A code signing certificate is like a trusted passport for your software — it proves your identity to operating systems and users every time someone downloads or installs your app.
But what happens if something goes wrong? Maybe your private key was exposed, your USB token got lost, your company changed its legal name, or your signing process got compromised.
In these situations, you don’t just keep signing and hope for the best. You need to revoke or replace your DigiCert Code Signing Certificate — fast — to protect your software, your users, and your reputation.
This guide explains exactly how revocation and replacement work, when you should take action, and the steps you’ll follow with DigiCert to make it smooth and secure.
What Does It Mean to Revoke a Code Signing Certificate?
Revocation is the process of telling DigiCert (and all operating systems that trust DigiCert) that your certificate should no longer be trusted.
When you revoke a code signing certificate:
- DigiCert updates the Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) servers to mark the certificate as invalid.
- When Windows, macOS, or other systems check your software’s signature, they’ll see that the certificate was revoked.
- This means any new software you sign with that certificate won’t be trusted — it’s basically void.
Already-signed software, however, may continue to work if you timestamped your signature at the time of signing. That’s why timestamping is critical — it preserves trust for legitimate builds that were signed before the revocation date.
Why You Might Need to Revoke or Replace
Here are the most common reasons developers revoke or replace their DigiCert Code Signing Certificates:
Key Compromise
The private key tied to your certificate is the heart of your signing process. If it leaks, a hacker could sign malicious code and pass it off as yours. This is a nightmare scenario for any software publisher — so revocation is required immediately if you suspect your key is compromised.
Lost or Stolen Hardware Token (EV Certificates)
If you have an EV Code Signing Certificate, your private key lives on a secure hardware token. Lose the token, and you lose control over who could potentially sign with your identity. Revoking the certificate renders that token useless.
Company Name Change or Rebranding
If your legal company name changes, you’ll need a new certificate showing the new legal entity name. This means revoking the old one and requesting a replacement to match your new verified identity.
Routine Replacement or Renewal
Sometimes revocation isn’t about emergencies — it’s just part of replacing your expiring certificate with a new one. Best practice is to revoke the old certificate once the new one is active, so there’s no risk of the old key being used accidentally.
How to Revoke a DigiCert Code Signing Certificate
DigiCert makes revocation straightforward — but there’s no “undo” button, so make sure you’re ready before you do it.
Here’s how it works:
Step 1: Identify the Certificate
Log in to your DigiCert account and find the certificate you want to revoke. Double-check the common name, serial number, and product type to be sure you’re not revoking the wrong one.
Step 2: Backup Any Needed Files
Once you revoke a certificate, you can’t sign with it again. So make sure you have timestamped any software that should stay trusted. If you skipped timestamping, your existing builds may also fail trust checks once the cert is revoked.
Step 3: Submit a Revocation Request
In your DigiCert portal, look for the Revoke option under your certificate details. You’ll be asked for a reason:
- Key compromise
- Token lost/stolen
- Organization information change
- Routine replacement
- Other
DigiCert might request additional verification if it’s a security issue like key compromise. Be prepared to provide supporting details.
Step 4: Wait for Confirmation
DigiCert usually processes revocations quickly — often within 24 hours. They’ll update the CRL and OCSP servers, so any system that checks the certificate status sees it as revoked.
You’ll get an email confirmation once it’s done.
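An added check for this step (not from the DigiCert article): once the confirmation email arrives, confirm from a Windows build machine that the old certificate now reports as revoked through a live CRL/OCSP lookup, and that a build you timestamped before the revocation still verifies. The thumbprint, file path and store location are placeholders you replace with your own values.

```powershell
# Added example, not DigiCert's own tooling. Replace both placeholders.
$OldThumbprint = "REPLACE_WITH_OLD_CERT_THUMBPRINT"   # hex, no spaces
$OldBuild      = "C:\releases\MyApp-1.0.exe"          # a build signed + timestamped before revocation
$OldThumbprint = ($OldThumbprint -replace '\s', '').ToUpperInvariant()

# Export the public part of the old certificate from the user store so certutil can
# check it. Use Cert:\LocalMachine\My instead if that is where it was installed.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $OldThumbprint }
if (-not $cert) { throw "Certificate $OldThumbprint not found in Cert:\CurrentUser\My" }
$cerPath = Join-Path $env:TEMP "old-codesign.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# -urlfetch forces fresh CRL/OCSP downloads instead of using cached responses,
# so this reflects what DigiCert's servers currently say about the certificate.
$report = certutil -verify -urlfetch $cerPath 2>&1 | Out-String
$revokedSeen = $report -match 'revoked'
if (-not $revokedSeen) {
    Write-Warning "Revocation not visible yet (CRL/OCSP may still be propagating). Full report:"
    $report
}

# A signature timestamped before the revocation date should still verify;
# an untimestamped one is expected to fail once the certificate is revoked.
$sig = Get-AuthenticodeSignature -FilePath $OldBuild
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "$OldBuild carries no timestamp; expect it to fail trust checks"
}
"Old certificate reported revoked: $revokedSeen"
"Old build '$OldBuild' signature status: $($sig.Status)"
```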
How to Replace Your DigiCert Code Signing Certificate
Replacing isn’t just revocation — it’s about getting a fresh, valid certificate in place to keep signing your software without interruption.
Here’s how replacement works:
Step 1: Start a Reissue or New Order
In your DigiCert account, you can either reissue your certificate or place a new order. Reissuing is often quicker if you’re just fixing minor details or replacing an expiring cert. A new order is required for major changes, like new EV identity verification.
Step 2: Complete Validation
If it’s an OV Code Signing Certificate, DigiCert may just verify your organization info again. For EV, you’ll do the full extended validation — this may include phone verification, legal paperwork, and shipping a new hardware token.
Step 3: Install and Test
Once DigiCert issues your replacement certificate:
- If it’s OV, download the new .pfx file and install it on your build machine.
- If it’s EV, plug in the new hardware token and test that your signing tools (like SignTool) detect it properly.
Always do a test sign and verify that SmartScreen or your target OS accepts the new signature.
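One way to do that test sign and verification, as an added example that is not part of the original guide: it signs a test binary with the replacement certificate, timestamps it with DigiCert’s RFC 3161 server, and then checks from PowerShell that the signature is valid, was made by the new certificate rather than the old one, and carries a timestamp. It assumes signtool.exe from the Windows SDK is on PATH; the thumbprint and file path are placeholders.

```powershell
# Added example, not DigiCert's own tooling. Replace both placeholders.
$NewThumbprint = "REPLACE_WITH_NEW_CERT_THUMBPRINT"   # thumbprint of the replacement cert
$File          = "C:\build\MyApp.exe"                 # a test binary you own
$TsaUrl        = "http://timestamp.digicert.com"       # DigiCert RFC 3161 timestamp server
$NewThumbprint = ($NewThumbprint -replace '\s', '').ToUpperInvariant()

# Select the certificate by thumbprint so the same command works whether the key
# came from an imported .pfx (OV) or lives on the EV hardware token.
# /tr + /td request an RFC 3161 timestamp; without it the signature dies with the cert.
signtool sign /fd SHA256 /sha1 $NewThumbprint /tr $TsaUrl /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa); /v prints chain and timestamp.
signtool verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed: signature is not trusted" }

# Independent check: Valid status, signed by the NEW certificate, and timestamped.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status), expected Valid"
}
if ($sig.SignerCertificate.Thumbprint -ne $NewThumbprint) {
    throw "File was signed with $($sig.SignerCertificate.Thumbprint), not the replacement certificate"
}
if (-not $sig.TimeStamperCertificate) {
    throw "No timestamp present; this signature would not survive revocation or expiry"
}
"OK: signed by $($sig.SignerCertificate.Subject)"
"    timestamped by $($sig.TimeStamperCertificate.Subject)"
```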
Step 4: Revoke the Old One
Once you’re 100% sure your new certificate works, revoke the old certificate so nobody can sign with the outdated key — especially if it was lost, stolen, or compromised.
What Happens to Already Signed Files After Revocation?
A common worry is: “Will my software stop working if I revoke my certificate?”
The good news is — not if you timestamped it properly.
When you sign your software and include a timestamp, the operating system checks that the signature was valid at the time it was signed, not just today. So even if your certificate is revoked later, the trusted timestamp protects older builds.
This is why every reputable developer uses a trusted timestamp server — DigiCert’s timestamp service is included for free.
Best Practices for Secure Replacement
✔️ Always use strong passwords when exporting .pfx files for OV certificates.
✔️ For EV, never share your USB token — treat it like a passport or bank card.
✔️ Store your private key backups securely and offline if possible.
✔️ Rotate certificates proactively — don’t wait until they expire to avoid last-minute panic.
✔️ Monitor your signing environment for unusual activity — if you see unauthorized signing, revoke immediately.
Conclusion
Revoking or replacing a DigiCert Code Signing Certificate might sound stressful — but it’s better than risking a compromised signature that could damage your reputation or expose your customers to malicious code.
The process is straightforward if you follow DigiCert’s steps:
- Identify the certificate.
- Secure your builds with timestamps.
- Submit the revocation.
- Replace the certificate quickly so you never have to pause your software release cycle.
Good security hygiene isn’t just about prevention — it’s about knowing how to respond when something goes wrong. And DigiCert’s support team is there to guide you through every step.