OV code signing certificate requirements are changing
Starting on November 15, 2022, at 00:00 UTC, industry standards will require private keys for OV code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with EV (Extended Validation) code signing certificate private key protection. See Code Signing Baseline Requirements, current version.
How do these new requirements affect my code signing certificate process?
The new private key storage requirement affects code signing certificates issued from November 15, 2022, and impacts the following parts of your code signing process:
Want to eliminate the need for individual tokens?
Transition to DigiCert® Secure Software Manager to improve your software security with code-signing workflow automation that reduces points of vulnerability with end-to-end company-wide security and control in the code signing process—all without slowing down your process.
Key capabilities:
To learn more about how DigiCert Secure Software Manager has helped other organizations, see our case study Automated Signing Speeds Build Times While Improving the User Experience.
Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes.
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificates
Starting May 27, 2021, all reissued code signing certificates will be:
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates (new, renewed, and reissued) from our new RSA and ECC intermediate CA and root certificates.
RSA ICA and root certificates:
ECC ICA and root certificates:
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).
References
If you have questions or concerns, please contact your account manager or our support team.
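DigiCert to stop issuing SHA-1 code signing certificates
On Tuesday, December 1, 2020 MST, DigiCert will stop issuing SHA-1 code signing certificates and SHA-1 EV code signing certificates.
Note: All existing SHA-1 code signing/EV code signing certificates will remain active until they expire.
Why is DigiCert making these changes?
To comply with the new industry standards, certificate authorities (CAs) must make the following changes by January 1, 2021:
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.
How do the SHA-1 code signing certificate changes affect me?
If you rely on SHA-1 code signing certificates, take these actions, as needed, before December 1, 2020:
For more information about the December 1, 2020 changes, see our knowledge base article DigiCert to Stop Issuing SHA-1 Code Signing Certificates.
If you have additional questions, please contact your account manager or our support team.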
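DigiCert will stop issuing 2-year public SSL/TLS certificates
On August 27, 2020, at 5:59 pm MDT (23:59 UTC), DigiCert will stop issuing 2-year public SSL/TLS certificates to prepare for the industry changes to the maximum allowed validity for public SSL/TLS certificates.
After the August 27 deadline, you can only purchase 1-year public SSL/TLS certificates.
What do I need to do?
To ensure you get the 2-year public SSL/TLS certificates you need before the August 27 deadline, take the following actions:
To learn how this change affects pending certificate orders, reissues, and duplicates, see End of 2-Year DV, OV, and EV Public SSL/TLS Certificates.
DigiCert Services API
If you use the DigiCert Services API, you need to update your API workflows so that requests submitted after the August 27 deadline account for the new maximum certificate validity of 397 days. See Services API.
After August 27, 2020
After August 27, you can only purchase 1-year public SSL/TLS certificates. However, to maximize your SSL/TLS coverage, purchase your new certificates with a DigiCert® Multi-year Plan. See Multi-year Plans.
Why is DigiCert making this change?
On September 1, 2020, industry standards deprecated 2-year certificates. Going forward, certificate authorities (CAs) can only issue public DV, OV, and EV SSL/TLS certificates with a maximum validity of 398 days (approximately 13 months).
DigiCert will implement a 397-day maximum validity for all public SSL/TLS certificates to account for time zone differences and to avoid issuing a public SSL/TLS certificate that exceeds the new 398-day maximum validity requirement.
Visit our blog to learn more about the transition to 1-year public SSL/TLS certificates: 1-Year Public-Trust SSL Certificates: DigiCert Is Here to Help.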