Alert ID : AL290421153255
Last Modified : 05/28/2021
Starting from May 28, 2021, 14:00 MDT (20:00 UTC), DigiCert will require 3072-bit RSA keys or larger for code signing certificates. This change is to comply with industry standards. These new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. ECC key requirements however remain unchanged.
Where can I find the new intermediate CA and root certificates?
DigiCert Trusted Root Authority Certificates
What if my customers need to reissue?
All code signing certificates reissued after May 28 will include the new intermediate and root certificates.
Customers will have the option of using an ECC chain with the SafeNet eToken 5110FIPS or purchasing a SafeNet eToken 5110CC which is compatible with RSA4096 bit keys in addition to ECC keys. The cost to upgrade an existing token is $75.
If your environment includes pinned or hard coded references to the previous intermediate and root certificates, you will need to update your environment.
For EV certificates, you need a token or HSM that supports at least the 3072-bit RSA key size.
We are currently working on implementing and finalizing these details. Please bookmark this page and check back soon.
How do I get the new security token for EV CS certificates?
When you renew a certificate, you can request a new token as part of your order. There is no cost for the token when placing a new order after May 28th. We will make the new tokens available as soon as possible, at which point customers can begin upgrading.
How do I order extra tokens?
We are currently working on implementing and finalizing these details. Please bookmark this page and check back soon.
What happens if I pin, hard code, or if I have a trust store for my certificates?
How does this impact my use of Secure Software Manager?
Secure Software Manager (SSM) aligns with the new requirements without the need for hardware. See the DigiCert Secure Software Manager page for more information.
