VeriSign and Symantec Timestamping services moving to Digicert.com.
What is happening?
As part of our rebranding initiative following the acquisition of Symantec in 2017, DigiCert has stopped issuing new timestamp signatures from the legacy VeriSign and Symantec timestamp services and now facilitates all future timestamps via our consolidated DigiCert timestamping service.
Which services are affected by this change?
This article is related to the changes required for legacy Symantec and Thawte Code Signing.
What is changing?
DigiCert has stopped issuing new timestamp signatures from the legacy VeriSign and Symantec timestamp services and facilitates all future timestamps via our consolidated DigiCert timestamping service from August 2019 onwards, as follows:
| TSA Type | Current TSA in use | Future TSA in use |
|---|---|---|
| RFC 3161 sha1 | sha1timestamp.ws.symantec.com/sha1/timestamp | timestamp.digicert.com?alg=sha1 |
| RFC 3161 sha256 | sha256timestamp.ws.symantec.com/sha256/timestamp | timestamp.digicert.com?alg=sha256 |
The DigiCert timestamping service will change its IP address on October 23rd, 2019. The URL for this service is timestamp.digicert.com
The new IP address will be: 22.214.171.124
Dates after which the legacy VeriSign and Symantec timestamp services no longer support future timestamping:
| Authenticode | August 16th 2019 | Customers will need to modify signing commands on or before August 16th 2019 to ensure timestamps are successful. |
| RFC 3161 sha1 | October 31st 2019 | Customers will need to modify signing commands on or before October 31st 2019 to ensure timestamps are successful. |
| RFC 3161 sha256 | October 31st 2019 | Customers will need to modify signing commands on or before October 31st 2019 to ensure timestamps are successful. |
Is there any impact to my previous signatures?
There is no impact on any previous timestamp signatures. They are not affected by this change and will continue to be trusted for the duration of the timestamp certificate. This change also has no impact on existing code signing certificates that were used to sign files in the past and continue to be used to sign files in the future.
What changes are required?
Customers will need to make a change to their signing command in order to request timestamping from the DigiCert timestamping service instead of the legacy Symantec timestamping services going forward.
What are the action items for me?
Customers who timestamp during signing should update their signing commands to refer to the DigiCert timestamping service as follows:
MS SignTool Command changes for Authenticode CSP Client Customers:
For Authenticode TSA replace “/t http://timestamp.verisign.com/scripts/timstamp.dll” with “/t http://timestamp.digicert.com?alg=sha1”
For RFC 3161 SHA1 TSA replace “/tr http://sha1timestamp.ws.symantec.com/sha1/timestamp” with “/tr http://timestamp.digicert.com?alg=sha1”
JarSigner Command changes for Java and Android CSP Client Customers:
For RFC 3161 SHA256 replace “-tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp” with “-tsa http://timestamp.digicert.com?alg=sha256”
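To find and update every affected signing command in build scripts, the replacements listed above can be applied mechanically. The following is an added example, not DigiCert tooling: the function name `migrate_text`, the sample script contents and the file names in them are constructed for illustration, and any URL on a legacy host that is not one of the three listed endpoints is reported for manual review instead of being rewritten.

```python
import re

# Legacy endpoint -> replacement, exactly as listed in this article.
REPLACEMENTS = {
    "timestamp.verisign.com/scripts/timstamp.dll": "timestamp.digicert.com?alg=sha1",
    "sha1timestamp.ws.symantec.com/sha1/timestamp": "timestamp.digicert.com?alg=sha1",
    "sha256timestamp.ws.symantec.com/sha256/timestamp": "timestamp.digicert.com?alg=sha256",
}
# Matches any URL on a legacy host, so unlisted paths are flagged, not silently kept.
LEGACY_URL = re.compile(
    r'https?://((?:timestamp\.verisign\.com|sha(?:1|256)timestamp\.ws\.symantec\.com)[^\s"]*)',
    re.IGNORECASE,
)

# Constructed sample build script (certificate and file names are placeholders).
SAMPLE = (
    "signtool sign /f cert.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll app.exe\n"
    "signtool sign /f cert.pfx /tr http://sha1timestamp.ws.symantec.com/sha1/timestamp app.exe\n"
    "jarsigner -keystore ks.jks -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp app.jar alias\n"
    "signtool sign /f cert.pfx /tr http://sha256timestamp.ws.symantec.com/other app.exe\n"
    "signtool sign /f cert.pfx /tr http://timestamp.digicert.com?alg=sha256 app.exe\n"
)

def migrate_text(text):
    """Return (new_text, rewritten, needs_review) for a build script's contents.

    rewritten and needs_review are lists of (line_number, original_url).
    """
    rewritten, needs_review, out = [], [], []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        def swap(match, lineno=lineno):
            target = REPLACEMENTS.get(match.group(1).lower().rstrip("/"))
            if target is None:
                # Legacy host but unknown path: leave untouched and report it.
                needs_review.append((lineno, match.group(0)))
                return match.group(0)
            rewritten.append((lineno, match.group(0)))
            return "http://" + target  # scheme as given in the article
        out.append(LEGACY_URL.sub(swap, line))
    return "".join(out), rewritten, needs_review

if __name__ == "__main__":
    new_text, rewritten, needs_review = migrate_text(SAMPLE)
    print(new_text, end="")
    for lineno, url in needs_review:
        print(f"review line {lineno}: {url}")
```

Running it over a script a second time changes nothing further, so it is safe to use as a recurring check in a build pipeline.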
New DigiCert timestamping service IP address:
If necessary, whitelist this service so you can access it on your network. Due to the IP address change occurring on October 23rd, 2019, existing users may need to update their whitelist. We recommend whitelisting by domain name (timestamp.digicert.com), but if you are required to whitelist by IP, the new IP address will be: 126.96.36.199
We appreciate your business. If you have additional questions, please contact Tech Support or your Account Manager.