compliance

Industry moves to 3072-bit key minimum RSA code signing certificates

Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.

  • Stop issuing 2048-bit key code signing certificates
  • Only issue 3072-bit key or stronger code signing certificates
  • Use 4096-bit key intermediate CA and root certificates to issue our code signing certificates.

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes.

How do these changes affect my existing 2048-bit key certificates?

All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

What if I need 2048-bit key code signing certificates?

Take these actions, as needed, before May 27, 2021:

  • Order new 2048-bit key certificates
  • Renew expiring 2048-bit key certificates
  • Reissue 2048-bit key certificates

How do these changes affect my code signing certificate process starting May 27, 2021?

Reissues for code signing certificate

Starting May 27, 2021, all reissued code signing certificates will be:

  • 3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
  • Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

New and renewed code signing certificates

Starting May 27, 2021, all new and renewed code signing certificates will be:

  • 3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
  • Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

CSRs for code signing certificates

Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
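
A pre-submission check for this requirement, as an added example that is not DigiCert tooling: it reads a CSR with openssl and rejects RSA keys smaller than 3072 bits. The function names and exit codes are assumptions of this example, as is treating non-RSA (ECC) keys as outside the RSA minimum.

```bash
#!/usr/bin/env bash
# Added example (not DigiCert tooling): gate CSRs on key size before submitting.
MIN_RSA_BITS=3072   # CSR minimum stated on this page, effective May 27, 2021

# Echo "<algorithm> <bits>" for a PEM CSR; return 1 if it cannot be parsed.
csr_key_info() {
  local text alg bits
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
  alg=$(printf '%s\n' "$text" |
    sed -n 's/.*Public Key Algorithm: *//p' | head -n1)
  bits=$(printf '%s\n' "$text" |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n1)
  [ -n "$alg" ] && [ -n "$bits" ] || return 1
  echo "$alg $bits"
}

# Return 0 if the CSR may be submitted, 1 if its RSA key is too small,
# 2 if the file is not a readable CSR.
check_code_signing_csr() {
  local info alg bits
  info=$(csr_key_info "$1") || { echo "UNREADABLE $1" >&2; return 2; }
  alg=${info% *}
  bits=${info##* }
  # Assumption of this example: only RSA keys are held to the 3072-bit minimum.
  if [ "$alg" = "rsaEncryption" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
    echo "REJECT $1: RSA ${bits}-bit key is below ${MIN_RSA_BITS} bits" >&2
    return 1
  fi
  echo "OK $1: $alg ${bits}-bit"
}

# When run with file arguments, check each CSR and fail if any is rejected.
if [ "$#" -gt 0 ]; then
  status=0
  for f in "$@"; do
    check_code_signing_csr "$f" || status=1
  done
  exit "$status"
fi
```

Run it in the build or request pipeline against every CSR file before the request is placed, so a leftover 2048-bit key-generation default is caught locally rather than at submission.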

eTokens for EV code signing certificates

Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.

  • When you order or renew an EV code signing certificate, DigiCert includes a 3072-bit eToken with your purchase. DigiCert provides an eToken with the Preconfigured Hardware Token provisioning option.
  • When you reissue your EV code signing certificate, you must provide your own 3072-bit eToken. If you don't have one, you will be unable to install your reissued certificate on your eToken.
  • You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device.

HSMs for EV code signing certificates

Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.

New ICA and root certificates

Starting May 27, 2021, DigiCert will issue all code signing certificates (new, renewed, and reissued) from our new RSA and ECC intermediate CA and root certificates.

RSA ICA and root certificates:

  • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  • DigiCert Trusted Root G4

ECC ICA and root certificates:

  • DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
  • DigiCert Global Root G3

No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.

If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).

References

If you have questions or concerns, please contact your account manager or our support team.

compliance

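DigiCert to stop issuing SHA-1 code signing certificates

On Tuesday, December 1, 2020 MST, DigiCert will stop issuing SHA-1 code signing and SHA-1 EV code signing certificates.

Note: All existing SHA-1 code signing/EV code signing certificates will remain active until they expire.

Why is DigiCert making these changes?

To comply with the new industry standards, certificate authorities (CAs) must make the following changes by January 1, 2021:

  • Stop issuing SHA-1 code signing certificates
  • Stop using SHA-1 intermediate CA and SHA-1 root certificates to issue SHA-256 algorithm code signing and timestamping certificates

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.

How do the SHA-1 code signing certificate changes affect me?

If you rely on SHA-1 code signing certificates, take these actions, as needed, before December 1, 2020:

  • Get your new SHA-1 certificates
  • Renew your SHA-1 certificates
  • Reissue and get the SHA-1 certificates you need

For more information about the December 1, 2020 changes, see our knowledge base article DigiCert to Stop Issuing SHA-1 Code Signing Certificates.

If you have additional questions, please contact your account manager or our support team.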

compliance

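DigiCert will no longer offer 2-year public SSL/TLS certificates

On August 27, 2020, at 5:59 PM MDT (23:59 UTC), DigiCert will stop issuing 2-year public SSL/TLS certificates to prepare for the industry change to the maximum allowed validity for public SSL/TLS certificates.

After the August 27 deadline, you can only purchase 1-year public SSL/TLS certificates.

What do I need to do?

To ensure you get the 2-year public SSL/TLS certificates you need before the August 27 deadline:

  • Take inventory of the 2-year certificates you need, both new and renewals.
  • Order any 2-year certificates you need before August 13.
  • Respond promptly to any domain and organization validation requests.

To learn how this change affects pending certificate orders, reissues, and duplicates, see End of 2-Year DV, OV, and EV Public SSL/TLS Certificates.

DigiCert Services API

If you use the DigiCert Services API, you need to update your API workflows to reflect the new maximum certificate validity of 397 days for requests placed after the August 27 deadline. See Services API.

After August 27, 2020

After August 27, you can only purchase 1-year public SSL/TLS certificates. However, to maximize your SSL/TLS coverage, purchase your new certificates with a new DigiCert® Multi-year Plan. See Multi-year Plans.

Why is DigiCert making this change?

On September 1, 2020, the industry says goodbye to 2-year certificates. Going forward, certificate authorities (CAs) may only issue public DV, OV, and EV SSL/TLS certificates with a maximum validity of 398 days (approximately 13 months).

DigiCert will implement a 397-day maximum validity for all public SSL/TLS certificates as a safeguard, to account for time zone differences and to avoid issuing a public SSL/TLS certificate that exceeds the new 398-day maximum validity requirement.

To learn more about the transition to 1-year public SSL/TLS certificates, check out our blog: One-Year Public-Trust SSL Certificates: DigiCert's Here to Help.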