Knowledge Base

Description

DigiCert stopped issuing SHA-1 code signing and SHA-1 EV code signing certificates on December 1, 2020.

Note: All existing SHA-1 code signing/EV code signing certificates will remain active until they expire. For more details, see the What do I need to do? Section below.

Why is DigiCert making these changes?

The industry is moving away from SHA-1 code signing and SHA-1 EV code signing certificates and from SHA-1 code signing, EV code signing, and timestamping intermediate CA and root certificates.

To comply with the new industry standards, certificate authorities (CAs) must make these changes by January 1, 2021:

• Stop issuing SHA-1 code signing and SHA-1 EV code signing certificates
• Stop using SHA-1 intermediate CA certificates to issue SHA-256 algorithm code signing, EV code signing, and timestamping certificates

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.

How does this affect me?

As of December 1, 2020, you cannot:

• Order new SHA-1 code signing certificates
• Renew and get SHA-1 code signing certificates
• Reissue and get SHA-1 code signing certificates

What do I need to do?

If you rely on SHA-1 code signing certificates, take these actions as needed before Tuesday December 1, 2020:

• Get your new SHA-1 certificates
• Renew your SHA-1 certificates
• Reissue and get needed SHA-1 certificates*

*Note: You can still use an existing SHA-1 code signing certificate to sign code, after you reissue it and get a SHA-2 code signing certificate. Reissues don't revoke the previously issued code signing certificate.