CertCentral: Improved Order details page
DigiCert is happy to announce that we improved the layout and design of the Order details page.
We took your feedback and updated the Orders page to make managing your certificates and orders easier throughout their lifecycle.
When we reorganized the information on the Order details page, we didn’t remove anything. So, everything you did before the updates, you can still do now. However, there are a few things you asked for that you can do now that you couldn’t do before.
Summary of changes:
See the changes for yourself. In your CertCentral account, in the left main menu, go to Certificates > Orders.
Want to provide feedback?
The next time you are in your CertCentral account, locate the “d” icon in the lower right corner of the page (white “d” in a blue circle) and click it. Use the Share Your Feedback feature to let us know your thoughts on the changes. And don’t hesitate to provide feedback about other CertCentral pages and functionality.
CertCentral: DigiCert KeyGen, our new key generation service
DigiCert is happy to announce our new key generation service—KeyGen. Use KeyGen to generate and install your client and code signing certificates from your browser. KeyGen can be used on macOS and Windows and is supported by all major browsers.
With KeyGen, you don't need to generate a CSR to order your client and code signing certificates. Place your order without a CSR. Then after we process the order and your certificate is ready, DigiCert sends a "Generate your Certificate" email with instructions on using KeyGen to get your certificate.
How does KeyGen work?
KeyGen generates a key pair and then uses the public key to create a certificate signing request (CSR). KeyGen sends the CSR to DigiCert, and DigiCert sends the certificate back to KeyGen. KeyGen then downloads a PKCS12 (.p12) file containing the certificate and the private key to your desktop. The password you create during the certificate generation process protects the PKCS12 file. When you use the password to open the certificate file, the certificate is installed in your personal certificate store.
To learn more about generating client and code signing certificates from your browser, see the following instructions:
Verified Mark Certificates (VMC): Three new approved trademark offices
We are happy to announce that DigiCert now recognizes three more intellectual property offices for verifying the logo for your VMC certificate. These new offices are in Korea, Brazil, and India.
New approved trademark offices:
Other approved trademark offices:
What is a Verified Mark Certificate?
Verified Mark Certificates (VMCs) are a new type of certificate that allows companies to place a certified brand logo next to the “sender” field in customer inboxes.
Bugfix: Code Signing (CS) certificate generation email sent only to CS verified contact
We fixed a bug in the Code Signing (CS) certificate issuance process where we were sending the certificate generation email to only the CS verified contact. This bug only happened when the requestor did not include a CSR with the code signing certificate request.
Now, for orders submitted without a CSR, we send the code signing certificate generation email to:
Note: DigiCert recommends submitting a CSR with your Code Signing certificate request. Currently, Internet Explorer is the only browser that supports keypair generation. See our knowledgebase article: Keygen support dropped with Firefox 69.
Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes.
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificate
Starting May 27, 2021, all reissued code signing certificates will be:
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
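As an added example (not DigiCert's KeyGen code), the following POSIX shell script reproduces the KeyGen flow described in the "How does KeyGen work?" section with the openssl CLI and applies the CSR rule above: generate a key pair, build a CSR, check that its RSA key is at least 3072 bits before it is submitted, and package the key and certificate as a password-protected PKCS12 file. The scratch directory, subject fields, passphrase, and the self-signed certificate standing in for the one DigiCert returns are all assumptions.

```shell
#!/bin/sh
# Added example: reproduce the KeyGen flow offline with the openssl CLI and check a
# CSR's RSA key size against the 3072-bit code signing minimum before submitting it.
set -eu

WORK=$(mktemp -d)   # scratch directory for keys, CSR and bundle (assumption)

# gen_key_and_csr BITS KEY CSR: generate an RSA private key and a PKCS#10 CSR.
# The subject fields are constructed sample values, not a real organization.
gen_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$1" -out "$2" 2>/dev/null
  openssl req -new -sha256 -key "$2" -out "$3" \
    -subj "/C=US/ST=Utah/L=Lehi/O=Example Signing Co/CN=Example Signing Co"
}

# csr_key_bits CSR: print the modulus size (in bits) of the RSA key in a CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_meets_minimum CSR: succeed only when the CSR key is at least 3072 bits,
# which is what the May 27, 2021 CSR rule requires for code signing requests.
csr_meets_minimum() {
  bits=$(csr_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge 3072 ]
}

# bundle_p12 KEY CERT OUT PASSWORD: package key and certificate as a PKCS#12 (.p12)
# file protected by PASSWORD, the same kind of artifact KeyGen hands to the browser.
bundle_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# p12_opens_with PASSWORD P12: succeed when PASSWORD unlocks the bundle (MAC check).
p12_opens_with() {
  openssl pkcs12 -in "$2" -passin "pass:$1" -noout 2>/dev/null
}

# Walk through the flow once: 3072-bit key, CSR, size check, then a self-signed
# certificate standing in for the one DigiCert would return (assumption: offline).
gen_key_and_csr 3072 "$WORK/key.pem" "$WORK/request.csr"
csr_meets_minimum "$WORK/request.csr"
openssl x509 -req -in "$WORK/request.csr" -signkey "$WORK/key.pem" -days 1 \
  -out "$WORK/cert.pem" 2>/dev/null
bundle_p12 "$WORK/key.pem" "$WORK/cert.pem" "$WORK/bundle.p12" 'constructed-passphrase'
p12_opens_with 'constructed-passphrase' "$WORK/bundle.p12"
echo "CSR key: $(csr_key_bits "$WORK/request.csr") bits; bundle written to $WORK/bundle.p12"
```

Run the size check against a 2048-bit CSR to see it fail, which is what DigiCert's order form will do after the cutover.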
eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).
RSA ICA and root certificates:
ECC ICA and root certificates:
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).
References
If you have questions or concerns, please contact your account manager or our support team.
DigiCert to stop issuing SHA-1 code signing certificates
On Tuesday, December 1, 2020 MST, DigiCert will stop issuing SHA-1 code signing and SHA-1 EV code signing certificates.
Note: All existing SHA-1 code signing/EV code signing certificates will remain active until they expire.
Why is DigiCert making these changes?
To comply with the new industry standards, certificate authorities (CAs) must make the following changes by January 1, 2021:
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.
How do the SHA-1 code signing certificate changes affect me?
If you rely on SHA-1 code signing certificates, take these actions as needed before December 1, 2020:
For more information about the December 1, 2020 changes, see our knowledgebase article DigiCert to Stop Issuing SHA-1 Code Signing Certificates.
If you have additional questions, please contact your account manager or our support team.
Microsoft is sunsetting support for third-party kernel-mode driver package digital signatures
The process for signing your kernel-mode driver packages is changing. Starting in 2021, Microsoft will be the sole provider of production kernel-mode code signatures. You will need to start following Microsoft’s updated instructions to sign any new kernel-mode driver packages going forward. See Partner Center for Windows Hardware.
What is DigiCert doing about this?
As a first step in this sunsetting process, DigiCert has removed the Microsoft Kernel-Mode Code platform option from Code Signing certificate request forms: new, reissue, and renew.
This means going forward, you can no longer order, reissue, or renew a code signing certificate for the kernel-mode platform.
How does this affect my existing kernel-mode Code Signing certificate?
You can continue to use your existing certificates to sign kernel-mode driver packages until the cross-signed root they chain to expires. DigiCert brand cross-signed root certificates expire in 2021.
For more details, see our knowledgebase article, Microsoft sunsetting support for cross-signed root certificates with kernel-mode signing capabilities.
CertCentral: Domain validation management for all account types
We are happy to announce all CertCentral accounts now come with domain validation management by default. Now, all account types have access to these domain management features:
To use the new domain validation management features, go to the Domains page (in the left main menu, go to Certificates > Domains).
*For more information about submitting domains for prevalidation, see Domain prevalidation.
Note: Previously, only Enterprise and Partner accounts had the ability to submit domains for prevalidation and manage their domains' validations (domain control validation).
CertCentral: Domain Validation Scope settings apply to TLS orders only
On the Division Preferences page, under Domain Control Validation (DCV), we updated the Domain Validation Scope settings: Submit exact domain for validation and Submit base domains for validation. These updated settings allow you to define the default domain validation behavior when submitting new domains through the TLS certificate order process: EV, OV, and DV. These settings no longer apply to the domain prevalidation process.*
*How do these changes affect the domain prevalidation process?
When submitting domains for prevalidation, you can validate a domain at any level, base or any of the lower level subdomains: example.com, sub1.example.com, sub2.sub1.example.com, etc. See Domain prevalidation.
"Resend create certificate email" option for browser generated Code Signing certificate orders
We added a Resend create certificate email option to our Code Signing certificate process for orders where the certificate is generated in a supported browser: IE 11, Safari, Firefox 68, and portable Firefox.
Now, when a code signing certificate order has the status Emailed to Recipient, you can resend the certificate generation email.
For more information, see Resend "Create Your DigiCert Code Signing Certificate" email.
We fixed a bug preventing the Cancel Order option from appearing for Code Signing (CS) certificate orders with a status of Emailed to Recipient. On the Order details page, the Cancel Order option was missing from the Certificate Actions dropdown.
Note: To cancel the order, you had to contact our support team.
Now, to cancel a Code Signing (CS) certificate order with the status Emailed to Recipient, go to the Order details page for the certificate and cancel the order.
For more information, see Cancel a certificate order.
CertCentral: Edit organization details
We added a new feature to the organization management process in CertCentral—Edit organization details. Now, to update organization information, go to the Organization details page for that organization and click Edit Organization.
What you need to do before you edit an organization's details
Changing organization details for a validated organization negates all existing validation for the organization. This cannot be undone. This means DigiCert will need to validate the "updated/new" organization before we can issue certificates for it. Before you begin, make sure you understand and accept what happens when you change an organization's details.
For more information, see Edit organization details.
Firefox ending key generation support
With the release of Firefox 69, Firefox will finally drop support for Keygen. Firefox uses Keygen to generate the key material and submit the public key when you generate Code Signing, Client, and S/MIME certificates in the browser.
Note: Chrome already dropped support for key generation, and Edge and Opera never supported it.
How does this affect you?
After DigiCert issues your Code Signing, Client, or SMIME certificates, we send you an email with a link to create and install your certificate.
Once Firefox 69 is released, you can only use two browsers to generate these certificates: Internet Explorer and Safari. If company policy requires the use of Firefox, you can use Firefox ESR or a portable copy of Firefox.
For more information, see Keygen support to be dropped with Firefox 69.
Tips and tricks
We added a new status, Emailed to Recipient, to the Orders and Order Details pages, for Code Signing and Client certificate orders, making it easier to identify where these orders are in the issuance process.
This new status indicates that DigiCert has validated the order and the certificate is waiting for the user/email recipient to generate it in one of the supported browsers: IE 11, Safari, Firefox 68, and portable Firefox.
(In the sidebar menu, click Certificates > Orders. Then, on the Orders page, click the order number for the Code Signing or Client certificate order.)
We updated our Extended Validation (EV) Code Signing (CS) and Document Signing (DS) certificate reissue processes, enabling you to reissue these certificates without automatically revoking the current certificate (original or previously reissued certificate).
Note: If you don't need the current certificate (original or previously reissued certificate), you'll need to contact support so they can revoke it for you.
Now, the next time you reissue an EV CS or DS certificate, you can keep the previously issued certificate active to its current validity period (or for as long as you need it).
DigiCert will continue to support the SHA1 signature for Code Signing certificates. We are removing the max expiration restriction of December 30, 2019.