Microsoft is sunsetting support for third-party kernel-mode driver package digital signatures
The process for signing your kernel-mode driver packages is changing. Starting in 2021, Microsoft will be the sole provider of production kernel-mode code signatures. You will need to start following Microsoft’s updated instructions to sign any new kernel-mode driver packages going forward. See Partner Center for Windows Hardware.
What is DigiCert doing about this?
As a first step in this sunsetting process, DigiCert has removed the Microsoft Kernel-Mode Code platform option from Code Signing certificate request forms: new, reissue, and renew.
This means going forward, you can no longer order, reissue, or renew a code signing certificate for the kernel-mode platform.
How does this affect my existing kernel-mode Code Signing certificate?
You can continue to use your existing certificates to sign Kernel-Mode driver packages until the cross-signed root it is chained to expires. DigiCert brand cross-signed root certificates expire in 2021.
For more details, see our knowledgeable article, Microsoft sunsetting support for cross-signed root certificates with kernel-mode signing capabilities.
CertCentral: Domain validation management for all account types
We are happy to announce all CertCentral accounts now come with domain validation management by default. Now, all account types have access to these domain management features:
To use the new domain validation management features, go to the Domains page (in the left main menu, go to Certificates > Domains).
*For more information about submitting domains for prevalidation, see Domain prevalidation.
Note: Previously, only Enterprise and Partner accounts had the ability to submit domains for prevalidation and manage their domains' validations (domain control validation).
CertCentral: Domain Validation Scope settings apply to TLS orders only
On the Division Preferences page, under Domain Control Validation (DCV), we updated the Domain Validation Scope settings: Submit exact domain for validation and Submit base domains for validation. These updated settings allow you to define the default domain validation behavior when submitting new domains through the TLS certificate order process: EV, OV, and DV. These settings no longer apply to the domain prevalidation process.*
*How do these changes affect the domain prevalidation process?
When submitting domains for prevalidation, you can validate a domain at any level, base or any of the lower level subdomains: example.com, sub1.example.com, sub2.sub1.example.com, etc. See Domain prevalidation.
"Resend create certificate email" option for browser generated Code Signing certificate orders
We added a Resend create certificate email option to our Code Signing certificate process for orders where the certificate is generated in a supported browser: IE 11, Safari, Firefox 68, and portable Firefox.
Now, when a code signing certificate order has the status Emailed to Recipient, you can resend the certificate generation email.
For more information, see Resend "Create Your DigiCert Code Signing Certificate" email.
We fixed a bug preventing the Cancel Order option from appearing for Code Signing (CS) certificate orders with a status of Emailed to Recipient. On the Order details, page the Cancel Order option was missing from the Certificate Actions dropdown.
Note: To cancel the order, you had to contact our support team.
Now, to cancel a Code Signing (CS) certificate order with the status Emailed to Recipient, go to Order details page for the certificate and cancel the order.
For more information, Cancel a certificate order.
CertCentral: Edit organization details
We added a new feature to the organization management process in CertCentral—Edit organization details. Now, to update organization information, go to the Organization details page for that organization and click Edit Organization.
What you need to do before you edit an organization's details
Changing organization details for a validated organization negates all existing validation for the organization. This cannot be undone. This means DigiCert will need to validate the "updated/new" organization before we can issue certificates for it. Before you begin, make sure you understand and accept what happens when you change an organization's details.
For more information, see Edit organization details.
Firefox ending key generation support
With the release of Firefox 69, Firefox will finally drop support for Keygen. Firefox uses Keygen to facilitate generating key material for submitting the public key when generating Code Signing, Client, and SMIME certificates in their browser.
Note: Chrome already dropped support for key generation, and Edge and Opera never supported it.
How does this affect you?
After DigiCert issues your Code Signing, Client, or SMIME certificates, we send you an email with a link to create and install your certificate.
Once Firefox 69 is released, you can only use two browsers to generate these certificates: Internet Explorer and Safari. If company policy requires the use of Firefox, you can use Firefox ESR or a portable copy of Firefox.
For more information, see Keygen support to be dropped with Firefox 69.
Tips and tricks
We added a new status, Emailed to Recipient, to the Orders and Order Details pages, for Code Signing and Client certificate orders, making it easier to identify where these orders are in the issuance process.
This new status indicates the DigiCert has validated the order, and the certificate is waiting for the user/email recipient to generate it in one of the supported browsers: IE 11, Safari, Firefox 68, and portable Firefox.
(In the sidebar menu, click Certificates > Orders. Then, on the Orders page, click the order number for the Code Signing or Client certificate order.)
We updated our Extended Validation (EV) Code Signing (CS) and Document Signing (DS) certificate reissue processes, enabling you to reissue these certificates without automatically revoking the current certificate (original or previously reissued certificate).
Note: If you don't need the current certificate (original or previously reissued certificate), you'll need to contact support so they can revoke it for you.
Now, the next time you reissue an EV CS or DS certificate, you can keep the previously issued certificate active to its current validity period (or for as long as you need it).
DigiCert will continue to support the SHA1 signature for Code Signing certificates. We are removing the max expiration restriction of December 30, 2019.
