New RSA Key Size Requirements for DigiCert Code Signing Certificates
Starting from 27 May 2021, DigiCert will require RSA keys of 3072 bits or larger to issue Code Signing certificates.
This change is due to tougher industry standards. The new RSA key size requirements apply to the entire certificate chain (root, all intermediate and end-entity certificates). The requirements for ECC keys remain unchanged.
Certificates issued before 27 May do not need to be changed. They will continue to work until the end of their validity period. After 27 May, all new, renewed and re-issued Code Signing certificates from DigiCert will be automatically issued with updated chains (with new intermediate and root certificates). After 27 May, all Code Signing certificates will require RSA keys of 3072 bits or greater. For EV Code Signing certificates, you will need a new token (or HSM) that supports at least 3072-bit keys. Tokens and HSMs currently only support 2048-bit keys.
What you need to do
If your environment does not have pinned or hard-coded links to intermediate and root certificates, you do not need to do anything. Otherwise, you will have to update your environment.
For EV Code Signing certificates, you will need to obtain an HSM/token that supports a 3072-bit RSA key size.
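One way to check whether a pinned or hard-coded chain meets the new minimum, as an added example that is not DigiCert's own tooling. It assumes the OpenSSL command-line tool is installed and the chain is stored as a PEM bundle; the names audit_chain and MIN_RSA_BITS are illustrative.

```shell
#!/usr/bin/env bash
# Added example: audit every certificate in a PEM bundle against the
# 3072-bit RSA minimum. ECC keys are listed but never flagged, because
# the ECC requirements are unchanged.
MIN_RSA_BITS=3072

# audit_chain BUNDLE.pem
# Prints one line per certificate: STATUS<TAB>ALGORITHM<TAB>BITS<TAB>SUBJECT
# Returns 0 if no RSA key is below the minimum, 1 if any is,
# 2 if the bundle cannot be read or holds no certificates.
audit_chain() {
    bundle=$1
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    # crl2pkcs7 wraps all certificates of the bundle in one PKCS#7
    # structure so that pkcs7 -print_certs can dump each of them as text.
    text=$(openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null |
           openssl pkcs7 -print_certs -text -noout 2>/dev/null) || return 2
    [ -n "$text" ] || { echo "no certificates in $bundle" >&2; return 2; }
    printf '%s\n' "$text" | awk -v min="$MIN_RSA_BITS" '
        /^ *Subject:/ { sub(/^ *Subject: */, ""); subject = $0 }
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/ {
            bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
            status = "OK"
            if ((alg == "rsaEncryption" || alg == "rsassaPss") && bits + 0 < min) {
                status = "WEAK"; bad = 1
            }
            printf "%s\t%s\t%s\t%s\n", status, alg, bits, subject
        }
        END { exit bad ? 1 : 0 }'
}
```

Run it as `audit_chain chain.pem` against each bundle your build or verification environment pins; any line marked WEAK identifies a certificate whose RSA key is below 3072 bits.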