compliance

Industry moves to 3072-bit key minimum RSA code signing certificates

Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.

  • Stop issuing 2048-bit key code signing certificates
  • Only issue 3072-bit key or stronger code signing certificates
  • Use 4096-bit key intermediate CA and root certificates to issue our code signing certificates.

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes.

How do these changes affect my existing 2048-bit key certificates?

All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

What if I need 2048-bit key code signing certificates?

Take these actions, as needed, before May 27, 2021:

  • Order new 2048-bit key certificates
  • Renew expiring 2048-bit key certificates
  • Reissue 2048-bit key certificates

How do these changes affect my code signing certificate process starting May 27, 2021?

Reissues for code signing certificate

Starting May 27, 2021, all reissued code signing certificates will be:

  • 3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
  • Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

New and renewed code signing certificates

Starting May 27, 2021, all new and renewed code signing certificates will be:

  • 3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
  • Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

CSRs for code signing certificates

Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.

eTokens for EV code signing certificates

Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.

  • When you order or renew an EV code signing certificate, DigiCert includes a 3072-bit eToken with your purchase. DigiCert provides an eToken with the Preconfigured Hardware Token provisioning option.
  • When you reissue your EV code signing certificate, you must provide your own 3072-bit eToken. If you don't have one, you will be unable to install your reissued certificate on your eToken.
  • You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device.

HSMs for EV code signing certificates

Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.

New ICA and root certificates

Starting May 27, 2021, DigiCert will issue all code signing certificates (new, renewed, and reissued) from our new RSA and ECC intermediate CA and root certificates.

RSA ICA and root certificates:

  • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  • DigiCert Trusted Root G4

ECC ICA and root certificates:

  • DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
  • DigiCert Global Root G3

No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.

If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).

References

If you have questions or concerns, please contact your account manager or our support team.

enhancement

CertCentral Services API: Auto-reissue support for Multi-year Plans

We are happy to announce that the CertCentral Services API now supports automatic certificate reissue requests (auto-reissue) for Multi-year Plans. The auto-reissue feature makes it easier to maintain SSL/TLS coverage on your Multi-year Plans.

You can enable auto-reissue for individual orders in your CertCentral account. When auto-reissue is enabled, we automatically create and submit a certificate reissue request 30 days before the most recently issued certificate on the order expires.

Enable auto-reissue for a new order

To give you control over the auto-reissue setting for new Multi-year Plans, we added a new request parameter to the endpoints for ordering DV, OV, and EV TLS/SSL certificates: auto_reissue.

By default, auto-reissue is disabled for all orders. To enable auto-reissue when you request a new Multi-year Plan, set the value of the auto_reissue parameter to 1 in the body of your request.

Example request body:

Example order request body with auto reissue enabled

Note: In new order requests, we ignore the auto_reissue parameter if:

  • The product does not support Multi-year Plans.
  • Multi-year Plans are disabled for the account.

Update auto-reissue setting for existing orders

To give you control over the auto-reissue setting for existing Multi-year Plans, we added a new endpoint: Update auto-reissue settings. Use this endpoint to enable or disable the auto-reissue setting for an order.

Get auto-reissue setting for an existing order

To help you track the auto-reissue setting for existing certificate orders, we added a new response parameter to the Order info endpoint: auto_reissue. The auto_reissue parameter returns the current auto-reissue setting for the order.

new

ICA certificate chain selection for public DV flex certificates

We are happy to announce that select public DV certificates now support Intermediate CA certificate chain selection:

  • GeoTrust DV SSL
  • Thawte SSL 123 DV
  • RapidSSL Standard DV
  • RapidSSL Wildcard DV
  • Encryption Everywhere DV

You can add a feature to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues the end-entity certificate when you order these public DV products.

This feature allows you to:

  • Set the default ICA certificate chain for each supported public DV certificate.
  • Control which ICA certificate chains certificate requestors can use to issue their DV certificate.

Configure ICA certificate chain selection

To enable ICA selection for your account:

  1. Contact your account manager or our Support team.
  2. Then, in your CertCentral account, in the left main menu, go to Settings > Product Settings.
  3. On the Product Settings page, configure the default and allowed intermediates for each supported and available DV certificate.

For more information and step-by-step instructions, see Configure the ICA certificate chain feature for your public TLS certificates.

new

DigiCert Services API: DV certificate support for ICA certificate chain selection

In the DigiCert Services API, we made the following updates to support ICA selection in your DV certificate order requests:

Pass in the issuing ICA certificate's ID as the value for the ca_cert_id parameter in your order request's body.

Example DV certificate request:

Example DV TLS certificate request

For more information about using ICA selection in your API integrations, see DV certificate lifecycle – Optional ICA selection.

compliance

DigiCert stops issuing SHA-1 code signing certificates

On Tuesday, December 1, 2020, MST, DigiCert will stop issuing SHA-1 code signing and SHA-1 EV code signing certificates.

Note: All existing SHA-1 code signing/EV code signing certificates remain valid until they expire.

Why is DigiCert making these changes?

To comply with new industry standards, certificate authorities (CAs) must make the following changes before January 1, 2021:

  • Stop issuing SHA-1 code signing certificates
  • Stop using SHA-1 intermediate CA and SHA-1 root certificates to issue SHA-256 code signing and timestamping certificates

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.

How do the SHA-1 code signing certificate changes affect me?

If you rely on SHA-1 code signing certificates, take the following actions, as needed, before December 1, 2020:

  • Get your new SHA-1 certificates
  • Renew your SHA-1 certificates
  • Reissue and obtain the SHA-1 certificates you need

For more information about the December 1, 2020 change, see our knowledge base article DigiCert stops issuing SHA-1 code signing certificates.

If you have any other questions, contact your account manager or our support team.

new

DigiCert replaces multiple intermediate CA certificates

On November 2, 2020, DigiCert will replace multiple intermediate CA certificates (ICAs). For a list of the ICA certificates being replaced, see our DigiCert ICA update knowledge base article.

How does this affect me?

Rolling out new ICAs does not affect existing certificates. We will not remove the old ICAs from the certificate store until all certificates issued from them have expired. This means active certificates issued from the replaced ICAs remain trusted.

However, it does affect existing certificates if you reissue them, because they will then be issued from the new ICA. We recommend always including the provided ICA with every certificate you install. This has always been the recommended best practice to ensure ICA replacements go unnoticed.

No action is required, except in any of the following cases:

  • You pin the older versions of the intermediate CA certificates
  • You hard code acceptance of the older versions of the intermediate CA certificates
  • You operate a trust store that includes the older versions of the intermediate CA certificates

If you do any of these, we recommend updating your environment as soon as possible. Stop pinning or hard coding ICAs, or make the necessary changes to ensure certificates issued from the new ICAs are trusted (in other words, they chain up to their updated CA and trusted root).

Intermediate CA certificate replacements

Make sure to monitor the pages listed below. They are active pages, updated regularly with ICA certificate replacement information and with updates on new DigiCert intermediate CA certificates.

Why is DigiCert replacing intermediate CA certificates?

We are replacing the ICAs to:

  • Promote customer agility through ICA replacements
  • Reduce the scope of certificates issued from any given ICA, which lessens the impact of changes to intermediate and end-entity certificates driven by industry standards and CA/Browser Forum guidelines.
  • Improve internet security by ensuring all ICAs operate with the latest improvements.

If you have any questions, contact your account manager or our support team.

new

ICA certificate chain selection for public OV and EV flex certificates

We are happy to announce that public OV and EV certificates with flex capabilities now support intermediate CA certificate chain selection.

You can add an option to your CertCentral account that enables you to control which DigiCert ICA certificate issues your public OV and EV "flex" certificates.

This option allows you to:

  • Set the default ICA certificate chain for each public OV and EV flex certificate.
  • Control which ICA certificate chains certificate requestors can use to issue their flex certificates.

Configure ICA certificate chain selection

To enable ICA selection for your account, contact your account manager or our Support team. Then, on the Product Settings page in your CertCentral account (in the left main menu, go to Settings > Product Settings), configure the default and allowed intermediate certificates for each type of OV and EV flex certificate.

For more information and step-by-step instructions, see ICA certificate chain option for public OV and EV flex certificates.

new

DigiCert Services API support for ICA certificate chain selection

In the DigiCert Services API, we made the following updates to support ICA selection in your API integrations:

  • Created a new Product limits endpoint
    Use this endpoint to get information about the limits and settings for the products enabled for each division in your account. This includes the ID values of the default and allowed ICA certificate chains for each product.
  • Added ICA selection support to order requests for public TLS OV and EV flex certificates
    After you configure the allowed intermediate certificates for a product, you can choose which ICA certificate chain should issue your certificate when you submit an order request through the API.
    In the body of your order request, pass the ID of the issuing ICA certificate as the value of the ca_cert_id parameter.

Example flex certificate request:

Example flex certificate request

For more information about using ICA selection in your API integrations, see OV/EV certificate lifecycle – (Optional) ICA selection.