A code signing certificate is like a trusted passport for your software — it proves your identity to operating systems and users every time someone downloads or installs your app.
But what happens if something goes wrong? Maybe your private key was exposed, your USB token got lost, your company changed its legal name, or your signing process got compromised.
In these situations, you don’t just keep signing and hope for the best. You need to revoke or replace your DigiCert Code Signing Certificate — fast — to protect your software, your users, and your reputation.
This guide explains exactly how revocation and replacement work, when you should take action, and the steps you’ll follow with DigiCert to make it smooth and secure.
What Does It Mean to Revoke a Code Signing Certificate?
Revocation is the process of telling DigiCert (and all operating systems that trust DigiCert) that your certificate should no longer be trusted.
When you revoke a code signing certificate:
- DigiCert updates the Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) servers to mark the certificate as invalid.
- When Windows, macOS, or other systems check your software’s signature, they’ll see that the certificate was revoked.
- This means any new software you sign with that certificate won’t be trusted — it’s basically void.
Already-signed software, however, may continue to work if you timestamped your signature at the time of signing. That’s why timestamping is critical — it preserves trust for legitimate builds that were signed before the revocation date.
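The sign-then-verify routine described above, as an added example (this is not code from the original article or from DigiCert). It pins the certificate by thumbprint rather than letting SignTool auto-select, attaches an RFC 3161 timestamp from DigiCert’s public timestamp server, and then checks that the timestamp countersignature is actually present before the build ships. The thumbprint and file path are placeholders, and it assumes signtool.exe from the Windows SDK is on PATH and the certificate is in the CurrentUser\My store (OV .pfx imported, or the EV token driver installed).

```powershell
# Added example: sign with a timestamp so the signature outlives a later revocation.
# Assumes signtool.exe (Windows SDK) is on PATH and the certificate is visible in
# CurrentUser\My (imported OV .pfx, or EV token with its driver installed).

$Thumbprint = "0000000000000000000000000000000000000000"   # placeholder: your certificate's SHA-1 thumbprint
$Artifact   = ".\release\MyApp.exe"                         # placeholder: build output to sign

# /sha1 pins the signing certificate by thumbprint. The /a auto-select option can
# silently pick an older certificate that is still sitting in the same store.
# /fd SHA256 = file digest, /tr = RFC 3161 timestamp URL, /td SHA256 = timestamp digest.
& signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /v $Artifact
if ($LASTEXITCODE -ne 0) { throw "Signing failed (exit code $LASTEXITCODE)" }

# Verify with the Authenticode policy (/pa), which is what Windows applies at install time.
& signtool.exe verify /pa /v $Artifact
if ($LASTEXITCODE -ne 0) { throw "Verification failed (exit code $LASTEXITCODE)" }

# Confirm a timestamp was really embedded. Without it the signature stops being
# trusted the moment the certificate is revoked or expires.
$sig = Get-AuthenticodeSignature -FilePath $Artifact
if ($sig.Status -ne 'Valid') { throw "Unexpected signature status: $($sig.Status)" }
if ($null -eq $sig.TimeStamperCertificate) {
    throw "No timestamp countersignature found; re-sign with /tr before shipping"
}
"Signed by {0}; timestamped by {1}" -f $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
```

Run it from the build pipeline rather than by hand: the final check is the one that catches a timestamp server outage, which otherwise produces a signature that looks fine today and fails the day the certificate is revoked.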
Why You Might Need to Revoke or Replace
Here are the most common reasons developers revoke or replace their DigiCert Code Signing Certificates:
Key Compromise
The private key tied to your certificate is the heart of your signing process. If it leaks, a hacker could sign malicious code and pass it off as yours. This is a nightmare scenario for any software publisher — so revocation is required immediately if you suspect your key is compromised.
Lost or Stolen Hardware Token (EV Certificates)
If you have an EV Code Signing Certificate, your private key lives on a secure hardware token. Lose the token, and you lose control over who could potentially sign with your identity. Revoking the certificate renders that token useless.
Company Name Change or Rebranding
If your legal company name changes, you’ll need a new certificate showing the new legal entity name. This means revoking the old one and requesting a replacement to match your new verified identity.
Routine Replacement or Renewal
Sometimes revocation isn’t about emergencies — it’s just part of replacing your expiring certificate with a new one. Best practice is to revoke the old certificate once the new one is active, so there’s no risk of the old key being used accidentally.
How to Revoke a DigiCert Code Signing Certificate
DigiCert makes revocation straightforward — but there’s no “undo” button, so make sure you’re ready before you do it.
Here’s how it works:
Step 1: Identify the Certificate
Log in to your DigiCert account and find the certificate you want to revoke. Double-check the common name, serial number, and product type to be sure you’re not revoking the wrong one.
Step 2: Back Up Any Needed Files
Once you revoke a certificate, you can’t sign with it again. So make sure you have timestamped any software that should stay trusted. If you skipped timestamping, your existing builds may also fail trust checks once the cert is revoked.
Step 3: Submit a Revocation Request
In your DigiCert portal, look for the Revoke option under your certificate details. You’ll be asked for a reason:
- Key compromise
- Token lost/stolen
- Organization information change
- Routine replacement
- Other
DigiCert might request additional verification if it’s a security issue like key compromise. Be prepared to provide supporting details.
Step 4: Wait for Confirmation
DigiCert usually processes revocations quickly — often within 24 hours. They’ll update the CRL and OCSP servers, so any system that checks the certificate status sees it as revoked.
You’ll get an email confirmation once it’s done.
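Once the confirmation arrives, you can check for yourself that Windows now sees the certificate as revoked. The script below is an added example (not from the article or from DigiCert): it exports the public half of the old certificate and asks certutil to fetch fresh CRL/OCSP status for it. The thumbprint and temp path are placeholders; the exact wording of certutil’s output is an assumption, so the check looks for the CRYPT_E_REVOKED error code rather than a sentence.

```powershell
# Added example: confirm that a revoked code signing certificate is reported as revoked.
# Assumes the old certificate (only its public part is needed) is still in CurrentUser\My.

$OldThumbprint = "1111111111111111111111111111111111111111"  # placeholder: revoked certificate's thumbprint
$CerPath       = Join-Path $env:TEMP "old-codesign.cer"

function Test-CertRevoked {
    param([Parameter(Mandatory)][string]$Path)
    # -urlfetch downloads the CRL/OCSP responses named in the certificate instead of
    # relying only on the local cache; -f forces a fresh fetch. Matching on the
    # CRYPT_E_REVOKED code is an assumption about certutil's output format.
    $output = & certutil.exe -f -urlfetch -verify $Path 2>&1 | Out-String
    return ($output -match 'CRYPT_E_REVOKED')
}

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $OldThumbprint
if (-not $cert) { throw "Certificate $OldThumbprint not found in CurrentUser\My" }
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

if (Test-CertRevoked -Path $CerPath) {
    "Revocation has propagated: CRL/OCSP report the certificate as revoked"
} else {
    "Not yet reported as revoked: a cached CRL may still be serving the old status; retry later"
}
Remove-Item $CerPath -ErrorAction SilentlyContinue
```

Clients cache CRLs until their next-update time, so a machine that checked the certificate shortly before revocation may keep treating it as valid for a while; the forced fetch above shows what a client with an empty cache would see.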
How to Replace Your DigiCert Code Signing Certificate
Replacing isn’t just revocation — it’s about getting a fresh, valid certificate in place to keep signing your software without interruption.
Here’s how replacement works:
Step 1: Start a Reissue or New Order
In your DigiCert account, you can either reissue your certificate or place a new order. Reissuing is often quicker if you’re just fixing minor details or replacing an expiring cert. A new order is required for major changes, like new EV identity verification.
Step 2: Complete Validation
If it’s an OV Code Signing Certificate, DigiCert may just verify your organization info again. For EV, you’ll do the full extended validation — this may include phone verification, legal paperwork, and shipping a new hardware token.
Step 3: Install and Test
Once DigiCert issues your replacement certificate:
- If it’s OV, download the new .pfx file and install it on your build machine.
- If it’s EV, plug in the new hardware token and test that your signing tools (like SignTool) detect it properly.
Always do a test sign and verify that SmartScreen or your target OS accepts the new signature.
Step 4: Revoke the Old One
Once you’re 100% sure your new certificate works, revoke the old certificate so nobody can sign with the outdated key — especially if it was lost, stolen, or compromised.
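The replacement steps above end with the same question every time: is every shipped artifact now signed with the new certificate, timestamped, and verifying cleanly, so that the old one can be revoked? The script below is an added example (not code from the article or from DigiCert) that audits a release folder against the new certificate’s thumbprint and flags anything still signed with the retired one. Thumbprints, the folder path and the file extensions checked are placeholders and assumptions.

```powershell
# Added example: audit release artifacts after a certificate replacement.
# Every file must be signed with the NEW certificate, carry a timestamp and verify
# cleanly; anything still signed with the old thumbprint is reported for re-signing.

$NewThumbprint = "2222222222222222222222222222222222222222"  # placeholder: replacement certificate thumbprint
$OldThumbprint = "1111111111111111111111111111111111111111"  # placeholder: certificate being retired
$ReleaseDir    = ".\release"                                  # placeholder: build output folder

function Get-SigningAuditReport {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [string]$RetiredThumbprint
    )
    # Only file types that carry Authenticode signatures are inspected (assumed set).
    Get-ChildItem -Path $Directory -Recurse -Include *.exe,*.dll,*.msi,*.ps1 -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $problems = @()
        if ($sig.Status -ne 'Valid') { $problems += "status=$($sig.Status)" }
        if ($null -eq $sig.SignerCertificate) {
            $problems += "unsigned"
        } elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            if ($RetiredThumbprint -and $sig.SignerCertificate.Thumbprint -eq $RetiredThumbprint) {
                $problems += "signed with retired certificate"
            } else {
                $problems += "unexpected signer $($sig.SignerCertificate.Thumbprint)"
            }
        }
        if ($null -eq $sig.TimeStamperCertificate) { $problems += "no timestamp" }
        [pscustomobject]@{
            File     = $_.FullName
            Ok       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

$report = Get-SigningAuditReport -Directory $ReleaseDir -ExpectedThumbprint $NewThumbprint -RetiredThumbprint $OldThumbprint
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    # Non-zero exit so a CI job blocks the release until every artifact is re-signed.
    Write-Error "$($bad.Count) artifact(s) failed the signing audit; keep the old certificate active until they are re-signed"
    exit 1
}
"All artifacts are signed with $NewThumbprint and timestamped; safe to revoke $OldThumbprint"
```

Running this as a gate before the revocation request turns “100% sure” into something the pipeline can prove, and the "signed with retired certificate" finding is exactly the accidental use of the old key that routine replacement is meant to prevent.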
What Happens to Already Signed Files After Revocation?
A common worry is: “Will my software stop working if I revoke my certificate?”
The good news is — not if you timestamped it properly.
When you sign your software and include a timestamp, the operating system checks that the signature was valid at the time it was signed, not just today. So even if your certificate is revoked later, the trusted timestamp protects older builds.
This is why every reputable developer uses a trusted timestamp server — DigiCert’s timestamp service is included for free.
Best Practices for Secure Replacement
✔️ Always use strong passwords when exporting .pfx files for OV certificates.
✔️ For EV, never share your USB token — treat it like a passport or bank card.
✔️ Store your private key backups securely and offline if possible.
✔️ Rotate certificates proactively — don’t wait until they expire to avoid last-minute panic.
✔️ Monitor your signing environment for unusual activity — if you see unauthorized signing, revoke immediately.
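Two of the items above can be scripted. The following is an added example (not from the article or from DigiCert) that warns when a code signing certificate in the current user’s store is within a chosen number of days of expiry, and exports an OV certificate to .pfx only with a prompted password and AES-256 protection. The warning window, output path and thumbprint are placeholders.

```powershell
# Added example: proactive rotation warning and a safer .pfx export for OV certificates.

function Get-ExpiringCodeSigningCerts {
    param([int]$WarnDays = 60)
    $cutoff = (Get-Date).AddDays($WarnDays)
    # -CodeSigningCert limits the listing to certificates with the code signing EKU.
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -lt $cutoff } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
}

function Export-CodeSigningPfx {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$OutFile
    )
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    # The password is prompted as a SecureString so it never lands in a script,
    # a CI variable or the shell history.
    $pfxPassword = Read-Host -Prompt "PFX password (use a long, unique passphrase)" -AsSecureString
    # AES256_SHA256 replaces the legacy 3DES/SHA-1 protection of older exports.
    Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword -CryptoAlgorithmOption AES256_SHA256 | Out-Null
    # Move the resulting file to offline storage; do not leave it on the build machine.
    Get-Item $OutFile
}

$expiring = @(Get-ExpiringCodeSigningCerts -WarnDays 60)
if ($expiring.Count -gt 0) {
    Write-Warning "Start the reissue or renewal process now for:"
    $expiring | Format-Table -AutoSize
} else {
    "No code signing certificates expire within 60 days"
}
```

Schedule the expiry check to run weekly on the build machine; sixty days is enough lead time for EV re-validation and token shipping, which is the slow part of a replacement.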
Conclusion
Revoking or replacing a DigiCert Code Signing Certificate might sound stressful — but it’s better than risking a compromised signature that could damage your reputation or expose your customers to malicious code.
The process is straightforward if you follow DigiCert’s steps:
- Identify the certificate.
- Secure your builds with timestamps.
- Submit the revocation.
- Replace the certificate quickly so you never have to pause your software release cycle.
Good security hygiene isn’t just about prevention — it’s about knowing how to respond when something goes wrong. And DigiCert’s support team is there to guide you through every step.
FAQs
Why would I need to revoke my DigiCert code signing certificate?
You should revoke a code signing certificate if the private key is lost, stolen, or compromised; if the hardware token is lost; if you no longer need the certificate; or if you want to replace it due to organizational changes. Revoking ensures unauthorized parties can’t use your certificate to sign software.
How do I start the revocation process for a DigiCert code signing certificate?
Log in to your DigiCert CertCentral account, go to your list of certificates, select the certificate you wish to revoke, and choose the “Revoke” option. You will need to specify the reason for revocation, such as key compromise or replacement.
Who needs to approve a revocation request?
For organizational accounts, a CertCentral administrator typically needs to approve the revocation request before DigiCert will process it. Admins can sometimes expedite this by approving immediately, depending on permission levels.
Is revoking a code signing certificate reversible?
No, revoking a code signing certificate is permanent. Once revoked, the certificate cannot be restored or used to sign code again.
What happens to software already signed with a revoked certificate?
After revocation, any software signed by that certificate will be flagged as untrusted and may show security warnings, even if it was previously timestamped. To maintain trust, resign your code with a new, valid certificate.
How do I replace an expired or revoked DigiCert code signing certificate?
Purchase or request a new code signing certificate from DigiCert. Complete the required validation process, install the new certificate, and re-sign your software to ensure it is trusted by users and systems.
What information do I need to provide to revoke a certificate?
You will be asked for the certificate’s order number, the reason for revocation (such as key compromise or superseded), and any comments for your account administrator or DigiCert.
Can I revoke and replace a DigiCert code signing certificate at the same time?
Yes, you can request a new certificate while revoking the old one. Make sure you re-sign any previously signed code files with the new certificate to avoid user warnings.
How long does it take for DigiCert to process a revocation?
Once the revocation request is approved by your organization’s admin, DigiCert processes the revocation promptly — often within the same day.
What immediate steps should I take after revoking my certificate?
Re-sign all previously signed and distributed code with your new certificate, update users or partners as needed, and ensure distribution channels and documentation reflect the change.
What does it mean to revoke a DigiCert Code Signing Certificate?
Revoking a DigiCert Code Signing Certificate means invalidating the certificate before its expiration date, typically due to a security breach, loss of private key, or other issues that compromise its integrity. Once revoked, the certificate can no longer be used to sign software, and users will be notified if they attempt to install or run software signed with a revoked certificate.
Can I use the same private key when replacing a DigiCert Code Signing Certificate?
No, when replacing a revoked DigiCert Code Signing Certificate, you will need a new private key associated with the new certificate. You cannot reuse the old private key as it’s tied to the revoked certificate and is no longer secure.
Will revoking my DigiCert Code Signing Certificate affect my existing software users?
Yes, if you revoke your DigiCert Code Signing Certificate, users who try to install or run software signed with the revoked certificate will receive warnings that the software is from an untrusted source. To avoid this, you must replace the revoked certificate and re-sign the software with a new certificate.
Is there a cost to revoke or replace a DigiCert Code Signing Certificate?
Typically, revoking a DigiCert Code Signing Certificate is free. However, there may be a cost to replace it, as you’ll need to purchase a new certificate. The renewal or replacement cost will depend on the type of certificate you choose (Standard or EV) and any ongoing promotions.
Can I get a refund if I revoke my DigiCert Code Signing Certificate early?
Refund policies vary depending on DigiCert’s terms and the certificate you purchased. Generally, DigiCert offers a pro-rata refund if you revoke a certificate within a certain period after purchase. Be sure to check their terms and conditions for specific refund policies related to early revocation.
What happens to the timestamp if I revoke my DigiCert Code Signing Certificate?
If you revoke your DigiCert Code Signing Certificate, the timestamp associated with your signed software will still be valid, as long as the timestamp was added before the certificate was revoked. This ensures that the software can still be verified as having been signed at the time of issuance, even after the certificate is revoked.