Changes Code Signing Certificates

Starting from May 27, 2021, 14:00 MDT (20:00 UTC), DigiCert® will require 3072-bit RSA keys or larger for code signing certificates.

7 May, 2021

This change is to comply with industry standards. These new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. Note that ECC key requirements remain unchanged.

  • Code signing certificates issued before May 27 require no change and will work until they expire.
  • After May 27, new, renewed, and reissued code signing certificates from DigiCert will automatically issue with new intermediate CAs and roots.
  • After May 27, all code signing certificates will require CSRs with 3072-bit or larger RSA keys. EV code signing certificates will need a new token or an HSM that supports at least 3072-bit keys. Currently most tokens and HSMs only support the smaller 2048-bit keys.

Where are the new intermediate CA and root certificates?

DigiCert Trusted Authority Root Certificates

DigiCert Intermediate CA Certificates

DigiCert Root Certificate Download Site

What if I need to reissue a code signing certificate?

All code signing certificates reissued after May 27 will include the new intermediate and root certificates.

If your environment includes hard-coded or hard-coded references to the previous root and intermediate certificates, you will need to update your environment, adding the new certificates.

For EV code signing certificates, a token or HSM is required that supports at least the RSA key size of 3072 bits.

Pin, Hard Code or Trust Store for your code signing certificates?

You need to update your environment with the new root and intermediate CA. It is recommended that you stop pinning and hardcoding certificates. Before putting a Code Signing certificate issued after May 27, 2021 online, make sure the certificates are trusted and connect them to the new Intermediate CA and DigiCert Trusted Root G4.

Contact Us

for more information about our solutions and products.