Issue Leaf Certificate

An end-entity certificate with the Code Signing EKU.

Leaf / End-Entity Certificate: The final cert in the chain — the one actually used for signing, TLS, email, etc. Cannot issue further certificates.
This certificate is specifically authorized to sign executable software.

Certificate Details

Issuing CA

In practice, leaf certificates are almost always issued by an Intermediate CA, not directly by the Root CA. This keeps the root's private key offline and limits exposure. Direct root issuance is technically valid but uncommon outside of test environments.

Label (display name inside PKILab)

Common Name (CN)

The name that identifies the software publisher — typically the company or developer name.

Organization (O)

Country (C)

Key Type

Key Size

Validity (days)

Leaf certs typically last 1 year (365 days) or less.

Cancel