筛选方式: code signing certificates x 清除
compliance

Industry moves to 3072-bit key minimum RSA code signing certificates

Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.

  • Stop issuing 2048-bit key code signing certificates
  • Only issue 3072-bit key or stronger code signing certificates
  • Use 4096-bit key intermediate CA and root certificates to issue our code signing certificates.

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,

How do these changes affect my existing 2048-bit key certificates?

All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

What if I need 2048-bit key code signing certificates?

Take these actions, as needed, before May 27, 2021:

  • Order new 2048-bit key certificates
  • Renew expiring 2048-bit key certificates
  • Reissue 2048-bit key certificates

How do these changes affect my code signing certificate process starting May 27, 2021?

Reissues for code signing certificate

Starting May 27, 2021, all reissued code signing certificates will be:

  • 3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
  • Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

New and renewed code signing certificates

Starting May 27, 2021, all new and renewed code signing certificates will be:

  • 3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
  • Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

CSRs for code signing certificates

Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.

eTokens for EV code signing certificates

Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.

  • When you order or renew an EV code signing certificate, DigiCert includes a 3072-bit eToken with your purchase. DigiCert provides an eToken with the Preconfigured Hardware Token provisioning option.
  • When your reissue your EV code signing certificate reissues, you must provide your own 3072-bit eToken. If you don't have one, you will be unable to install your reissued certificate on your eToken.
  • You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device.

HSMs for EV code signing certificates

Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.

New ICA and root certificates

Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).

RSA ICA and root certificates:

  • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  • DigiCert Trusted Root G4

ECC ICA and root certificates:

  • DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
  • DigiCert Global Root G3

No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.

If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).

References

If you have questions or concerns, please contact your account manager or our support team.

compliance

DigiCert 停止颁发 SHA-1 代码签名证书

星期二, 2020 年 12 月 1 日 MST,DigiCert 将停止颁发 SHA-1 代码签名证书和 SHA-1 EV 代码签名证书。

注意:所有现有的 SHA-1 代码签名/EV 代码签名证书在到期前将一直有效。

DigiCert 为什么进行这些更改?

为了遵循新的行业标准,证书颁发机构 (CA) 必须在 2021 年 1 月 1 日之前进行以下更改:

  • 停止颁发 SHA-1 代码签名证书
  • 停止使用 SHA-1 中间证书 CA 和 SHA-1 根证书颁发 SHA-256 算法代码签名和时间戳证书

请参阅关于颁发和管理公共信任的代码签名证书的基准要求附录 A

SHA-1 代码签名证书更改对我有什么影响?

如果您依赖于 SHA-1 代码签名证书,请在 2020 年 12 月 1 日之前根据需要执行以下操作:

  • 获取新的 SHA-1 证书
  • 续订 SHA-1 证书
  • 补发和获取必需的 SHA-1 证书

有关 2020 年 12 月 1 日更改的更多信息,请参阅 我们的知识库文章 DigiCert 停止颁发 SHA-1 代码签名证书

如果您有其他疑问,请联系客户经理或我们的 支持团队

compliance

Microsoft 将停止支持第三方内核模式驱动程序包数字签名

签署内核模式驱动程序包的流程将更改。从 2021 年开始,Microsoft 将成为生产内核模式代码签名的唯一提供商。以后,您需开始依照 Microsoft 更新的说明签署任何新的内核模式驱动程序包。请参阅 Windows 硬件合作伙伴中心

DigiCert 正如何应对?

作为该弃用流程的第一步,DigiCert 从代码签名证书表单中移除了 Microsoft 内核模式代码平台选项:新、补发和续订。

这意味着,您以后无法再为内核模式平台订购、补发或续订代码签名证书。

这对我现有的内核模式代码签名证书有什么影响?

您可以继续使用现有的证书签署内核模式驱动程序包,直至证书链中的交叉签名根到期。DigiCert 品牌的交叉签名根证书于 2021 年到期。

有关更多详情,请参阅我们的知识库文章,Microsoft 停止支持具有内核模式签名功能的交叉签名根证书

compliance

Firefox 不再支持密钥生成

随着 Firefox 69 的发行,Firefox 最终终止支持 Keygen。Firefox 使用 Keygen 帮助生成密钥材料,用于在浏览器中生成代码签名、客户端和 SMIME 证书时提交公钥。

注意:Chrome 已经终止支持密钥生成,而 Edge 和 Opera 从不支持密钥生成。

对您有什么影响?

DigiCert 颁发代码签名、客户端或 SMIME 证书后,我们向您发送一封电子邮件,其中包含用于创建和安装证书的链接。

发行 Firefox 69 后,您只能使用两种浏览器生成这些证书:Internet Explorer 和 Safari。如果公司政策要求使用 Firefox,您可以使用 Firefox ESR 或 Firefox 的可携带副本。

有关更多信息,请参阅 Firefox 69 将终止支持 Keygen

提示和技巧

  • 您仍然可以使用 Firefox 69 进行客户端身份验证。首先,在 IE 11 或 Safari 中生成 SMIME 证书。然后,将 SMIME 证书导入到 Safari。
  • 为了绕过在浏览器中生成代码签名、客户端或 SMIME 证书,请通过订单生成和提交 CSR。DigiCert 不会提供链接,而是在电子邮件中以附件的形式添加证书。
new

我们已将新状态已发送电子邮件给收件人,添加到代码签名和客户端证书订单的订单订单详情页面,使其更容易识别这些订单在证书颁发流程中所处的阶段。

该新状态表示 DigiCert 已经验证订单,且证书正在等待用户/电子邮件收件人在以下其中一种支持的浏览器中生成它:IE 11、Safari、Firefox 68 和便携式 Firefox

(在侧栏菜单中,单击证书 > 订单。然后,在“订单”页,单击代码签名证书或客户端证书订单的订单编号。)

enhancement

我们更新了扩展验证 (EV) 代码签名 (CS)文档签名 (DS) 证书补发流程,使您无需自动吊销当前证书(原始证书或之前补发的证书)就能补发这些证书。

注意:如果您不需要当前证书(原始证书或之前补发的证书),则需联系支持人员,请求他们为您吊销。

从现在起,当您下次补发 EV CS 或 DS 证书时,您可以让之前补发的证书在当前有效期内(或您需要的期间内)一直保持有效。

enhancement

DigiCert 将继续为代码签名证书支持 SHA1 签名。我们将在 2019 年 12 月 30 日移除最长有效期限制。