Alert ID : AL290421153255

Last Modified : 05/03/2021

Code signing changes in 2021

Description

Starting May 27, 2021, at 14:00 MDT (20:00 UTC), DigiCert will require 3072-bit or larger RSA keys for code signing certificates. This change is to comply with industry standards. The new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. ECC key requirements, however, remain unchanged.

  • Code signing certificates issued before May 27 require no changes and will work until they expire.
  • After May 27, new, renewed, and reissued code signing certificates from DigiCert will automatically issue with new intermediate CAs and roots.
  • After May 27, all code signing certificates will require CSRs with 3072-bit or larger RSA keys. EV code signing certificates will need a new token or an HSM that supports at least 3072-bit keys. Currently most tokens and HSMs only support the smaller 2048-bit keys.
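The CSR requirement above can be checked before an order is submitted. The following is an added example, not DigiCert tooling: it assumes the OpenSSL command-line tool is installed, and the function names, file names, and certificate subject are constructed for illustration.

```shell
#!/bin/sh
# Added example (not DigiCert tooling): gate CSRs on the 3072-bit RSA minimum.
MIN_RSA_BITS=3072

# Generate an RSA key and CSR of the given size. The subject is a constructed
# placeholder. The key is written unencrypted for demonstration only; EV keys
# are generated on the token or HSM instead.
make_csr() {   # usage: make_csr <bits> <output-basename>
    openssl req -new -newkey "rsa:$1" -nodes \
        -keyout "$2.key" -out "$2.csr" \
        -subj "/O=Example Org/CN=Example Code Signing" 2>/dev/null
}

# Print the public key algorithm named in a PEM CSR.
csr_key_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Print the public key size in bits from a PEM CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Return 0 if acceptable, 1 if the RSA key is too small, 2 if unreadable.
check_csr() {
    alg=$(csr_key_alg "$1")
    bits=$(csr_key_bits "$1")
    case "$alg" in
        rsaEncryption)
            if [ "${bits:-0}" -ge "$MIN_RSA_BITS" ]; then
                echo "OK: $1 has a $bits-bit RSA key"; return 0
            fi
            echo "REJECT: $1 has a ${bits:-0}-bit RSA key, need >= $MIN_RSA_BITS"
            return 1 ;;
        id-ecPublicKey)
            echo "OK: $1 has an ECC key (RSA size rule does not apply)"; return 0 ;;
        *)
            echo "ERROR: $1 is not a readable CSR"; return 2 ;;
    esac
}

# Check a CSR passed on the command line, if any.
if [ "$#" -gt 0 ]; then check_csr "$1"; fi
```

Run it with a CSR path as the only argument; a non-zero exit status means the CSR should not be submitted as is.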

 


Where can I find the new intermediate CA and root certificates?

DigiCert Trusted Root Authority Certificates

 

DigiCert's ICAs

 

What if my customers need to reissue?

All code signing certificates reissued after May 27 will include the new intermediate and root certificates.

If your environment includes pinned or hard-coded references to the previous intermediate and root certificates, you will need to update your environment.

For EV certificates, you need a token or HSM that supports at least the 3072-bit RSA key size.

We are currently working on implementing and finalizing these details. Please bookmark this page and check back soon.

 

How do I get the new security token for EV CS certificates?

When you renew a certificate, you can request a new token as part of your order. We are currently working on implementing and finalizing these details. Please bookmark this page and check back soon.

 

How do I order extra tokens?

We are currently working on implementing and finalizing these details. Please bookmark this page and check back soon.

 

What happens if I pin, hard code, or if I have a trust store for my certificates?

Update your environment with the new root and intermediate CA. DigiCert recommends that you stop pinning and hard coding certificates. Before May 27, make sure that the certificates are trusted and chain up to the new intermediate CA and the DigiCert Trusted Root G4.
 

How does this impact my use of Secure Software Manager?

Secure Software Manager (SSM) aligns with the new requirements without the need for hardware. See the DigiCert Secure Software Manager page for more information.