Sectigo Code-signing Certificates: Key Length Baseline Requirements

As of June 1, 2021 and in compliance with the CA/Browser Forum Code-signing Baseline Requirements , Sectigo will require RSA keys be a minimum of 3072 bits in size.

When generating keys and CSRs for code-signing certificates, please ensure you select an RSA key with a 3072- or 4096-bit key size.

Only the size of the keys is to change, the rest of the process remains the same.

We have also signed new issuing CAs for code-signing that meet this requirement and are still trusted fully on all the same platforms.

Existing RSA 2048bit certificates will continue to work and no changes are needed to them.

Certificates requested with ECC (elliptic curve) keys are unaffected and we will still sign certificates with keys using the NIST P-256 and P-384 curves.


Question: Will Sectigo be able to issue certificates with a 2048 key length to work with my legacy application (or hardware) on an exception basis?
Answer: No. The requirement is from the CA/B Forum Baseline Requirements for Code-signing and does not allow for exceptions.

Question: What certificate types will be affected by this key size change?
Answer: Only code-signing certificates.

Question: Will the certificate key size change include TimeStamping?
Answer: No.

Question: Will Sectigo Certificate Manager (SCM) check the Certificate Signing Request (CSR) to ensure compliance and what happens if it fails?
Answer: Yes, and the CSR should be rejected.

Question: Will my Sectigo Certificate Manager (SCM) templates (global or otherwise) be changing along with the June 1, 2021 CA/Browser Forum Code-signing Baseline Requirements change?
Answer: Yes, requiring minimum key-sizes for public code-signing certificates.

Should you have any other questions or concerns please do not hesitate to contact Support