Unlike TLS certificates, which protect short-lived connections, code signing certificates must produce signatures that remain secure well into the future, because signed code stays in use long after it is signed. Shorter keys are less resistant to future cryptographic attacks, which means weaker trust in signed code.
With this challenge in mind, standards and regulatory bodies are working on guidance that will keep code signing secure for a long time and maintain trust in signed code. The National Institute of Standards and Technology (NIST) issued its recommendations for key management in NIST SP 800-57, which recommends that 2048-bit RSA keys be retired by 2030. While 2030 is still years away, many of the certificates and signatures being made now will still be in use at that time.
Microsoft has followed this guidance and made changes to their policies. Microsoft now requires all new root keys for code signing and time stamping to use 4096-bit RSA. Additionally, Microsoft will not trust 2048-bit RSA root certificates after 2030.
Finally, new CA/Browser Forum requirements set the minimum key size for publicly trusted code signing and time-stamping certificates at 3072-bit RSA. The changes to the Code Signing Baseline Requirements go into effect on June 1, 2021; however, we will begin using longer keys earlier to remain compliant. The larger key requirements may also mean purchasing new hardware or tokens, or migrating to a managed signing service.
DigiCert will require 3072-bit keys or larger for new or renewed code signing certificates starting on May 27, 2021. You should speak with your DigiCert account representative about making the transition before May 27. However, certificates issued prior to May 27 will remain valid until they expire. After that date, any reissues, renewals or new certificates must have a minimum of 3072-bit RSA.
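Before the cutover, it helps to inventory existing code signing keys against these thresholds. The following is an added example, not DigiCert's code: using only the Python standard library, it reads the modulus size from a DER-encoded RSA public key (a PKCS#1 RSAPublicKey or an X.509 SubjectPublicKeyInfo, such as the output of `openssl rsa -pubout -outform DER`) and maps it to the 3072-bit minimum, the 4096-bit Microsoft root requirement and the NIST 2030 retirement of 2048-bit RSA. The sample keys it parses are constructed in code and are not real keys.

```python
# Added example: check an RSA code signing key's modulus size against the thresholds above.
# Standard library only; the sample keys below are constructed, not real key material.

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give how many bytes encode the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Modulus size in bits from a DER RSAPublicKey (PKCS#1) or SubjectPublicKeyInfo."""
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, first, nxt = der_read(body, 0)
    if tag == 0x30:  # SubjectPublicKeyInfo: AlgorithmIdentifier then BIT STRING
        tag, bitstr, _ = der_read(body, nxt)
        if tag != 0x03:
            raise ValueError("expected BIT STRING wrapping RSAPublicKey")
        return rsa_modulus_bits(bitstr[1:])  # first octet is the unused-bits count
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()

def key_size_status(bits):
    """Classify a modulus size against the thresholds discussed in the text."""
    if bits < 3072:
        return "below the 3072-bit CA/B Forum minimum (NIST SP 800-57 retires 2048-bit RSA by 2030)"
    if bits < 4096:
        return "meets the 3072-bit minimum"
    return "meets the 3072-bit minimum and Microsoft's 4096-bit root requirement"

# Constructed sample keys: a modulus of the requested size (top bit set) wrapped in DER.
def der_tlv(tag, value):
    n = len(value)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + value
def der_integer(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return der_tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep the INTEGER positive
def constructed_rsa_public_key(bits, e=65537):
    return der_tlv(0x30, der_integer((1 << (bits - 1)) | 1) + der_integer(e))
def constructed_spki(bits):
    rsa_encryption = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"  # OID rsaEncryption, NULL
    return der_tlv(0x30, der_tlv(0x30, rsa_encryption) + der_tlv(0x03, b"\x00" + constructed_rsa_public_key(bits)))
```

For a real certificate, extract the public key with `openssl x509 -pubkey -noout` and convert it to DER before passing it to `rsa_modulus_bits`.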
At DigiCert, we agree that this is a positive move for security and complies with coming industry standards. However, we understand the burden it puts on customers to make the change. To make migration as easy as possible, we recommend you take advantage of DigiCert® Software Trust Manager, which aligns with the new requirements without the need for hardware. Additionally, since it is built on DigiCert ONE™, DigiCert Software Trust Manager can support full automation of code signing so that signing can be scripted and integrated with developer build tools, such as Jenkins and Azure.
Using DigiCert Software Trust Manager, you can automate EV code signing instead of entering the token PIN for each signing. DigiCert Software Trust Manager only supports workflows aligned with current compliance requirements, and it handles key generation and protection, so you can be assured it always remains compliant, regardless of future policy changes.
DigiCert Software Trust Manager is a service approach to managing code signing by enabling automated security across Continuous Integration/Continuous Delivery (CI/CD) pipelines with portable, flexible deployment models and secure key management. DigiCert Software Trust Manager supports code signing best practices such as a unique key and certificate per signing for private signing, on-demand keys and rotating keys. It is compatible with major platforms and libraries such as Docker, Microsoft, Java, Android and more. Using DigiCert Software Trust Manager, enterprises integrate code signing into their product development processes easily, while delegating cryptographic operations, signing activities and management in a controlled, auditable way. As a part of DigiCert ONE, DigiCert Software Trust Manager offers quick deployment of high volumes of certificates within minutes, plus the flexibility to deploy on-premises, in-country or in the cloud.
With these changes to code signing certificate management, it may be time to consider a modern managed signing service. See the DigiCert Software Trust Manager page for more information.