Description

Starting from May 28, 2021, 14:00 MDT (20:00 UTC), DigiCert will require 3072-bit RSA keys or larger for code signing certificates. This change is to comply with industry standards. These new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. ECC key requirements however remain unchanged.

• Code signing certificates issued before May 28 require no changes and will work until they expire.
• After May 28, new, renewed, and reissued code signing certificates from DigiCert will automatically issue with new intermediate CAs and roots.
• After May 28, all code signing certificates will require CSRs with 3072-bit or larger RSA keys. EV code signing certificates will need a new token or an HSM that supports at least 3072-bit keys. Currently most tokens and HSMs only support the smaller 2048-bit keys.

Where can I find the new intermediate CA and root certificates?

DigiCert Trusted Root Authority Certificates

• DigiCert Trusted G4 (RSA default)
• DigiCert Global Root G3 (ECC default)
• DigiCert CS RSA 4096 Root G5 (Future)
• DigiCert CS ECC P384 Root G5 (Future)
  Note: The G5 roots are finalizing roll out and will be optional chains upon launch.

DigiCert's ICAs

• DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 (RSA default)
• DigiCert Global G3 Code Signing ECC SHA384 2021 CA1 (ECC default)
• DigiCert G5 CS RSA4096 SHA384 2021 CA1
• DigiCert G5 CS ECC SHA384 2021 CA1
• DigiCert Trusted G4 Code Signing RSA4096 SHA256 SHA256 2021 CA1
• DigiCert Global G3 Code Signing ECC P256 SHA384 2021 CA1

What if my customers need to reissue?

All code signing certificates reissued after May 28 will include the new intermediate and root certificates. 

Customers will have the option of using an ECC chain with the SafeNet eToken 5110FIPS or purchasing a SafeNet eToken 5110CC  which is compatible with RSA4096 bit keys in addition to ECC keys. The cost to upgrade an existing token is $75. 

If your environment includes pinned or hard coded references to the previous intermediate and root certificates, you will need to update your environment.

For EV certificates, you need a token or HSM that supports at least the 3072-bit RSA key size.

We are currently working on implementing and finalizing these details. Please bookmark this page and check back soon.

How do I get the new security token for EV CS certificates?

When you renew a certificate, you can request a new token as part of your order by selecting a Provisioning Method of "Preconfigured Hardware Token". There is no cost for the token when placing a new order. 

How do I order extra tokens?

Additional USB eTokens can be purchased to go with your EV Code Signing order. To purchase additional tokens, please reach out to your Account Manager or our Support Team

Which token should I request?

Note: Safenet 5110 CC supports a minimum of 4096bit even though the industry standard is 3072bit.