Ask a Question

Advanced Search

Alert ID : GN270718153533

Last Modified : 03/05/2019

SAS New Code-Signing PKI Hierarchy


SAS Code-Signing PKI Hierarchy changes for Test Signing, Android and Client Admin certificates

What is happening?

As part of the integration with DigiCert's certificate issuance platforms, we are updating some of our code signing PKI hierarchy on Secure App Service (SAS). This change is part of the modernization and streamlining of our code signing certificate offerings.

We expect to start issuing new code signing certificates for Test Signing, Android and Client Admin certificates on February 21st, 2019. After this date, Test Signing, Android and Client Admin new certificates issued will come from a different PKI hierarchy compared to what is in use today.

Which services are affected by this change?

Hierarchy changes will be made to the following certificates:

  • Test signing services
  • Android Signing
  • Administrator certificates for accessing the console via browser
  • Administrator certificates for accessing the service via APIs

The following hierarchy’s will remain unchanged:

  •  Public signing services such as Microsoft, Extended Validation, and Java

What happens to my existing certificates?

Your existing signing certificates are not affected by this change-you may continue using existing certificates to sign your code. Existing administrator certificates will continue to allow access to the console and APIs for the duration of their validity.

PLEASE NOTE: There is no impact to existing code-signing certificates or the validity of signed files, whether timestamped or otherwise. However, starting on February 21st, 2019, all test, android and administrator certificates will be issued from a new hierarchy and DigiCert infrastructure.

What is the action item for me?

If you have hard-coded the PKI hierarchies for test signing in your implementations, ensure that you add the new test signing root and ICA so test signing can be validated. When you are replacing admin certificates before they expire, please ensure to follow the steps needed to preload the Root and ICA in your browser to enable authentication to the console.

What are the new Roots and ICAs?

The available new certificates are attached at the bottom of this article.


New Intermediate CAs


Certificate Type
Symantec Android
Private Symantec SHA-2 Root

DigiCert Test (ALL)

Private Symantec SHA-2 TEST Root



(Secure App Service only)




Certificate Type
Symantec RSA SHA-256
SHA-2 Root
Administrator Certificate