Create a Signing Key

Signing Keys belong to Projects. They let you create and store keys and, optionally, certificates for signing. After you create a Signing Key, Authorized Signers on the Project can sync it to their signing workstations and use it for signing.

Prerequisite

To create a Signing Key

  1. Sign in to Certificate Manager - SaaS.
  2. Click Inventory > Signing Keys.
  3. From the Projects drop-down list, select the Project that you want to add the Signing Key to.
  4. Click New.
  5. Complete the fields in Basic information.
    1. Project should be pre-selected. If it's incorrect, cancel this Signing Key creation, restart the procedure, and select the correct Project.
    2. Enter a Signing Key Name.
    3. (Optional) Enter a Description of what this Signing Key will be used for.
    4. Click Continue.
  6. Complete the Key Pair Properties.

    1. For Key Storage Type and Key Storage Location, there is currently only one option each, and both are pre-selected.
    2. Enter a Validity Period.

      Entering 0 will give the Signing Key an infinite validity period.

    3. Select the Key Algorithm.

      Considerations when selecting a key algorithm
      • Security policy: If your organization has algorithm and compliance standards, align your selection with those standards.

      • RSA 2048 / 3072 / 4096: Widely supported and reliable. Use 3072 for modern security strength and 2048 for maximum compatibility.

      • ECDSA P-256 / P-384 / P-521: Smaller, faster, and more efficient than RSA, but some older tools may not support them. P-256 is the most broadly compatible ECDSA option.

      • If you plan to request a certificate from DigiCert in the next step, note that DigiCert does not support RSA 2048 or ECDSA P-521.

  7. Complete the Certificate Properties.

    1. Select a Certificate Authority.

      If you want to create just a key pair without a certificate, select None. Otherwise, select the certificate authority.

    2. Select the Product Option. These options vary by certificate authority.

    3. Complete the remaining fields in accordance with your company's guidelines.

      Note

      Some of these fields may be set by your certificate authority. In those cases, the values will be overwritten with the certificate authority settings on the signed certificate.

  8. Complete the Cryptographic Object Creation section.

    Select whether you want the keys and certificates created now or later, and then click Finish.

    If you chose to create the cryptographic objects later, open the Signing Key and create the objects from the Cryptographic Objects tab.

Next Steps

With the Signing Keys now in place, your Authorized Signers are ready to sync the keys to their signing workstations or CI/CD pipelines. See Getting started with Code Sign Client in Dev Central for steps.