筛选方式: industry changes x 清除

六月 1, 2023

code signing HSM OV code signing FIPS 140 Level 2 CA/B Forum private key storage hardware token Common Criteria EAL 4+ Hardware Security Module standard code signing industry changes
compliance

New private key storage requirement for OV code signing certificates

Update: To provide you with more time to prepare for the new OV code signing certificate private key storage requirement, the industry has postponed the rollout until June 1, 2023. See Voting results Ballot CSCWG-17: Subscriber Private Key Extension.

Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for OV code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with EV (Extended Validation) code signing certificate private key protection. See Code Signing Baseline Requirements, current version.

How do these new requirements affect my code signing certificate process?

The new private storage key requirement affects code signing certificates issued from June 1, 2023, and impacts the following parts of your code signing process:

  • Private key storage and certificate installation
     Certificate Authorities (CAs) can no longer support browser-based key generation and certificate installation or any other process that includes creating a CSR (Certificate Signing Request) and installing your certificate on a laptop or server. Private keys and certificates must be stored and installed on tokens or HSMs (hardware security modules) certified as at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
  • Signing code
     To use a token-based code signing certificate, you need access to the token or HSM and the credentials to use the certificate stored on it.
  • Ordering and renewing certificates
    When ordering and renewing an OV code signing certificate, you must specify the hardware on which you will store the private key:
    • DigiCert-provided hardware token
    • Existing supported hardware token
    • Hardware security module (HSM)
  • Reissuing certificates
    When reissuing code signing certificates, you must install the certificate on a supported hardware token or HSM. If you do not have a token, you can purchase a token from DigiCert at that time.

Want to eliminate the need for hardware tokens?

Transition to DigiCert® Secure Software Manager to improve your software security with code-signing workflow automation that reduces points of vulnerability with end-to-end company-wide security and control in the code signing process—all without slowing down your process.

Key capabilities:

  • HSM key storage—industry compliant
  • Policy enforcement
  • Centralized management
  • Integration with CI/CD pipelines
  • And more

To learn more about how DigiCert Secure Software Manager has helped other organizations, see our case study Automated Signing Speeds Build Times While Improving the User Experience.

五月 27, 2021

industry standards root certificates certificate signing request reissued certificates new certificates 3072-bit eToken ECC renewed certificates HSM code signing certificates RSA intermediate CA certificates ev code signing certificates industry changes
compliance

Industry moves to 3072-bit key minimum RSA code signing certificates

Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.

  • Stop issuing 2048-bit key code signing certificates
  • Only issue 3072-bit key or stronger code signing certificates
  • Use 4096-bit key intermediate CA and root certificates to issue our code signing certificates.

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,

How do these changes affect my existing 2048-bit key certificates?

All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

What if I need 2048-bit key code signing certificates?

Take these actions, as needed, before May 27, 2021:

  • Order new 2048-bit key certificates
  • Renew expiring 2048-bit key certificates
  • Reissue 2048-bit key certificates

How do these changes affect my code signing certificate process starting May 27, 2021?

Reissues for code signing certificate

Starting May 27, 2021, all reissued code signing certificates will be:

  • 3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
  • Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

New and renewed code signing certificates

Starting May 27, 2021, all new and renewed code signing certificates will be:

  • 3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
  • Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

CSRs for code signing certificates

Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.

eTokens for EV code signing certificates

Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.

  • When you order or renew an EV code signing certificate, DigiCert includes a 3072-bit eToken with your purchase. DigiCert provides an eToken with the Preconfigured Hardware Token provisioning option.
  • When your reissue your EV code signing certificate reissues, you must provide your own 3072-bit eToken. If you don't have one, you will be unable to install your reissued certificate on your eToken.
  • You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device.

HSMs for EV code signing certificates

Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.

New ICA and root certificates

Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).

RSA ICA and root certificates:

  • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  • DigiCert Trusted Root G4

ECC ICA and root certificates:

  • DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
  • DigiCert Global Root G3

No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.

If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).

References

If you have questions or concerns, please contact your account manager or our support team.

十二月 1, 2020

industry changes reissued certificates renewal code signing certificates intermediate CA certificates ev code signing certificates compliance SHA-1 SHA-2
compliance

DigiCert 停止颁发 SHA-1 代码签名证书

星期二, 2020 年 12 月 1 日 MST,DigiCert 将停止颁发 SHA-1 代码签名证书和 SHA-1 EV 代码签名证书。

注意:所有现有的 SHA-1 代码签名/EV 代码签名证书在到期前将一直有效。

DigiCert 为什么进行这些更改?

为了遵循新的行业标准,证书颁发机构 (CA) 必须在 2021 年 1 月 1 日之前进行以下更改:

  • 停止颁发 SHA-1 代码签名证书
  • 停止使用 SHA-1 中间证书 CA 和 SHA-1 根证书颁发 SHA-256 算法代码签名和时间戳证书

请参阅关于颁发和管理公共信任的代码签名证书的基准要求附录 A

SHA-1 代码签名证书更改对我有什么影响?

如果您依赖于 SHA-1 代码签名证书,请在 2020 年 12 月 1 日之前根据需要执行以下操作:

  • 获取新的 SHA-1 证书
  • 续订 SHA-1 证书
  • 补发和获取必需的 SHA-1 证书

有关 2020 年 12 月 1 日更改的更多信息,请参阅 我们的知识库文章 DigiCert 停止颁发 SHA-1 代码签名证书

如果您有其他疑问,请联系客户经理或我们的 支持团队

八月 27, 2020

product public ssl certificates compliance industry changes
compliance

DigiCert 将停止颁发 2 年期公共 SSL/TLS 证书

2020 年 8 月 27 日下午 5:59 MDT (23:59 UTC),DigiCert 将停止颁发 2 年期公共 SSL/TLS 证书,以准备实行行业针对公共 SSL/TLS 证书允许的最长有效期实施的更改。

8 月 27 日截止后,您只能购买 1 年期公共 SSL/TLS 证书。

我需要做些什么?

为了确保您在 8 月 27 日截止前获得您需要的 2 年期公共 SSL/TLS 证书,请执行以下操作:

  • 清点您需要的 2 年期证书,包括新证书和续订证书。
  • 在 8 月 13 日之前订购您需要的所有 2 年期证书。
  • 及时回应任何域和组织验证请求。

如需了解此更改对待处理的证书订单、补发证书和副本证书有什么影响,请参阅终止 2 年期 DV、OV 和 EV 公共 SSL/TLS 证书

DigiCert 服务 API

如果使用 DigiCert 服务 API,您需更新 API 工作流,以便在您于 8 月 27 日截止后提交的请求中纳入证书有效期最长不超过 397 天的最新要求。请参阅服务 API

2020 年 8 月 27 日之后

8 月 27 日后,您只能购买 1 年期公共 SSL/TLS 证书。但是,为了最大程度地延长 SSL/TLS 保障期限,请通过 DigiCert® 多年计划购买新证书。请参阅多年计划

DigiCert 为什么进行此更改?

2020 年 9 月 1 日,行业标准弃用了 2 年期证书。证书颁发机构 (CA) 以后只能颁发最长有效期不超过 398 天(大约 13 个月)的公共 DV、OV 和 EV SSL/TLS 证书。

DigiCert 将对所有公共 SSL/TLS 证书实施最长有效期不超过 397 天的规定,以确保考虑时差,避免颁发的公共 SSL/TLS 证书超过最长有效期为 398 天的最新要求。

请浏览我们的博客,以了解关于过渡到 1 年期公共 SSL/TLS 证书的更多信息:1 年期公共信托 SSL 证书:DigiCert 帮助

简介

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.