Beginning on May 31, 2021, the minimum RSA key size for code signing and EV code signing certificates issued by SSL.com will increase from 2048 to 3072 bits. SSL.com is making this change as part of its continual effort to follow current industry best practices and remain in compliance with all applicable standards, including the CA/Browser Forum’s Baseline Requirements for code signing and EV code signing guidelines. Minimum sizes for ECC code signing keys will remain unchanged. SSL.com’s customers can expect the following effects from this change:
- Code signing and EV code signing certificates issued before May 31, 2021 (including those with 2048-bit RSA keys) will continue to work as usual until they expire. So, if you already have a code signing certificate, no action is necessary at the present time.
- eSigner EV code signing certificates will be issued with 3072-bit RSA keys following this change. If you have already enrolled an EV code signing certificate in eSigner, no further action is necessary.
- Because the YubiKey FIPS tokens we use to distribute EV code signing certificates do not support RSA keys larger than 2048 bits, SSL.com will begin issuing ECC EV code signing certificates on YubiKey. Therefore, you should now choose only the ECCP256 or ECCP384 algorithm, not RSA2048, when generating keys for a new EV code signing certificate on YubiKey.
- Windows users with YubiKey-installed ECC EV code signing certificates should also install the YubiKey Minidriver to prevent compatibility issues.
As always, if you have any questions about the new key size requirements or any other issue relating to SSL.com’s products and services, please contact us by email at Support@SSL.com, by phone at 1-877-SSL-SECURE, or by using the chat link on this page. You can also find answers to many common support questions in the SSL.com knowledgebase.