Changes to Code Signing Certificates
Starting from May 27, 2021, 14:00 MDT (20:00 UTC), DigiCert® will require 3072-bit RSA keys or larger for code signing certificates.
This change is to comply with industry standards. These new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. Note that ECC key requirements remain unchanged.
- Code signing certificates issued before May 27 require no change and will work until they expire.
- After May 27, new, renewed, and reissued code signing certificates from DigiCert will automatically issue with new intermediate CAs and roots.
- After May 27, all code signing certificates will require CSRs with 3072-bit or larger RSA keys. EV code signing certificates will need a new token or an HSM that supports at least 3072-bit keys. Currently most tokens and HSMs only support the smaller 2048-bit keys.
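The key-size rule above can be checked before a CSR is submitted. The script below is an added example, not DigiCert tooling: it assumes the OpenSSL command-line tool is installed, and its function names, file names and subject are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate a CSR on the 3072-bit RSA minimum before submission.
# Assumes the OpenSSL CLI; all names below are constructed for this example.

MIN_RSA_BITS=3072

# Print the public-key size in bits of a PEM CSR (empty if unreadable).
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Print the key algorithm, e.g. "rsaEncryption" or "id-ecPublicKey".
csr_key_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Return 0 if acceptable, 1 if an RSA key is too small, 2 if unreadable.
# ECC requirements are unchanged, so non-RSA keys are not size-checked here.
check_csr() {
    alg=$(csr_key_alg "$1")
    bits=$(csr_key_bits "$1")
    [ -n "$alg" ] && [ -n "$bits" ] || { echo "unreadable CSR: $1" >&2; return 2; }
    case "$alg" in
        rsaEncryption)
            if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
                echo "REJECT $1: RSA $bits-bit, need >= $MIN_RSA_BITS" >&2
                return 1
            fi ;;
    esac
    echo "OK $1: $alg $bits-bit"
}

# Demo helper: create a throwaway software key and CSR of the given RSA size.
# For EV certificates the key is generated on the token or HSM instead.
make_rsa_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=constructed-example" 2>/dev/null
}

# When run with CSR paths as arguments, check each one.
for f in "$@"; do check_csr "$f" || exit $?; done
```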
Where are the new intermediate CA and root certificates?
DigiCert Trusted Authority Root Certificates
- DigiCert Trusted G4 (RSA default)
- DigiCert Global Root G3 (ECC default)
- DigiCert CS RSA 4096 Root G5
- DigiCert CS ECC P384 Root G5
DigiCert Intermediate CA Certificates
- DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
DigiCert Root Certificate Download Site
What if I need to reissue a code signing certificate?
All code signing certificates reissued after May 27 will include the new intermediate and root certificates.
If your environment includes pinned or hard-coded references to the previous root and intermediate certificates, you will need to update your environment by adding the new certificates.
For EV code signing certificates, you need a token or HSM that supports RSA keys of at least 3072 bits.
Do you pin, hard-code, or use a trust store for your code signing certificates?
You need to update your environment with the new root and intermediate CA certificates. It is recommended that you stop pinning and hard-coding certificates. Before putting a code signing certificate issued after May 27, 2021 into use, make sure the certificates are trusted and chain to the new intermediate CA and DigiCert Trusted Root G4.