New PKI Trust Chain for DigiCert & Thawte Code Signing Customers


With DigiCert’s completed acquisition of DigiCert's Website Security business, we will be updating our Code Signing public trust chains to modernize and streamline our Code Signing offerings.

All development and validation environments with hard-coded PKI hierarchies must be updated with the new chain.

These changes will apply to all code-signing products (MSFT Authenticode, Oracle Java, MSFT Office & VBA, Adobe AIR and Extended Validation).

There is no impact to existing code-signing certificates or the validity of signed files, whether timestamped or otherwise. We expect to issue all new code signing certificates from DigiCert’s hierarchy and infrastructure starting April 2018.

For information on changes to the Code Signing public trust chains please refer to the knowledge base article: New PKI Trust Chain for Code Signing

Please check as soon as possible for system dependencies on DigiCert/Thawte roots, or for processes that hard-code them, and modify them accordingly to trust the new certificates.
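One way to run that check, as an added example (not DigiCert tooling or code from this notice): the script below inventories embedded PEM certificates and SHA-1/SHA-256 thumbprint literals in a source or configuration tree and flags any that match a list of legacy root thumbprints. The function names, the `legacy_pins` list (to be filled in by the operator) and the sample bytes are assumptions made for the example.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# 20 to 32 hex byte pairs, optionally separated by ':' or ' ' (thumbprint-shaped literals)
PIN_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[ :]?){19,31}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])")

def norm(fp):
    return re.sub(r"[^0-9A-Fa-f]", "", fp).lower()

def scan_text(text, legacy_pins=()):
    """Return sorted (line, kind, thumbprint, is_legacy) for embedded certs and pins."""
    legacy = {norm(p) for p in legacy_pins}
    hits = []
    for m in PEM_RE.finditer(text):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:
            continue  # body is not valid base64, so not an embedded certificate
        sha1, sha256 = hashlib.sha1(der).hexdigest(), hashlib.sha256(der).hexdigest()
        hits.append((text.count("\n", 0, m.start()) + 1, "pem", sha256, bool({sha1, sha256} & legacy)))
    # Blank out PEM blocks (keeping the line count) so base64 is never read as a pin.
    rest = PEM_RE.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    for m in PIN_RE.finditer(rest):
        fp = norm(m.group(0))
        if len(fp) in (40, 64):  # SHA-1 or SHA-256 length; other hashes can match, review hits
            hits.append((rest.count("\n", 0, m.start()) + 1, "pin", fp, fp in legacy))
    return sorted(hits)

def scan_tree(root, legacy_pins=(), max_bytes=2_000_000):
    """Scan every regular file under root; return {path: hits} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stat().st_size <= max_bytes:
            hits = scan_text(path.read_text(errors="ignore"), legacy_pins)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: placeholder bytes stand in for a root certificate, not a real one.
SAMPLE_DER = b"constructed bytes standing in for a root certificate"
SAMPLE_PIN = hashlib.sha1(SAMPLE_DER).hexdigest()
SAMPLE_CONFIG = ("# constructed config\n"
    "trusted_root_thumbprint = " + ":".join(re.findall("..", SAMPLE_PIN.upper())) + "\n"
    "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(*scan_text(SAMPLE_CONFIG, [SAMPLE_PIN]), sep="\n")
```

Hits with `is_legacy` set to `False` are still pinned values and should be reviewed, since any hard-coded hierarchy will reject certificates issued from a new chain.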


Frequently Asked Questions

· Consolidating and streamlining DigiCert and Thawte’s PKI chain will improve both security and compliance going forward.

· This includes consolidating legacy resources, vetting and issuance systems acquired from DigiCert’s Website Security business.

· No. The changes only apply to all new, renewed or reissued certificates enrolled after the dates stated above.

· Certificates using the current hierarchy are still valid and will continue to work until they expire.

· You can continue purchasing and managing certificates using your existing certificate management account.

· Yes. We will update our existing services with the DigiCert signer to remove dependency on legacy services, or transition them to DigiCert services.

· This is a parallel project which should not affect channel partners or customers.

· The dates or plans for this are not finalized.

· Code Signing is not an issue, but industry bodies are pushing to replace legacy DigiCert Website Security roots in alignment with browser requirements.

· This change impacts only new, renewed or reissued certificates; no certificate reissuance is required. As such, we will not be replacing existing certificates.