mode. |
IMPORTANT: If you selected the Enrollment with Fortify as key generation method during the ordering process, proceed with install your certificate using Fortify. Otherwise, you need to cancel your current order and reorder to change your selection. |
Approved and vetted GlobalSign Code Signing Certificate.
GlobalSign-provided SafeNet eToken. Depending on your need, do the following actions:
For New Orders
• Download and install SafeNet Authentication Client drivers.
• Initialize SafeNet eToken. This is a requirement when setting up the SafeNet eToken for the first time.
For Renewals and Reissues
• You may still use compatible and existing SafeNet eTokens as long as it meets the required supported key size.
IMPORTANT: If the supported key size of your current token is not compatible with code signing, request for a new token during the renewal/reissuing process. |
• If your eToken is still compatible and you do not want to make any changes with your current token password, initializing your eToken is not required. You may proceed with the guidelines.
WARNING: Initializing your eToken will delete all certificates currently installed there and they will have to be reissued and installed again. |
For Certificate pickup, you must have access to a Windows PC to proceed. Once the Certificate is installed and stored in the removable device, you may sign from other platforms such as OS X. You are also required to open the pickup link in Microsoft Edge with IE Compatibility Mode enabled, then continue with the guidelines.
IMPORTANT: Standard Code Signing Certificate is now issued of R45 Intermediate Certificate and you may need to include the R3-R45 Cross Certificate. |
Open the Certificate Download Ready email and launch the pickup link using Microsoft Edge with IE Compatibility enabled.
Enter the Temporary Pickup Password that was set at the time of ordering and click Next to continue.
In the Web Access Confirmation prompt, click Yes to allow digital certificate operations.
In the Install Certificate window, choose one from the Cryptographic Service Provider drop-down options:
• If you want to install the GlobalSign-provider SafeNet eToken, select eToken Base Cryptographic Provider
• If you want to install a private-owned smart card, select Microsoft Base Smart Card Crypto Provider
Then, tick the box to agree to the subscriber agreement and click Next.
Insert your SafeNet USB token into your computer.
Enter the password for your USB token. This was set during the initialization process, then click OK.
WARNING: The screen may appear to freeze for a minute or two. DO NOT press any button on your browser until the process is complete as it will interrupt the progress. There should be a blinking light from your eToken and a message in the screen reminding to wait for a while. |
IMPORTANT: If you selected the Download using Internet Explorer (IE) Compatibility Mode as key generation method during the ordering process, proceed with install certificate using Microsoft Edge in IE Compatibility Mode. Otherwise, you need to cancel your current order and reorder to change your selection. |
Approved and vetted GlobalSign Code Signing Certificate.
GlobalSign-provided SafeNet eToken. See eToken related prerequisites above.
Downloaded and installed Fortify App in your operating system. Ensure that you meet the following system requirements:
• Browsers supported by Fortify: Microsoft Edge, Safari, Firefox and Chrome
• OS supported by Fortify: MAC OS 10.12 or higher, Windows 7 or higher, and Ubuntu 16.04 or higher
For Certificate pickup, you must have access to a Windows PC to proceed. Once the Certificate is installed and stored in the removable device, you may sign from other platforms such as OS X.
IMPORTANT: Standard Code Signing Certificate is now issued of R45 Intermediate Certificate and you may need to include the R3-R45 Cross Certificate. |
A pop-up window for the authorization of code will appear on the Access Permission and on Fortify Authorization. If the both codes matched, click Approve to continue.
In the Create Certificate Request or Self-Signed Certificate window, review the DN or Certificate Identity Detail Information. Then, click Create to continue. Note: If you haven't yet, make sure that your eToken is plugged in to your computer at this point.
A pop-up window will appear, then enter the token password. Note: Please wait for a while as it will take a few seconds to process.
On the Install Certificate window, under Select Provider, select the token that you setup (as a prerequisite). Then, click Start to proceed.
IMPORTANT: For HSM-based installation, FIPS 140-2 Level 2 compliant is the required HSM to use to generate the CSR and private key for EV Code Signing certificate. The CSR should be created with a key size of 4096 bit or greater. You will be prompted to provide the CSR during the certificate pick up process. |
Approved and vetted GlobalSign Code Signing Certificate.
Internal or external audit letter will be required stating that the subscriber will be using compliant HSMs for EV CodeSigning Certificates.
For Certificate pickup, you must have access to a Windows PC. Once the Certificate is installed, you may sign from other platforms such as OS X.
Enter your CSR on the Enter CSR Required box. Then, tick I Agree to the subscriber Agreement and click Next to proceed.
Note: Paste the CSR generated on the HSM which is FIPS 140-2 Level 2 compliant.
IMPORTANT: These Certificates will match the private key used to generate the CSR submitted during the ordering process, for information on how to import these Certificates on your HSM, please consult your HSM vendors instructions. |
Check your certificate installation for SSL issues and vulnerabilities.