Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificate
Starting May 27, 2021, all reissued code signing certificates will be:
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).
RSA ICA and root certificates:
ECC ICA and root certificates:
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).
If you have questions or concerns, please contact your account manager or our support team.
DigiCert 停止發行 SHA-1 代碼簽署憑證
2020 年 12 月 1 日星期二，MST,DigiCert 將停止發行 SHA-1 代碼簽署和 SHA-1 EV 代碼簽署憑證。
註：所有現有的 SHA-1 代碼簽署/EV 代碼簽署憑證將保持有效，直到到期為止。
為什麼 DigiCert 做這些變更？
為了符合新的業界標準，憑證授權機關 (CAs) 必須在 2021 年 1 月 1 日前做出以下的變更：
如果您依賴 SHA-1 代碼簽署憑證，請在 2020 年 12 月 1 日前視需要採取以下的行動：
如需更多有關 2020 年 12 月 1 日變更的資訊，請參閱 我們的知識庫文章 DigiCert 停止發行 SHA-1 代碼簽署憑證。