Ask a Question

Advanced Search

Alert ID : AL290421153255

Last Modified : 05/11/2023

Share Via Email

Code signing changes in 2021

Description

Starting from May 28, 2021, 14:00 MDT (20:00 UTC), DigiCert will require 3072-bit RSA keys or larger for code signing certificates. This change is to comply with industry standards. These new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. ECC key requirements however remain unchanged.

  • Code signing certificates issued before May 28 require no changes and will work until they expire.
  • From May 28, 2021, new, renewed, and reissued code signing certificates from DigiCert will automatically issue with new intermediate CAs and roots.
  • From May 28, all code signing certificates will require CSRs with 3072-bit or larger RSA keys.
  • From May 28. 2021 EV code signing certificates will need a new token or an HSM that supports at least 3072-bit keys.


Code signing changes in 2023

On June 1, 2023, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent that supports 3072-bit or larger keys.

DigiCert timeline for changes

DigiCert’s timeline ensures we update our code signing certificate process so that private keys for code signing certificates are stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent by May 30, 2023. Our timeline also allows you to transition to the supported provisioning methods by May 16, 2023.

For more information about these changes, see our knowledge base articles:


Where can I find the new intermediate CA and root certificates?

DigiCert Trusted Root Authority Certificates

DigiCert's ICAs

 

What if my customers need to reissue?

All code signing certificates reissued after May 28 will include the new intermediate and root certificates. 

Customers will have the option of using an ECC chain with the SafeNet eToken 5110FIPS or purchasing a SafeNet eToken 5110CC  which is compatible with RSA4096 bit keys in addition to ECC keys.

To upgrade an existing token or replace older tokens that do not meet the current RSA key size requirements, customers should contact their account manager.

 

If your environment includes pinned or hard-coded references to the previous intermediate and root certificates, you will need to update your environment.


How do I get the new security token for EV CS certificates?

When you renew a certificate, you can request a new token as part of your order by selecting a Provisioning Method of "DigiCert-provided hardware token".

 

How do I order extra tokens?

Additional USB eTokens can be purchased to go with your EV Code Signing order. To purchase additional tokens, please reach out to your Account Manager or our Support Team

Which token should I request?

Token

Capabilities

 Bits

Safenet 5110 FIPS

ECC P-256

3072/4096

 

ECC P-384

3072/4096

 

Safenet 5110 CC

RSA 4096

 4096

ECC P-256

 4096

ECC P-384

 4096

Note: Safenet 5110 CC supports a minimum of 4096 bit even though the industry standard is 3072 bit.


What happens if I pin, hard code, or if I have a trust store for my certificates?

Update your environment with the new root and intermediate CA. DigiCert recommends that you stop pinning and hard coding certificates. Before May 28, make sure that the certificates are trusted and chain up to the new intermediate CA and the DigiCert Trusted Root G4.
 

How does this impact my use of DigiCert® Software Trust Manager?

DigiCert® Software Trust Manager aligns with the new requirements without the need for hardware. See the DigiCert® Software Trust Manager page for more information.