Change log | docs.digicert.com

Mai 27, 2021

industry standards root certificates certificate signing request reissued certificates new certificates 3072-bit eToken ECC renewed certificates HSM code signing certificates RSA intermediate CA certificates ev code signing certificates industry changes

Industry moves to 3072-bit key minimum RSA code signing certificates

Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.

Stop issuing 2048-bit key code signing certificates
Only issue 3072-bit key or stronger code signing certificates
Use 4096-bit key intermediate CA and root certificates to issue our code signing certificates.

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,

How do these changes affect my existing 2048-bit key certificates?

All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

What if I need 2048-bit key code signing certificates?

Take these actions, as needed, before May 27, 2021:

Order new 2048-bit key certificates
Renew expiring 2048-bit key certificates
Reissue 2048-bit key certificates

How do these changes affect my code signing certificate process starting May 27, 2021?

Reissues for code signing certificate

Starting May 27, 2021, all reissued code signing certificates will be:

3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

New and renewed code signing certificates

Starting May 27, 2021, all new and renewed code signing certificates will be:

3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

CSRs for code signing certificates

Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.

eTokens for EV code signing certificates

Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.

When you order or renew an EV code signing certificate, DigiCert includes a 3072-bit eToken with your purchase. DigiCert provides an eToken with the Preconfigured Hardware Token provisioning option.
When your reissue your EV code signing certificate reissues, you must provide your own 3072-bit eToken. If you don't have one, you will be unable to install your reissued certificate on your eToken.
You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device.

HSMs for EV code signing certificates

Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.

New ICA and root certificates

Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).

RSA ICA and root certificates:

DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
DigiCert Trusted Root G4

ECC ICA and root certificates:

DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
DigiCert Global Root G3

No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.

If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).

References

To learn more about the Code Signing certificate changes, see Code signing changes in 2021.
To get a copy of the new intermediate CA and root certificates, see DigiCert Trusted Root Authority Certificates

If you have questions or concerns, please contact your account manager or our support team.

Décembre 1, 2020

industry changes reissued certificates renewal code signing certificates intermediate CA certificates ev code signing certificates compliance SHA-1 SHA-2

DigiCert va cesser d'émettre certificats de signature de code en SHA-1

Le mardi 1er décembre 2020 HNR, DigiCert cessera d'émettre des certificats de signature de code SHA-1 et des certificats de signature de code EV SHA-1.

Remarque : Tous les certificats de signature de code/signature de code EV en SHA-1 resteront actifs jusqu'à leur expiration.

Pourquoi ces changements de la part de DigiCert ?

Pour respecter les nouvelles normes en vigueur dans l’industrie, les autorités de certification (AC) doivent effectuer les changements suivants d'ici au 1er janvier 2021 :

Cesser d'émettre des certificats de signature de code en SHA-1
Cesser d'émettre des certificats racines et des certificats d’AC intermédiaires en SHA-1 pour émettre des certificats d’horodatage et de signature de code utilisant l’algorithme SHA-256.

Reportez-vous à l’Annexe A des Exigences de base pour l’émission et la gestion des certificats de signature de code approuvés publiquement.

En quoi les changements concernant les certificats de signature de code SHA-1 me concernent-ils ?

Si vous devez utiliser des certificats de signature de code en SHA-1, prenez les mesures suivantes, si nécessaire, avant le 1er décembre 2020 :

Récupérez vos nouveaux certificats SHA-1
Renouvelez vos certificats SHA-1
Réémettez et récupérez les certificats SHA-1 dont vous avez besoin

Pour de plus amples informations sur les changements prévus au 1er décembre 2020, consultez notre article de la base de connaissances DigiCert va cesser d'émettre des certificats de signature de code en SHA-1.

Si vous avez d'autres questions, veuillez contacter votre gestionnaire de compte ou notre équipe de support.

Mars 2, 2020

reissues SHA1 ev code signing certificates sha256 hash algorithm

Option de hachage de signature sur les réémissions de certificats de signature de code EV

Nous avons mis à jour notre processus de réémission de la signature de code de validation étendue (EV). Désormais, lors de la réémission d'un certificat de signature de code EV, vous pouvez sélectionner le hachage de signature pour le certificat : SHA-256 ou SHA-1.

Pour obtenir plus d'informations, consultez la page Réémission ou réintroduction d'un certificat de signature de code EV .

Mai 27, 2021

Décembre 1, 2020

Mars 2, 2020

À propos de