You’ve done the hard work: your DigiCert Code Signing Certificate has been approved, your identity has been validated, and you’re ready to secure your software with a trusted digital signature.
But then, just when you think you’re done, you hit a snag. Maybe Windows refuses to import the certificate. Maybe your token software won’t recognize the certificate. Maybe SignTool says “No certificate found.”
Don’t worry — you’re not alone. Whether you’re using a Standard (OV) or Extended Validation (EV) DigiCert Code Signing Certificate, a few common issues trip up even seasoned developers.
In this complete guide, I’ll walk you through the most common installation and setup problems developers face — and show you exactly how to fix each one, step by step, with clear explanations.
The Certificate Won’t Install (PFX Import Fails)
The problem:
You double-click your .pfx or .p12 file expecting a smooth import, but Windows throws an error — maybe the wizard just hangs, or you see a vague “This file is invalid” message.
Why this happens:
Usually, this means there’s a mismatch between your certificate file and the private key it was issued for — or the .pfx itself is corrupted, or you are entering the wrong password for it.
Another common scenario is that the file was transferred between devices and the private key never left the original machine, so Windows can’t pair the certificate with the key.
How to fix it:
First, double-check that you’re importing the certificate on the same machine that created the CSR (Certificate Signing Request). If you generated the CSR on one PC and moved the .pfx to another, you’ll probably hit this issue unless you exported the private key with it.
If the problem is a password error, try re-downloading the .pfx from DigiCert’s portal if you still can, and confirm the exact password you set. Remember: the password is case-sensitive — even an extra space can break it.
If you can’t recover the right .pfx, you may need to reissue the certificate from DigiCert, generate a new CSR on the target machine, and redo the process. It’s a hassle, but better than trying to force a broken file.
The Hardware Token Is Not Recognized
The problem:
You’ve received your DigiCert EV USB token in the mail. You plug it into your computer, expecting to see your shiny new certificate ready to sign your code. But the token utility says “No certificate found” or worse — Windows won’t even detect the token.
Why this happens:
Most of the time, this happens because the required drivers or token management software (like SafeNet Authentication Client) haven’t been installed properly. EV tokens rely on special middleware to communicate with your PC — plug-and-play won’t cut it.
How to fix it:
First, check that you’ve installed the SafeNet (or similar) software that came with your token. If you skipped it, download it directly from DigiCert’s support page or the token manufacturer’s official site.
Next, plug the token into a different USB port — preferably one directly on your computer, not through a hub. Some older USB hubs can cause power or recognition issues.
If Windows still doesn’t see the token, open Device Manager and look under Smart card readers or Universal Serial Bus controllers to see if it appears. If you see a yellow warning icon, right-click and update the driver.
Finally, restart your PC — you’d be surprised how often a simple reboot resolves token handshake issues.
SafeNet Token Shows Empty or Missing Certificate
The problem:
You’ve installed the SafeNet Authentication Client, and the token is detected in the client interface. But when you expand the token tree, it shows no certificate at all — just an empty slot.
Why this happens:
This usually means the certificate hasn’t been initialized onto the token yet — or the token was not correctly provisioned during shipping.
How to fix it:
Log into your DigiCert account and check the status of your certificate. For EV Code Signing, DigiCert often pre-installs the certificate onto the token before shipping — but if something failed in that step, you’ll need to request a re-issuance.
Contact DigiCert support immediately — they may guide you to return the token and receive a replacement, or they may issue a new one and help you initialize it through SafeNet if the token supports in-field provisioning.
SignTool or Your Build Tool Says “No Certificate Found”
The problem:
You’ve imported the .pfx file, or you have your EV token plugged in — but when you run signtool sign or your CI/CD script, you get an error like “No matching certificate found” or “No certificate was found that met all the given criteria.”
Why this happens:
Most often, this means SignTool can’t find the certificate in the Windows Certificate Store, or you’re using the wrong subject name in your command.
How to fix it:
Open Manage User Certificates on your PC (certmgr.msc) and navigate to Personal > Certificates. Make sure your code signing certificate is actually listed there.
If you’re signing with an OV .pfx, make sure you’re using the /f switch and pointing to the right file or the /n switch with your exact publisher name. For example:
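The two selection modes as SignTool commands, added here as an example and not taken from the original article. The file names, the PFX_PASSWORD environment variable and the publisher name Example Software, Inc. are placeholders, and signtool.exe from the Windows SDK is assumed to be on PATH; the last part prints the name stored in the certificate so it can be copied rather than retyped.

```powershell
# Added example. Paths, the PFX_PASSWORD variable and the publisher name are placeholders.
$target = '.\MyApp.exe'                      # hypothetical file to sign

# OV certificate: sign directly from the .pfx file (/f) with its password (/p).
# The password is read from an environment variable so it is not hard-coded in the script.
signtool sign /f '.\codesign.pfx' /p $env:PFX_PASSWORD /fd SHA256 $target

# Certificate already in Current User > Personal (imported .pfx or EV token):
# select it by subject name (/n).
signtool sign /n 'Example Software, Inc.' /fd SHA256 $target

# Print the names held in the store for each code signing certificate.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    ForEach-Object {
        [pscustomobject]@{
            IssuedTo   = $_.GetNameInfo('SimpleName', $false)   # the "Issued To" value
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
        }
    } | Format-List
```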
Spelling and punctuation matter. An extra comma or missing Inc. will break it.
If you’re using an EV token, the subject name must match exactly what’s on the certificate. If you’re not sure, double-click the certificate in the Certificates console and look at the “Issued To” field — that’s your precise subject name.
The Private Key Is Missing
The problem:
Your certificate appears in the Windows Certificate Store, but when you try to sign something, you see errors like “No private key found for this certificate.”
Why this happens:
This happens if the private key didn’t import with the certificate. Maybe you downloaded only the .crt file instead of the .pfx that bundles the certificate and the private key.
How to fix it:
You need to ensure you always import the .pfx or .p12 file — not just the .crt. The .crt by itself is only the public portion.
If you’re missing the private key entirely, you’ll need to generate a new CSR and private key on your signing machine, then reissue the certificate from DigiCert.
The Certificate Imports to the Wrong Store
The problem:
You’ve imported your .pfx, but SignTool can’t find it — even though you see it in Certificates Manager.
Why this happens:
Sometimes the certificate accidentally gets imported into the Local Machine store instead of the Current User store. Or it might land in the wrong folder altogether — for example, Trusted Root instead of Personal.
How to fix it:
Open certmgr.msc and check the Personal folder under Current User. If you don’t see it there, that’s the issue.
Re-import the .pfx and make sure you select Current User in the import wizard. Choose the Personal store as the destination.
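A store check covering the last three sections (certificate not found, missing private key, wrong store), added here as an example and not part of the original article. It assumes Windows PowerShell 5.1 or later; the function name Find-CodeSigningCert is made up for this example.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added diagnostic example (not from the original article).
# Lists every end-entity certificate carrying the Code Signing EKU in both store
# locations and reports where it sits and whether Windows has a private key for it.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'        # Code Signing enhanced key usage

function Find-CodeSigningCert {
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        Get-ChildItem -Path "Cert:\$location" -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # Skip CA certificates; some intermediates also carry the Code Signing EKU.
                $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
                if ($bc -and $bc.CertificateAuthority) { return }

                $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
                if (-not ($eku -and ($eku.EnhancedKeyUsages.Value -contains $codeSigningOid))) { return }

                $storePath = ($cert.PSParentPath -split '::')[-1]    # e.g. CurrentUser\My
                if ($storePath -ne 'CurrentUser\My') {
                    $finding = 'Not in Current User > Personal: re-import into that store'
                } elseif (-not $cert.HasPrivateKey) {
                    $finding = 'No private key: import the .pfx/.p12, not the .crt'
                } else {
                    $finding = 'OK'
                }

                [pscustomobject]@{
                    Store         = $storePath
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    HasPrivateKey = $cert.HasPrivateKey
                    Finding       = $finding
                }
            }
    }
}

Find-CodeSigningCert | Format-List
```

An empty result means no code signing certificate is installed in either location, which points back to the import itself (or, for an EV token, to the token middleware).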
Password Prompt or Access Denied When Signing
The problem:
When you run your signing command, you’re prompted for a password — but your password fails, or you see “Access Denied.”
Why this happens:
This means your private key is protected with a password or hardware token PIN — which is good — but you’re using the wrong password or the token isn’t unlocked.
How to fix it:
Double-check your .pfx export password if you’re using OV. If you’re using EV, make sure you’ve unlocked the token session through the SafeNet Authentication Client — you may need to enter your PIN when prompted.
If you keep getting “Access Denied,” run your terminal or script as Administrator — some secure containers require elevated privileges to access the private key.
Timestamp Server Fails
The problem:
You’ve run your sign command, but you get an error like “Failed to contact timestamp server” or “Cannot establish trust chain for timestamp.”
Why this happens:
This could be a simple network error, or your timestamp URL might be wrong or blocked by a firewall.
How to fix it:
Always use DigiCert’s current timestamp server:
Try pinging it in your browser — if you get blocked, check your firewall or proxy settings. You can also test alternative timestamp URLs if DigiCert supports them — but never skip the timestamp just because you hit a hiccup.
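A reachability check, a timestamped signing command and a check that the timestamp actually landed in the signature, added here as an example and not part of the original article. Assumptions: signtool.exe is on PATH, MyApp.exe is a placeholder, and the URL is DigiCert's public RFC 3161 endpoint as commonly documented rather than a value quoted from this page, so confirm it against DigiCert's documentation.

```powershell
# Added example (not from the original article).
# Assumption: this URL is DigiCert's RFC 3161 timestamp endpoint; verify it in DigiCert's docs.
$TimestampUrl = 'http://timestamp.digicert.com'
$target       = '.\MyApp.exe'                 # hypothetical file to sign

# 1. Direct TCP check: can this machine reach the timestamp host (firewall rules)?
$uri = [uri]$TimestampUrl
if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
    throw "Cannot reach $($uri.Host):$($uri.Port); check firewall or proxy rules."
}

# 2. Sign with an RFC 3161 timestamp (/tr) and SHA-256 digests (/fd, /td).
#    /a lets SignTool choose the certificate; use /f or /n instead where needed.
signtool sign /a /fd SHA256 /tr $TimestampUrl /td SHA256 $target
if ($LASTEXITCODE -ne 0) { throw "signtool exited with code $LASTEXITCODE" }

# 3. Confirm the signature is valid and really carries a timestamp.
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid') {
    throw "Signature status: $($sig.Status) - $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw 'File is signed but carries no timestamp.'
}
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```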
Final Tips
Installing and using a DigiCert Code Signing Certificate can feel intimidating at first — but most installation errors come down to just a few things: missing private keys, incorrect imports, drivers not installed, or small typos in your SignTool command.
If you get stuck, always:
- Double-check your certificate location in the Certificate Store.
- Confirm your private key is present and matches.
- Verify your subject name or file path exactly.
- Test your USB token on another machine to rule out port issues.
And if all else fails — DigiCert support is famously good. Open a ticket, and they’ll guide you through the fix.
Conclusion
Errors during DigiCert Code Signing Certificate installation can be frustrating — especially when you’re on a deadline to release a new build. But once you know what to look for, these problems are almost always fixable in minutes, not days.
Take your time, follow the steps carefully, and you’ll have your certificate up and running — ready to sign software your users trust.
FAQs
Why can’t my computer detect the DigiCert USB token during installation?
This can happen if the token drivers are missing, the token isn’t properly inserted, or there’s a conflict with other USB devices. Make sure the SafeNet Authentication Client is installed, use a direct USB port, and disconnect other tokens before retrying.
I get an “Initialization code invalid” message. What should I do?
Double-check that you’ve entered the correct initialization code exactly as given in your DigiCert dashboard. The code is shown only once—if you’ve lost it, you will need to request a new one from DigiCert support.
The installer says my eToken already contains certificates. How do I proceed?
You may be prompted to reinitialize the token, which erases existing certificates and keys. Only do this if you’re certain you won’t lose any needed certificates. Always back up if possible before continuing.
Why does my code signing certificate not appear in my browser or certificate store?
The certificate might not have been installed to the right location, or the installation process was interrupted. Restart the process and ensure you follow every prompt, installing to the appropriate store (Personal/My Certificates). Also, confirm you have administrator privileges.
What should I do if I see “No private key” when viewing my certificate?
This means the private key wasn’t generated or linked during the installation. Start the installation again, making sure you generate the certificate signing request (CSR) on the machine or device where the private key will reside.
How do I fix “chain of trust” or “intermediate certificate missing” errors?
Install any intermediate and root certificates provided by DigiCert during your certificate installation. These are essential for establishing full trust and must be correctly placed in your certificate chain.
Why does my signed software still generate Windows security warnings?
This may occur if your code is not timestamped, the certificate chain is broken, or you’re signing drivers requiring EV or cross-signed certificates. Double-check your signing process, ensure timestamping is enabled, and verify you’re using the correct certificate type.
My token or certificate software is unresponsive or crashes. How can I resolve this?
Close unnecessary applications, restart your computer, and ensure you have the latest version of all required software. Try different USB ports if using a hardware token.
What if I get an error about key size or algorithm during installation?
Some tokens or platforms only support certain key types (e.g., RSA 2048 or 4096, ECC P-256/P-384). Choose a supported algorithm during setup. For older tokens, you may need to select ECC if large RSA keys are not supported.
I’m getting a “Password Incorrect” error during DigiCert Code Signing installation. What should I do?
If you are seeing a “Password Incorrect” error:
- Verify that you’re using the correct password for your .pfx or .p12 certificate file.
- Double-check for typos or extra spaces when entering the password.
- If you’ve forgotten the password, you may need to reissue your certificate from DigiCert, as the password cannot be recovered.
What should I do if my DigiCert Code Signing Certificate file is in the wrong format (e.g., not .pfx or .p12)?
If you have a certificate file in an unsupported format:
- Convert the certificate into a valid format (e.g., .pfx or .p12).
- You can use OpenSSL or Windows Certificate Manager to convert the format.
- If you’re unable to convert the file, contact DigiCert support to help you with the process.
Why am I getting an “Access Denied” error when installing my DigiCert Code Signing Certificate?
The “Access Denied” error may occur due to insufficient permissions. To resolve this:
- Ensure you are logged in with administrator rights on your computer.
- If you’re installing the certificate on a server, check that the server’s security settings allow certificate installation.
- Try installing the certificate in safe mode or by using PowerShell with elevated permissions.
My DigiCert Code Signing Certificate doesn’t appear in the Windows Certificate Store. How can I fix this?
If your certificate is missing from the Windows Certificate Store:
- Open Microsoft Management Console (MMC) and add the Certificates snap-in to view the certificate.
- Re-import the .pfx or .p12 file using Certificate Import Wizard.
- If the certificate still doesn’t appear, restart your system or check for any Windows updates that might affect certificate installation.
How do I resolve “The Certificate Is Not Valid For Code Signing” error?
This error typically occurs when the certificate you’re using is not a Code Signing Certificate or has not been correctly configured. To fix this:
- Verify that the certificate you’ve purchased from DigiCert is specifically for Code Signing.
- Check if the certificate is activated and valid for Code Signing through the DigiCert portal.
- Contact DigiCert support for assistance if you’re unsure about the type of certificate.