Change log | docs.digicert.com

五月 24, 2022

reissued certificates new certificates ICAs DV SSL certificates intermediate CA certificates compliance New GeoTrust RapidSSL

CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates

On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.

Old ICA certificates

GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
GeoTrust TLS DV RSA Mixed SHA256 2021 CA-1
RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
RapidSSL TLS DV RSA Mixed SHA256 2021 CA-1

New ICA certificates

GeoTrust Global TLS RSA4096 SHA256 2022 CA1
RapidSSL Global TLS RSA4096 SHA256 2022 CA1

See the DigiCert ICA Update KB article.

How does this affect me?

Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.

However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.

No action is required unless you do any of the following:

Pin the old versions of the intermediate CA certificates
Hard code the acceptance of the old versions of the intermediate CA certificates
Operate a trust store that includes the old versions of the intermediate CA certificates

Action required

If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.

See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.

What if I need more time?

If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.

八月 23, 2021

DV Certificates Revoke reissued certificates

We fixed a bug that changes the reissue workflow for DV certificates. After August 24, 2021, when you reissue a DV certificate and change or remove SANs, the original certificate and any previously reissued or duplicate certificates are revoked after a 72-hour delay.

五月 27, 2021

industry standards root certificates certificate signing request reissued certificates new certificates 3072-bit eToken ECC renewed certificates HSM code signing certificates RSA intermediate CA certificates ev code signing certificates industry changes

Industry moves to 3072-bit key minimum RSA code signing certificates

Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.

Stop issuing 2048-bit key code signing certificates
Only issue 3072-bit key or stronger code signing certificates
Use 4096-bit key intermediate CA and root certificates to issue our code signing certificates.

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,

How do these changes affect my existing 2048-bit key certificates?

All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

What if I need 2048-bit key code signing certificates?

Take these actions, as needed, before May 27, 2021:

Order new 2048-bit key certificates
Renew expiring 2048-bit key certificates
Reissue 2048-bit key certificates

How do these changes affect my code signing certificate process starting May 27, 2021?

Reissues for code signing certificate

Starting May 27, 2021, all reissued code signing certificates will be:

3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

New and renewed code signing certificates

Starting May 27, 2021, all new and renewed code signing certificates will be:

3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

CSRs for code signing certificates

Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.

eTokens for EV code signing certificates

Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.

When you order or renew an EV code signing certificate, DigiCert includes a 3072-bit eToken with your purchase. DigiCert provides an eToken with the Preconfigured Hardware Token provisioning option.
When your reissue your EV code signing certificate reissues, you must provide your own 3072-bit eToken. If you don't have one, you will be unable to install your reissued certificate on your eToken.
You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device.

HSMs for EV code signing certificates

Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.

New ICA and root certificates

Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).

RSA ICA and root certificates:

DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
DigiCert Trusted Root G4

ECC ICA and root certificates:

DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
DigiCert Global Root G3

No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.

If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).

References

To learn more about the Code Signing certificate changes, see Code signing changes in 2021.
To get a copy of the new intermediate CA and root certificates, see DigiCert Trusted Root Authority Certificates

If you have questions or concerns, please contact your account manager or our support team.

十二月 1, 2020

industry changes reissued certificates renewal code signing certificates intermediate CA certificates ev code signing certificates compliance SHA-1 SHA-2

DigiCert 停止颁发 SHA-1 代码签名证书

星期二， 2020 年 12 月 1 日 MST,DigiCert 将停止颁发 SHA-1 代码签名证书和 SHA-1 EV 代码签名证书。

注意：所有现有的 SHA-1 代码签名/EV 代码签名证书在到期前将一直有效。

DigiCert 为什么进行这些更改？

为了遵循新的行业标准，证书颁发机构 (CA) 必须在 2021 年 1 月 1 日之前进行以下更改：

停止颁发 SHA-1 代码签名证书
停止使用 SHA-1 中间证书 CA 和 SHA-1 根证书颁发 SHA-256 算法代码签名和时间戳证书

请参阅关于颁发和管理公共信任的代码签名证书的基准要求附录 A。

SHA-1 代码签名证书更改对我有什么影响？

如果您依赖于 SHA-1 代码签名证书，请在 2020 年 12 月 1 日之前根据需要执行以下操作：

获取新的 SHA-1 证书
续订 SHA-1 证书
补发和获取必需的 SHA-1 证书

有关 2020 年 12 月 1 日更改的更多信息，请参阅我们的知识库文章 DigiCert 停止颁发 SHA-1 代码签名证书。

如果您有其他疑问，请联系客户经理或我们的支持团队。

七月 15, 2019

api transaction summary reissued certificates days_remaining parameter certcentral-ui enhancement

我们改进了“补发订单证书”页面上的交易记录摘要，您可以看到证书即将到期的剩余天数。现在，当您补发证书时，交易记录摘要显示证书有效期以及即将到期的剩余天数，例如，1 年（在 43 天后到期）。

在 DigiCert 服务 API 中，我们更新了列出订单,订单信息,列出补发,和列出副本端点，您可以看到证书即将到期的剩余天数。对于这些端点，我们在其响应中返回 days_remaining 参数。

Example of the days_remaining response parameter.png

七月 1, 2019

reissue endpoint duplicate certificates duplicate endpoint api order forms enhancement SSL certificates order endpoints reissued certificates

我们改进了 Basic 和 Secure Site 单域证书组合（Standard SSL、EV SSL、Secure Site SSL 和 Secure Site EV SSL），将在证书中同时包括[your-domain].com 和 www.[your-domain].com 选项添加到这些证书的订购、补发和副本表单中。该选项可用于选择是否在这些单域证书中免费包括两个版本的公用名 (FQDN)。

要获取两个版本的公用名 (FQDN)，请选中在证书中同时包括[your-domain].com 和 www.[your-domain].com。
要仅获取公用名 (FQDN)，请取消选中在证书中同时包括[your-domain].com 和 www.[your-domain].com。

请参阅订购 SSL/TLS 证书。

子域同上

该新选项可用于同时获取基域和子域版本。现在，要获取两个版本的子域，请将该子域添加到公用名框 (sub.domain.com)，然后选中在证书中同时包括[your-domain].com 和 www.[your-domain].com。当 DigiCert 颁发您的证书时，它将在证书上包括两个版本的子域：[sub.domain].com 和 www.[sub.doman].com。

删除为子域使用 Plus 功能

在证书中同时包括[your-domain].com 和 www.[your-domain].com 选项将使 Plus 功能 - 为子域使用 Plus 功能失效。因此，我们从“分区首选项”页面上移除了该选项（在侧栏菜单中，单击设置 > 首选项）。

在 DigiCert 服务 API 中，我们更新了订购 OV/EV SSL,订购 SSL (type_hint),订购 Secure Site SSL,订购私有 SSL,补发证书,和副本证书端点，如下所列。这些更改使您在请求、补发和重复单域证书时拥有更大的控制权，可选择是否在这些单域证书上免费包括特定的附加 SAN。

/ssl_plus
/ssl_ev_plus
/ssl_securesite
/ssl_ev_securesite
/private_ssl_plus
/ssl*
/补发
/duplicate

*注意：对于订购 SSL (type_hint) 端点，仅使用下面描述的 dns_names[] 参数添加免费 SAN。

要获取域的两个版本（[your-domain].com 和 www.[your-domain].com)，在您的请求中使用 common_name 参数添加域 ([your-domain].com)，使用 dns_names[] 参数添加域的另一个版本 (www.[your-domain].com)。

当 DigiCert 颁发您的证书时，它将保护域的两个版本。

要仅获取公用名 (FQDN)，忽略请求中的 dns_names[] 参数即可。