Increased key length for code signing certificates from June 1

7 May 2021

The CA/Browser Forum has tightened the requirements for code signing certificates: from June 1, 2021, a minimum key size of 3072 bits is required, up from the current minimum of 2048 bits. The reason for this is to improve security and to be better prepared for future technological progress that makes extra computing power available. In this article, we explain what this change means and what the possible impact is on your certificates.

Why this change?

A code signing certificate currently has a maximum validity of 3 years. In addition, code signing uses timestamping, so that the signature remains valid even after the certificate itself has expired. In practice, code signing certificates are therefore relied upon for a longer period of time than their validity, and during this longer period advances in technology can make the keys used vulnerable to brute force attacks. The solution is to make these certificates future-proof by increasing the key size. The CA/Browser Forum, the alliance between all browsers and Certificate Authorities, has therefore decided to require a key length of at least 3072 bits from June 1. This is in line with the May 2020 advice of NIST (National Institute of Standards and Technology) to stop using 2048-bit RSA keys after the year 2030.

What is the impact on code signing certificates and platforms?

  • All code signing certificates issued from June 1 onwards are automatically signed by 3072-bit root certificates.
  • For all code signing requests from June 1, a 3072-bit CSR and private key are required.
  • All code signing certificates issued before June 1, 2021 will continue to work. However, it is recommended, especially for certificates with a longer term, to change them to a 3072-bit key via a reissue.
  • Some (outdated) platforms do not support 3072-bit certificates. In this case you can request a certificate with a 2048-bit key length before June 1; after this date the only option is to upgrade your environment.
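The second bullet above requires a 3072-bit CSR and private key. The script below is an added example (not part of this article or the CA's tooling) that generates such a key and CSR with OpenSSL and reports the RSA modulus size of any PEM key, CSR or certificate, so that a 2048-bit request is caught before submission and existing certificates worth reissuing can be found. It assumes OpenSSL is installed; the subject fields are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: create a 3072-bit key and CSR
# for a code signing request, and check the RSA modulus size of any PEM file
# (private key, CSR or certificate) so a 2048-bit key is caught before the
# request is submitted. Assumes OpenSSL is installed; subject is a placeholder.
set -eu

MIN_BITS=3072   # minimum required by the CA/Browser Forum from June 1, 2021

# Generate a private key of MIN_BITS and a CSR signed with it.
gen_codesign_csr() {
  key="$1"; csr="$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$MIN_BITS" \
    -out "$key" 2>/dev/null
  openssl req -new -key "$key" -out "$csr" \
    -subj "/C=NL/O=Example Software BV/CN=Example Software BV"
}

# Print the RSA modulus size in bits of a PEM private key, CSR or certificate.
# The CSR pattern is matched first because its header also contains CERTIFICATE.
rsa_bits() {
  f="$1"
  case "$(head -n 1 "$f")" in
    *"CERTIFICATE REQUEST"*) openssl req  -in "$f" -noout -pubkey ;;
    *CERTIFICATE*)           openssl x509 -in "$f" -noout -pubkey ;;
    *)                       openssl pkey -in "$f" -pubout ;;
  esac | openssl rsa -pubin -noout -text 2>/dev/null \
       | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p'
}

# Succeed only if the file's key meets MIN_BITS (fails on non-RSA or unreadable
# input); use it to vet a CSR or to find existing certificates to reissue.
check_min_bits() {
  bits="$(rsa_bits "$1")"
  [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Demonstration: generate a compliant request into a temp dir and verify it.
demo() {
  dir="$(mktemp -d)"
  gen_codesign_csr "$dir/codesign.key" "$dir/codesign.csr"
  echo "key: $(rsa_bits "$dir/codesign.key") bits"
  echo "csr: $(rsa_bits "$dir/codesign.csr") bits"
  if check_min_bits "$dir/codesign.csr"; then echo "CSR OK"; else echo "CSR too short"; fi
  rm -rf "$dir"
}

demo
```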

What does the key length mean?

Each certificate is bound to a key pair that is used for signing and encryption. The number of bits of this key pair determines how much computing power is needed to crack the key by means of a brute force attack. Currently, the minimum key size for a code signing certificate is 2048 bits. The minimum key length is raised regularly to withstand the increasing computing power of computers; until a few years ago, for example, it was 1024 bits. A 2048-bit key is therefore not insecure today, but it is expected to become crackable in the future. The announced change makes the current code signing certificates future-proof.

Why code signing?

Code signing certificates are used by software developers to digitally sign products such as applications, executables or other programs. Signing software has a dual purpose. First, it gives end users the guarantee that the program they download actually originated from the maker of the software, because the name of the organization is verified in the signature. Second, the signature guarantees that the file has not been modified after signing, for example tampered with by a third party.

Questions?

Do you have any questions about the transition to 3072-bit code signing certificates? Please do not hesitate to contact us.
