CertCentral: DigiCert KeyGen, our new key generation service
DigiCert is happy to announce our new key generation service—KeyGen. Use KeyGen to generate and install your client and code signing certificates from your browser. KeyGen can be used on macOS and Windows and is supported by all major browsers.
With KeyGen, you don't need to generate a CSR to order your client and code signing certificates. Place your order without a CSR. Then after we process the order and your certificate is ready, DigiCert sends a "Generate your Certificate" email with instructions on using KeyGen to get your certificate.
How does KeyGen work?
KeyGen generates a keypair and then uses the public key to create a certificate signing request (CSR). KeyGen sends the CSR to DigiCert, and DigiCert sends the certificate back to KeyGen. Then KeyGen downloads a PKCS12 (.p12) file to your desktop that contains the certificate and the private key. The password you create during the certificate generation process protects the PKCS12 file. When you use the password to open the certificate file, the certificate gets installed in your personal certificate store.
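The four steps above, reproduced locally with openssl as an added example (this is not KeyGen's code: KeyGen runs in the browser and DigiCert, not you, signs the CSR). File names, the subject and the password are constructed for the example, and the "issued" certificate is a self-signed stand-in because only DigiCert can sign with its ICA key. The point is to see what the .p12 contains and that it opens only with the password chosen at generation time.

```shell
#!/bin/sh
# Added example, not DigiCert KeyGen code: the same four steps with openssl.
# Names, subject and password are constructed; the "issued" certificate is a
# self-signed stand-in because only DigiCert can sign with its ICA key.
set -eu

WORK=$(mktemp -d)

# Step 1: generate the keypair (3072-bit RSA, the current code signing minimum).
generate_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$WORK/user.key" 2>/dev/null
}

# Step 2: build a CSR from the public half; this is what KeyGen sends to DigiCert.
build_csr() {
  openssl req -new -sha256 -key "$WORK/user.key" \
    -subj "/CN=Alice Example/O=Example Corp" -out "$WORK/user.csr" 2>/dev/null
}

# Step 3 (stand-in for DigiCert): turn the CSR into a certificate. A real order
# is signed by DigiCert's ICA; here the CSR is self-signed so the script runs offline.
receive_certificate() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/user.csr" -signkey "$WORK/user.key" -days 30 -sha256 \
    -extfile "$WORK/leaf.ext" -out "$WORK/user.pem" 2>/dev/null
}

# Step 4: bundle certificate and private key into a PKCS12 protected by the
# password in $1 (KeyGen prompts for this password in the browser).
write_p12() {
  openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.pem" \
    -name "code-signing" -passout "pass:$1" -out "$WORK/user.p12" 2>/dev/null
}

keygen_flow() {
  generate_keypair && build_csr && receive_certificate && write_p12 "$1"
}

# Returns 0 when the .p12 opens with password $1 and the certificate inside it
# is the one "issued" in step 3; returns 1 for a wrong password.
p12_opens_with() {
  openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$1" -nokeys -clcerts \
    -out "$WORK/from_p12.pem" 2>/dev/null || return 1
  issued=$(openssl x509 -in "$WORK/user.pem" -noout -fingerprint -sha256)
  bundled=$(openssl x509 -in "$WORK/from_p12.pem" -noout -fingerprint -sha256)
  [ "$issued" = "$bundled" ]
}

# Returns 0 when the .p12 also carries the private key (what makes it installable).
p12_has_private_key() {
  openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$1" -nocerts -nodes 2>/dev/null \
    | grep -q 'BEGIN PRIVATE KEY'
}

keygen_flow 'correct horse battery staple'
p12_opens_with 'correct horse battery staple' && echo "opened with the right password"
p12_opens_with 'not the password' || echo "wrong password: PKCS12 stays sealed"
```

The password protects the whole bundle: with the wrong one, openssl fails the PKCS12 MAC check before any key material is decrypted, which is the behaviour your certificate store relies on when it prompts for the password at import.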
To learn more about generating client and code signing certificates from your browser, see the following instructions:
Verified Mark Certificates (VMC): Three new approved trademark offices
We are happy to announce that DigiCert now recognizes three more intellectual property offices for verifying the logo for your VMC certificate. These new offices are in Korea, Brazil, and India.
New approved trademark offices:
Other approved trademark offices:
What is a Verified Mark Certificate?
Verified Mark Certificates (VMCs) are a new type of certificate that allows companies to place a certified brand logo next to the “sender” field in customer inboxes.
Bugfix: Code Signing (CS) certificate generation email sent only to CS verified contact
We fixed a bug in the Code Signing (CS) certificate issuance process where we were sending the certificate generation email to only the CS verified contact. This bug only happened when the requestor did not include a CSR with the code signing certificate request.
Now, for orders submitted without a CSR, we send the code signing certificate generation email to:
Note: DigiCert recommends submitting a CSR with your Code Signing certificate request. Currently, Internet Explorer is the only browser that supports keypair generation. See our knowledgebase article: Keygen support dropped with Firefox 69.
Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes.
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificate
Starting May 27, 2021, all reissued code signing certificates will be:
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
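An added example (not DigiCert's tooling) of generating a CSR that meets the new minimum, and of checking a CSR's RSA modulus size before submitting it so the order is not rejected. The subject, file names and the 2048-bit "legacy" CSR are constructed for the example.

```shell
#!/bin/sh
# Added example, not DigiCert's own tooling: generate a CSR that satisfies the
# 3072-bit minimum and check any CSR's RSA key size before submitting it.
# File names, subject and the 2048-bit "legacy" CSR are constructed here.
set -eu
WORK=$(mktemp -d)

# Generate an RSA key of $2 bits and a CSR (stem $1) signed with it.
make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$1.key" \
    -subj "/CN=Example Corp/O=Example Corp/C=US" -out "$WORK/$1.csr" 2>/dev/null
}

# Print the public key algorithm named in CSR $1 (e.g. rsaEncryption).
csr_key_algorithm() {
  openssl req -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Print the modulus size in bits of the public key in CSR $1. The
# "Public-Key: (N bit)" token is printed by both OpenSSL 1.1.1 and 3.x.
csr_key_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Returns 0 when CSR $1 meets the May 27, 2021 minimum for RSA keys
# (>= 3072 bits), 1 otherwise. Only RSA is checked; an ECC CSR is reported
# as out of scope for this rule rather than measured against it.
csr_meets_minimum() {
  alg=$(csr_key_algorithm "$1")
  if [ "$alg" != "rsaEncryption" ]; then
    echo "$1: not an RSA key ($alg); the 3072-bit rule is not checked here"
    return 1
  fi
  bits=$(csr_key_bits "$1")
  if [ "$bits" -ge 3072 ]; then
    echo "$1: $bits-bit RSA key, accepted"
  else
    echo "$1: $bits-bit RSA key, rejected (minimum is 3072)"
    return 1
  fi
}

# Verify the CSR's own signature so a corrupted or tampered file is caught early.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

make_csr legacy 2048   # what many existing pipelines still produce
make_csr current 3072  # what DigiCert requires from May 27, 2021
csr_meets_minimum "$WORK/legacy.csr" || true
csr_meets_minimum "$WORK/current.csr"
```

Run the check in the same pipeline that produces the CSR: a key-size failure at submission time costs a round trip with the CA, while the check above costs one openssl call.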
eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).
RSA ICA and root certificates:
ECC ICA and root certificates:
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible. Either stop pinning and hard coding ICAs, or make the changes needed so that certificates issued from the new ICA certificates are trusted (in other words, so that they chain up to their issuing ICA and a trusted root certificate).
References
If you have questions or concerns, please contact your account manager or our support team.
DigiCert stops issuing SHA-1 code signing certificates
On Tuesday, December 1, 2020 MST, DigiCert will stop issuing SHA-1 code signing certificates and SHA-1 EV code signing certificates.
Note: All existing SHA-1 code signing and EV code signing certificates remain valid until they expire.
Why is DigiCert making these changes?
To comply with new industry standards, certificate authorities (CAs) must make the following changes by January 1, 2021:
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.
How do the SHA-1 code signing certificate changes affect me?
If you rely on SHA-1 code signing certificates, take the following actions, as needed, before December 1, 2020:
For more information about the December 1, 2020 change, see our knowledgebase article DigiCert stops issuing SHA-1 code signing certificates.
If you have further questions, contact your account manager or our support team.
Microsoft ends support for third-party digital signatures on kernel-mode driver packages
The process for signing kernel-mode driver packages is changing. Starting in 2021, Microsoft will be the sole provider of production kernel-mode code signatures. Going forward, you must sign any new kernel-mode driver packages by following Microsoft's updated instructions. See the Windows Hardware Partner Center.
How is DigiCert responding?
As the first step in this deprecation, DigiCert has removed the Microsoft Kernel-Mode Code platform option from the code signing certificate forms: new, reissue, and renew.
This means you can no longer order, reissue, or renew code signing certificates for the kernel-mode platform.
How does this affect my existing kernel-mode code signing certificates?
You can continue to use your existing certificates to sign kernel-mode driver packages until the cross-signed root in the certificate chain expires. The DigiCert-branded cross-signed root certificate expires in 2021.
For more details, see our knowledgebase article, Microsoft ends support for cross-signed root certificates with kernel-mode signing capabilities.
CertCentral: Domain validation scope settings now apply only to TLS orders
On the Division Preferences page, under Domain Control Validation (DCV), we updated the domain validation scope settings: Submit exact domain for validation and Submit base domain for validation. With these updated settings, you can define the default domain validation behavior when you submit new domains through the TLS certificate ordering process: EV, OV, and DV. These settings no longer apply to the domain prevalidation process.*
*How do these changes affect the domain prevalidation process?
When submitting a domain for prevalidation, you can validate the domain at any level (the base domain or any subdomain below it: example.com, sub1.example.com, sub2.sub1.example.com, and so on). See Domain prevalidation.
"Resend create certificate email" option for browser-generated code signing certificate orders
We added a Resend create certificate email option to the code signing certificate process for orders where the certificate is generated in a supported browser: IE 11, Safari, Firefox 68, and portable Firefox.
Now, when a code signing certificate order has the status Emailed to recipient, you can resend the certificate generation email.
For more information, see Resend the "Create your DigiCert Code Signing Certificate" email.
Firefox ends support for Keygen
With the release of Firefox 69, Firefox has ended support for Keygen. Firefox used Keygen to generate key material and submit the public key when generating code signing, client, and S/MIME certificates in the browser.
Note: Chrome has already ended support for Keygen, and Edge and Opera never supported it.
How does this affect you?
After DigiCert issues your code signing, client, or S/MIME certificate, we send you an email with a link for creating and installing the certificate.
After the release of Firefox 69, only two browsers can generate these certificates: Internet Explorer and Safari. If company policy requires you to use Firefox, you can use Firefox ESR or a portable copy of Firefox.
For more information, see Firefox 69 ends support for Keygen.
Tips and tricks
We added a new status, Emailed to recipient, to the Orders and Order details pages for code signing and client certificate orders, making it easier to see where these orders are in the certificate issuance process.
This new status means DigiCert has validated the order and the certificate is waiting for the user or email recipient to generate it in one of the supported browsers: IE 11, Safari, Firefox 68, and portable Firefox.
(In the sidebar menu, click Certificates > Orders. Then, on the Orders page, click the order number of a code signing or client certificate order.)
We updated the Extended Validation (EV) Code Signing (CS) and Document Signing (DS) certificate reissue process so that you can reissue these certificates without automatically revoking the current certificate (the original or a previously reissued certificate).
Note: If you no longer need the current certificate (the original or a previously reissued certificate), contact Support and ask them to revoke it for you.
From now on, when you next reissue an EV CS or DS certificate, you can keep the previously reissued certificate valid for the rest of its current validity period (or for as long as you need it).
DigiCert will continue to support SHA-1 signing for code signing certificates. We will remove the maximum validity period restriction on December 30, 2019.