Starting May 28, 2021, 14:00 MDT (20:00 UTC), DigiCert will require 3072-bit RSA keys or larger for code signing certificates. This change is to comply with industry standards. These new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. ECC key requirements, however, remain unchanged.
Starting June 1, 2023, Standard code signing certificates will require private keys to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent, that supports at least 3072-bit keys. See our New private key storage requirement for Standard Code Signing certificates knowledge base article.
Where can I find the new intermediate CA and root certificates?
DigiCert Trusted Root Authority Certificates
What if my customers need to reissue?
All code signing certificates reissued after May 28 will include the new intermediate and root certificates.
Customers will have the option of using an ECC chain with the SafeNet eToken 5110FIPS or purchasing a SafeNet eToken 5110CC, which is compatible with RSA 4096-bit keys in addition to ECC keys.
To upgrade an existing token or replace older tokens that do not meet the current RSA key size requirements, customers should contact their account manager.
If your environment includes pinned or hard coded references to the previous intermediate and root certificates, you will need to update your environment.
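One way to audit a pinned or stored chain against the RSA size rule above, shown as an added example that is not DigiCert's own tooling: it reads the text produced by `openssl x509 -noout -text` for each certificate and flags any RSA key under 3072 bits while leaving ECC keys alone. The sample chain, its subject names, and the function names are constructed for illustration.

```python
import re

MIN_RSA_BITS = 3072  # RSA floor stated on this page; applies to the whole chain

# Constructed sample: trimmed `openssl x509 -noout -text` output for a
# three-certificate chain (subjects and key sizes are made up).
SAMPLE_CHAIN_TEXT = """\
Certificate:
        Subject: CN = Example Publisher (constructed)
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
Certificate:
        Subject: CN = Example Intermediate CA (constructed)
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
Certificate:
        Subject: CN = Example ECC Root (constructed)
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
"""

SUBJECT = re.compile(r"^\s*Subject:\s*(.+)$", re.M)
ALGO = re.compile(r"Public Key Algorithm:\s*(\S+)")
BITS = re.compile(r"Public-Key:\s*\((\d+) bit\)")  # also matches "RSA Public-Key:"

def audit_chain(text, min_rsa_bits=MIN_RSA_BITS):
    """Return one (subject, algorithm, bits, ok) tuple per certificate."""
    results = []
    for block in re.split(r"^Certificate:[ \t]*$", text, flags=re.M)[1:]:
        subject, algo, bits = SUBJECT.search(block), ALGO.search(block), BITS.search(block)
        name = subject.group(1).strip() if subject else "?"
        if not (algo and bits):
            results.append((name, "unknown", 0, False))  # unparseable: fail closed
            continue
        size = int(bits.group(1))
        # Only RSA keys are held to the 3072-bit floor; ECC is unchanged.
        ok = algo.group(1) != "rsaEncryption" or size >= min_rsa_bits
        results.append((name, algo.group(1), size, ok))
    return results

def chain_compliant(text):
    """True only if at least one certificate was parsed and all of them pass."""
    results = audit_chain(text)
    return bool(results) and all(ok for *_, ok in results)

if __name__ == "__main__":
    for subject, algo, size, ok in audit_chain(SAMPLE_CHAIN_TEXT):
        print(f"{'OK  ' if ok else 'FAIL'} {algo:16} {size:5}  {subject}")
```

To check a real chain, concatenate the `openssl x509 -noout -text` output of each certificate you pin or ship and pass the result to `audit_chain`.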
How do I get the new security token for EV CS certificates?
When you renew a certificate, you can request a new token as part of your order by selecting a Provisioning Method of "Preconfigured Hardware Token". There is no cost for the token when placing a new order.
How do I order extra tokens?
Additional USB eTokens can be purchased to go with your EV Code Signing order. To purchase additional tokens, please reach out to your Account Manager or our Support Team.
Which token should I request?
| Token | Capabilities | Bits |
|---|---|---|
| SafeNet 5110 FIPS | ECC P-256 | 3072/4096 |
| | ECC P-384 | 3072/4096 |
| SafeNet 5110 CC | RSA 4096 | 4096 |
| | ECC P-256 | 4096 |
| | ECC P-384 | 4096 |

Note: SafeNet 5110 CC supports a minimum of 4096 bits even though the industry standard is 3072 bits.
What happens if I pin, hard code, or if I have a trust store for my certificates?
How does this impact my use of Secure Software Manager?
Secure Software Manager (SSM) aligns with the new requirements without the need for hardware. See the DigiCert Secure Software Manager page for more information.