Ask a Question

Advanced Search

Alert ID : AL281020215455

Last Modified : 11/13/2020

DigiCert to Stop Issuing SHA-1 Code Signing Certificates

URGENT

Description

On Tuesday, December 1, 2020, DigiCert will stop issuing SHA-1 code signing and SHA-1 EV code signing certificates.

Note: All existing SHA-1 code signing/EV code signing certificates will remain active until they expire. For more details, see the What do I need to do? Section below.

 

Why is DigiCert making these changes?

The industry is moving away from SHA-1 code signing and SHA-1 EV code signing certificates and from SHA-1 code signing, EV code signing, and timestamping intermediate CA and root certificates.

To comply with the new industry standards, certificate authorities (CAs) must make these changes by January 1, 2021:

  • Stop issuing SHA-1 code signing and SHA-1 EV code signing certificates
  • Stop using SHA-1 intermediate CA certificates to issue SHA-256 algorithm code signing, EV code signing, and timestamping certificates

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.

 

How does this affect me?

As of December 1, 2020, you cannot:

  • Order new SHA-1 code signing certificates
  • Renew and get SHA-1 code signing certificates
  • Reissue and get SHA-1 code signing certificates

 

What do I need to do?

If you rely on SHA-1 code signing certificates, take these actions as needed before Tuesday December 1, 2020:

  • Get your new SHA-1 certificates
  • Renew your SHA-1 certificates
  • Reissue and get needed SHA-1 certificates*

*Note: You can still use an existing SHA-1 code signing certificate to sign code, after you reissue it and get a SHA-2 code signing certificate. Reissues don't revoke the previously issued code signing certificate.