Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificate
Starting May 27, 2021, all reissued code signing certificates will be:
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).
RSA ICA and root certificates:
ECC ICA and root certificates:
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).
If you have questions or concerns, please contact your account manager or our support team.
DigiCert to stop issuing SHA-1 code signing certificates
On Tuesday, December 1, 2020 MST, DigiCert will stop issuing SHA-1 code signing and SHA-1 EV code signing certificates.
Note: All existing SHA-1 code signing/EV code signing certificates will remain active until they expire.
Why is DigiCert making these changes?
To comply with the new industry standards, certificate authorities (CAs) must make the following changes by January 1, 2021:
How do the SHA-1 code signing certificate changes affect me?
If you rely on SHA-1 code signing certificates, take these actions as needed before December 1, 2020:
For more information about the December 1, 2020 changes, see our knowledgebase article DigiCert to Stop Issuing SHA-1 Code Signing Certificates.
If you have additional questions, please contact your account manager or our support team.
我們改良我們的 Basic 和 Secure Site 單一網域憑證方案 (Standard SSL、EV SSL、Secure Site SSL 和 Secure Site EV SSL)，新增在憑證中納入[your-domain].com 和 www.[your-domain].com 選項到這些憑證的訂單中、重新發行和重複的表格。此選項允許您選擇是否在這些單一網域憑證中，免費納入兩個版本的一般名稱 (FQDN)。
請參閱訂購您的 SSL/TLS 憑證。
新選項允許您取得兩個版本的基礎和子網域。現在，若要保護兩個版本的子網域的安全，請新增子網域到一般名稱方塊中 (sub.domain.com)，然後勾選納入兩個[your-domain].com 和 www.[your-domain].com 到憑證中。當 DigiCert 發行您的憑證時，將納入憑證上兩個版本的子網域：[sub.domain].com 和 www.[sub.doman].com。
在憑證中納入[your-domain].com 和 www.[your-domain].com 選項，使附加功能 -- 使用子網域的附加功能過時。因此，我們從「分區喜好設定」頁面移除選項 (在資訊看板功能表中，按一下設定 > 喜好設定)。
*註：關於 Order SSL (type_hint) 端點，僅限使用如下述的
dns_names 參數來新增免費的 SAN。
保護您的兩個版本的網域的安全 ([your-domain].com 和 www.[your-domain].com)，在您的要求中，使用
common_name 參數新增網域 ([your-domain].com) 和
dns_names 參數新增其他版本的網域 (www.[your-domain].com)。
當 DigiCert 發行您的憑證時，將保護您的兩個版本的網域的安全。
若只要保護一般名稱 (FQDN) 的安全，只要從您的要求中省略