Alert ID : INFO4888

Last Modified : 10/11/2018

Thawte New Code-Signing PKI Hierarchy


Please note that the release of these changes has been delayed until further notice. We will update this page once we have set a new date.


What is happening?

As part of the integration with DigiCert’s certificate issuance platforms, we are updating our code signing PKI hierarchy. This change is essential for the modernization and streamlining of our code signing certificate offerings.

We expect to start issuing all new code signing certificates from DigiCert’s hierarchy and infrastructure by October 31st. After this date, any end-entity certificate you issue will use the new PKI hierarchy. Watch this article for further confirmation on timelines.

Going forward, Thawte code signing certificates will be issued from GeoTrust intermediate CAs. This change facilitates integration with DigiCert platforms and impacts only the root hierarchy. There are no changes to the Thawte brand or product set.

SHA-1 Full Chain End-of-Life (EOL)
Thawte will no longer issue SHA-1 full chain code signing certificates. For those who need SHA-1 full chain support upon expiry, we will continue offering such certificates on the DigiCert brand.

Which services are affected by this change?

These hierarchy changes apply to all:

  •  Public signing services such as Microsoft, Extended Validation, and Java

What happens to my existing certificates?

Your existing certificates are not affected by this change—you may continue using existing certificates to sign your code.

PLEASE NOTE: There is no impact to existing code-signing certificates or the validity of signed files, whether timestamped or otherwise. However, by October 31st, all new code-signing certificates will be issued from DigiCert’s hierarchy and infrastructure.

What happens when I replace a certificate after the hierarchy update?

Your replacement certificate will be signed under the new code signing hierarchy.

What happens when I renew a certificate after the hierarchy update?

Your renewal certificate will be signed under the new code signing hierarchy.

What is the action item for me?

If you have hard-coded the PKI hierarchies in your implementations, ensure that you update them with the new hierarchies.

What are the new Roots and ICAs?

The available new certificates are attached at the bottom of this article.



New Intermediate CAs

Certificate Type
DigiCert RSA
DigiCert RSA SHA-256
SHA1- Root
DigiCert RSA SHA-256
SHA2- Root
Microsoft Authenticode
Microsoft Office VBA
Adobe Air

Not Supported