GlobalSign Code Signing with USB token: setup and installation

This guide covers the complete process from ordering to your first signature with a GlobalSign Code Signing certificate on a SafeNet USB token. You will get an overview of validation, driver installation, token initialization, certificate retrieval via Fortify and practical signing tips.

What to expect after ordering

1. FairSSL creates the order with GlobalSign
   We submit your order to GlobalSign and start the validation process.

2. GlobalSign begins organization validation
   Validation may include document signing and a phone call to the company main number.

3. Phone verification (approx. 2 minutes)
   The contact person from the order must be reachable at the company main number.

4. USB token shipped by post
   SafeNet eToken 5110 CC delivered to your postal address (~7 business days). Express shipping (1-2 business days) available for €65. The token is shipped separately from the certificate.

5. Certificate sent via email
   GlobalSign sends an email with a download link for the certificate.

Step 1: Complete validation

GlobalSign validates your organization before the certificate is issued. The process may include:

  • Documents to sign (sent via email)
  • Phone call to company main number. GlobalSign asks to speak with the contact person listed on the order.

Tip: Let reception know to expect a call from GlobalSign and be ready to transfer the call to the right contact person. This speeds up validation significantly.

Step 2: Receive USB token

GlobalSign ships a SafeNet eToken 5110 CC to the postal address listed on the order. The token is shipped after validation is complete. Standard delivery takes approximately 7 business days. Express shipping (1-2 business days) can be added for €65 at the time of ordering.

Already have a working token? If you are renewing and already have a working SafeNet token from a previous order, GlobalSign may not send a new one. Your new certificate can be installed on the existing token.

Step 3: Install SafeNet drivers

Install SafeNet Authentication Client drivers on the computer where you will use the token.

Important: Install drivers before attempting to retrieve the certificate. If this is a renewal, update to the latest driver version.

Step 4: Initialize USB token (new tokens only)

Initialize the token to reset it and set your security codes. Open SafeNet Authentication Client, right-click your token and select "Initialize Token".

Security codes

  • PIN: Used for signing operations. This is the code you enter daily.
  • PUK: Used to unlock PIN if it gets locked, and to reset/wipe the device.
  • Token Password: Used during certificate installation. We recommend using the same code as PIN, as some systems confuse these two.
  • Administrator Password: Used to wipe/reset the device. Default is 48 zeros. We recommend that you do not change this.

Check PIN Policy for code requirements. If the code is too long, it may not be recognized later. Check the allowed lengths and character types in SafeNet Authentication Client under Token Settings before choosing a code.

Critical warning: If Administrator Password or PUK is entered incorrectly 5 times, the token is permanently destroyed. It cannot be recovered. You will need to purchase a new token.

Step 5: Install Fortify software

Fortify is required to retrieve the GlobalSign certificate. The software acts as a bridge between your web browser and the USB token, allowing the certificate to be installed directly on the token from the browser.

Download Fortify from fortifyapp.com and install it before proceeding to the next step.

Step 6: Retrieve the certificate

Retrieve the certificate using the link sent by GlobalSign and the one-time code provided by FairSSL. Follow these steps:

  • Use Edge, Firefox, Chrome or Safari with Fortify installed
  • Plug in the USB token before opening the link
  • During installation, use Token Password (not PIN) to authorize access to the device

Do not use Edge IE mode. Internet Explorer compatibility mode in Edge does not work with Fortify. Use the normal browser mode.

Step 7: Sign your code

The certificate is now installed on your USB token and ready to use. You can use the token on other machines by installing the SafeNet driver and plugging in the token.

The certificate and private key cannot be copied or exported from the token. The token is the only way to use the certificate. Store it securely.

Example with signtool

signtool sign /fd sha256 /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td sha256 /a "MyApp.exe"

The SafeNet driver will prompt for your PIN code when signtool attempts to sign.

Tips and troubleshooting

Always use timestamping

Always include a timestamp when signing. This ensures the signature remains valid after the certificate expires.

signtool sign /fd sha256 /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td sha256 /a "MyApp.exe"
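
The check below is an added example, not part of the original guide or of FairSSL's or GlobalSign's tooling: it signs once with the command above, then uses Get-AuthenticodeSignature to confirm the signature is valid and carries a timestamp. The function name and file path are illustrative, and signtool.exe is assumed to be on PATH with the token plugged in.

```powershell
# Added example: sign once, then confirm the signature carries a timestamp.
# Assumes signtool.exe is on PATH and the SafeNet token is plugged in.
# Invoke-TimestampedSign and .\MyApp.exe are illustrative names.
function Invoke-TimestampedSign {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $TimestampUrl = 'http://timestamp.globalsign.com/tsa/r6advanced1'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Single attempt only: a retry loop around a wrong PIN uses up token attempts.
    & signtool sign /fd sha256 /tr $TimestampUrl /td sha256 /a $Path
    if ($LASTEXITCODE -ne 0) {
        throw "signtool exited with code $LASTEXITCODE; not retrying."
    }

    # Read the Authenticode signature back from the file that was just signed.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # TimeStamperCertificate is empty when the file was signed without /tr.
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "Signature has no timestamp; it will not remain valid after the certificate expires."
    }

    # Summary for the build log.
    [pscustomobject]@{
        File          = $Path
        Signer        = $sig.SignerCertificate.Subject
        SignerExpires = $sig.SignerCertificate.NotAfter
        TimestampedBy = $sig.TimeStamperCertificate.Subject
    }
}

Invoke-TimestampedSign -Path '.\MyApp.exe'
```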

Backward compatibility: import CA certificates

For backward compatibility: import the "GlobalSign Code Signing Root R45 (R3 cross)" CA certificate into SafeNet under Advanced on your token. In some cases, you also need to import the intermediate certificate.

Enable single logon

In SafeNet Authentication Client: Client Settings → Advanced → Enable single logon. This way you are only prompted for PIN once per session instead of for every signing operation.

Automated CI/CD signing

Automated signing with signtool is technically possible using undocumented parameters for token name, key container name and password. Contact FairSSL for guidance.

Token locks after wrong code entries

The token locks itself after repeated wrong code entries. Some software may retry automatically, using up attempts. Check remaining attempts in SafeNet Authentication Client.

Extra USB tokens

Extra USB tokens can be purchased from FairSSL for €100. They are delivered faster than GlobalSign's standard shipping.

Frequently asked questions about GlobalSign USB token

Yes. Install the SafeNet driver and plug in the token. The certificate travels with the token.
No. Standard Windows RDP does not support USB token forwarding. Use TeamViewer or AnyDesk instead.
Use PUK to unlock PIN. If PUK is also blocked: use Administrator Password to reset the device (this deletes the certificate). If Administrator Password is forgotten: the token is permanently destroyed.
Not necessarily. Your new certificate can be installed on your existing token.
