You’ve done the hard work: your DigiCert Code Signing Certificate has been approved, your identity has been validated, and you’re ready to secure your software with a trusted digital signature.
But then, just when you think you’re done, you hit a snag. Maybe Windows refuses to import the certificate. Maybe your token software won’t recognize the certificate. Maybe SignTool says “No certificate found.”
Don’t worry — you’re not alone. Whether you’re using a Standard (OV) or Extended Validation (EV) DigiCert Code Signing Certificate, a few common issues trip up even seasoned developers.
In this complete guide, I’ll walk you through the most common installation and setup problems developers face — and show you exactly how to fix each one, step by step, with clear explanations.
The Certificate Won’t Install (PFX Import Fails)
The problem:
You double-click your .pfx or .p12 file expecting a smooth import, but Windows throws an error — maybe the wizard just hangs, or you see a vague “This file is invalid” message.
Why this happens:
Usually, this means there’s a mismatch between your certificate file and the private key that generated it — or the .pfx itself is corrupted or password-protected with the wrong password.
Another common scenario is that the file was transferred between devices and the private key never left the original machine, so Windows can’t pair the certificate with the key.
How to fix it:
First, double-check that you’re importing the certificate on the same machine that created the CSR (Certificate Signing Request). If you generated the CSR on one PC and moved the .pfx to another, you’ll probably hit this issue unless you exported the private key with it.
If the problem is a password error, try re-downloading the .pfx from DigiCert’s portal if you still can, and confirm the exact password you set. Remember: the password is case-sensitive — even an extra space can break it.
If you can’t recover the right .pfx, you may need to reissue the certificate from DigiCert, generate a new CSR on the target machine, and redo the process. It’s a hassle, but better than trying to force a broken file.
The Hardware Token Is Not Recognized
The problem:
You’ve received your DigiCert EV USB token in the mail. You plug it into your computer, expecting to see your shiny new certificate ready to sign your code. But the token utility says “No certificate found” or worse — Windows won’t even detect the token.
Why this happens:
Most of the time, this happens because the required drivers or token management software (like SafeNet Authentication Client) haven’t been installed properly. EV tokens rely on special middleware to communicate with your PC — plug-and-play won’t cut it.
How to fix it:
First, check that you’ve installed the SafeNet (or similar) software that came with your token. If you skipped it, download it directly from DigiCert’s support page or the token manufacturer’s official site.
Next, plug the token into a different USB port — preferably one directly on your computer, not through a hub. Some older USB hubs can cause power or recognition issues.
If Windows still doesn’t see the token, open Device Manager and look under Smart card readers or Universal Serial Bus controllers to see if it appears. If you see a yellow warning icon, right-click and update the driver.
Finally, restart your PC — you’d be surprised how often a simple reboot resolves token handshake issues.
SafeNet Token Shows Empty or Missing Certificate
The problem:
You’ve installed the SafeNet Authentication Client, and the token is detected in the client interface. But when you expand the token tree, it shows no certificate at all — just an empty slot.
Why this happens:
This usually means the certificate hasn’t been initialized onto the token yet — or the token was not correctly provisioned during shipping.
How to fix it:
Log into your DigiCert account and check the status of your certificate. For EV Code Signing, DigiCert often pre-installs the certificate onto the token before shipping — but if something failed in that step, you’ll need to request a re-issuance.
Contact DigiCert support immediately — they may guide you to return the token and receive a replacement, or they may issue a new one and help you initialize it through SafeNet if the token supports in-field provisioning.
SignTool or Your Build Tool Says “No Certificate Found”
The problem:
You’ve imported the .pfx file, or you have your EV token plugged in — but when you run signtool sign or your CI/CD script, you get an error like “No matching certificate found” or “No certificate was found that met all the given criteria.”
Why this happens:
Most often, this means SignTool can’t find the certificate in the Windows Certificate Store, or you’re using the wrong subject name in your command.
How to fix it:
Open Manage User Certificates on your PC (certmgr.msc) and navigate to Personal > Certificates. Make sure your code signing certificate is actually listed there.
If you’re signing with an OV .pfx, make sure you’re using the /f switch and pointing to the right file or the /n switch with your exact publisher name. For example:
Spelling and punctuation matter. An extra comma or missing Inc. will break it.
If you’re using an EV token, the subject name must match exactly what’s on the certificate. If you’re not sure, double-click the certificate in the Certificates console and look at the “Issued To” field — that’s your precise subject name.
The Private Key Is Missing
The problem:
Your certificate appears in the Windows Certificate Store, but when you try to sign something, you see errors like “No private key found for this certificate.”
Why this happens:
This happens if the private key didn’t import with the certificate. Maybe you downloaded only the .crt file instead of the .pfx that bundles the certificate and the private key.
How to fix it:
You need to ensure you always import the .pfx or .p12 file — not just the .crt. The .crt by itself is only the public portion.
If you’re missing the private key entirely, you’ll need to generate a new CSR and private key on your signing machine, then reissue the certificate from DigiCert.
The Certificate Imports to the Wrong Store
The problem:
You’ve imported your .pfx, but SignTool can’t find it — even though you see it in Certificates Manager.
Why this happens:
Sometimes the certificate accidentally gets imported into the Local Machine store instead of the Current User store. Or it might land in the wrong folder altogether — for example, Trusted Root instead of Personal.
How to fix it:
Open certmgr.msc and check the Personal folder under Current User. If you don’t see it there, that’s the issue.
Re-import the .pfx and make sure you select Current User in the import wizard. Choose the Personal store as the destination.
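The checks from the last three sections (certificate not found, private key missing, wrong store) can be run in one pass from PowerShell. This is an added example, not part of the original guide or of DigiCert's tooling; the publisher name in $ExpectedName is a made-up placeholder.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added diagnostic example, not from the original guide.
$ExpectedName   = 'Example Publisher, Inc.'  # placeholder: the name you give signtool /n
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'        # Code Signing enhanced key usage

# True for end-entity certificates that carry the Code Signing EKU.
# CA certificates are skipped so issuing CAs in other stores are not reported.
function Test-CodeSigningLeaf {
    param([X509Certificate2]$Cert)
    $isCa = $false; $hasEku = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [X509BasicConstraintsExtension]) { $isCa = $ext.CertificateAuthority }
        if ($ext -is [X509EnhancedKeyUsageExtension]) {
            $hasEku = @($ext.EnhancedKeyUsages | Where-Object Value -eq $CodeSigningOid).Count -gt 0
        }
    }
    return ($hasEku -and -not $isCa)
}

# Walk every store for the current user and the local machine.
$report = Get-ChildItem -Path Cert:\CurrentUser, Cert:\LocalMachine -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_ -is [X509Certificate2] -and (Test-CodeSigningLeaf $_) } |
    ForEach-Object {
        $issuedTo = $_.GetNameInfo([X509NameType]::SimpleName, $false)
        $store    = $_.PSParentPath -replace '^.*::', ''   # e.g. CurrentUser\My
        [pscustomobject]@{
            Store         = $store
            IssuedTo      = $issuedTo
            NameMatches   = ($issuedTo -eq $ExpectedName)  # case-insensitive compare
            HasPrivateKey = $_.HasPrivateKey               # False when only the .crt was imported
            PersonalStore = ($store -eq 'CurrentUser\My')  # Current User > Personal
            Expires       = $_.NotAfter
        }
    }

if (-not $report) {
    Write-Warning 'No code signing certificate in any store. Import the .pfx or check the token middleware.'
} else {
    $report | Sort-Object Store | Format-Table -AutoSize
    $report | Where-Object { -not $_.HasPrivateKey } |
        ForEach-Object { Write-Warning "$($_.IssuedTo): no private key in $($_.Store)" }
    $report | Where-Object { -not $_.PersonalStore } |
        ForEach-Object { Write-Warning "$($_.IssuedTo): found in $($_.Store), not Current User > Personal" }
    $report | Where-Object { -not $_.NameMatches } |
        ForEach-Object { Write-Warning "'$($_.IssuedTo)' differs from the expected name '$ExpectedName'" }
}
```

The IssuedTo column is the same value the Certificates console shows as “Issued To”, so it can be copied straight into the signing command.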
Password Prompt or Access Denied When Signing
The problem:
When you run your signing command, you’re prompted for a password — but your password fails, or you see “Access Denied.”
Why this happens:
This means your private key is protected with a password or hardware token PIN — which is good — but you’re using the wrong password or the token isn’t unlocked.
How to fix it:
Double-check your .pfx export password if you’re using OV. If you’re using EV, make sure you’ve unlocked the token session through the SafeNet Authentication Client — you may need to enter your PIN when prompted.
If you keep getting “Access Denied,” run your terminal or script as Administrator — some secure containers require elevated privileges to access the private key.
Timestamp Server Fails
The problem:
You’ve run your sign command, but you get an error like “Failed to contact timestamp server” or “Cannot establish trust chain for timestamp.”
Why this happens:
This could be a simple network error, or your timestamp URL might be wrong or blocked by a firewall.
How to fix it:
Always use DigiCert’s current timestamp server:
Try pinging it in your browser — if you get blocked, check your firewall or proxy settings. You can also test alternative timestamp URLs if DigiCert supports them — but never skip the timestamp just because you hit a hiccup.
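A scripted version of the reachability check, together with a post-signing check that the build really carries a timestamp. This is an added example, not from the original guide; the URL is a placeholder (use the one from DigiCert's documentation) and the file path is hypothetical.

```powershell
# Added example, not from the original guide.
$TimestampUrl = [uri]'http://timestamp.example.invalid'  # placeholder URL
$SignedFile   = 'C:\build\MyApp.exe'                      # hypothetical build output

# TCP reachability only; a request through an HTTP proxy can still behave differently.
function Test-TimestampEndpoint {
    param([uri]$Url)
    $probe = Test-NetConnection -ComputerName $Url.Host -Port $Url.Port -WarningAction SilentlyContinue
    return [bool]$probe.TcpTestSucceeded
}

# Reads the Authenticode signature and reports whether a timestamp is attached.
function Get-TimestampState {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status        = $sig.Status
        Signer        = $sig.SignerCertificate.Subject
        SignerExpires = $sig.SignerCertificate.NotAfter
        Timestamped   = ($null -ne $sig.TimeStamperCertificate)
        Timestamper   = $sig.TimeStamperCertificate.Subject
    }
}

if (-not (Test-TimestampEndpoint $TimestampUrl)) {
    Write-Warning "Cannot reach $($TimestampUrl.Host):$($TimestampUrl.Port). Check firewall or proxy rules."
}

$state = Get-TimestampState $SignedFile
$state | Format-List

# A valid signature with no timestamp stops validating once the signing certificate expires.
if ($state.Status -eq 'Valid' -and -not $state.Timestamped) {
    throw "Signed without a timestamp: the signature is only good until $($state.SignerExpires)."
}
```

Run as the last step of a build, the throw fails the pipeline instead of letting an untimestamped binary ship.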
Final Tips
Installing and using a DigiCert Code Signing Certificate can feel intimidating at first — but most installation errors come down to just a few things: missing private keys, incorrect imports, drivers not installed, or small typos in your SignTool command.
If you get stuck, always:
- Double-check your certificate location in the Certificate Store.
- Confirm your private key is present and matches.
- Verify your subject name or file path exactly.
- Test your USB token on another machine to rule out port issues.
And if all else fails — DigiCert support is famously good. Open a ticket, and they’ll guide you through the fix.
Conclusion
Errors during DigiCert Code Signing Certificate installation can be frustrating — especially when you’re on a deadline to release a new build. But once you know what to look for, these problems are almost always fixable in minutes, not days.
Take your time, follow the steps carefully, and you’ll have your certificate up and running — ready to sign software your users trust.