Knowledge Base

New industry requirements for public Secure Email (S/MIME) certificates

On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert made the changes listed below to our public Secure Email (S/MIME) certificate issuance process to comply with the CA/Brower Forum's new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.

These changes will apply to all newly issued certificates containing the emailProtection extendedKeyUsage and at least one email address. If you can use your certificate to sign, verify, encrypt, or decrypt email, then your new, reissued, and renewed certificates will be affected by these new industry requirements starting August 29, 2023, at 10:00 MDT (16:00 UTC).

The DigiCert Certification Practice Statement (CPS) has been updated to reflect the changes we made to comply with S/MIME certificate baseline requirements. To view our CPS and other such documents, visit the DigiCert Legal Repository.

Protect your brand and your users with a DigiCert Verified Mark Certificate.

New requirements for public Secure Email (S/MIME) certificates:

• Deprecate organization units (OUs).
  The OU field in S/MIME certificates allows optional metadata to be stored in a certificate. However, its intended purpose is limited, and including the OU requires additional validation. To reduce confusion around this optional field and to help improve validation times, DigiCert will remove it from our public S/MIME certificates.
  
• New organization validation requirements for certificates issued with organization information (organization-validated and sponsor-validated).
  If your S/MIME certificate contains organization information, DigiCert must revalidate the organization (Legal Entity) per the new S/MIME organization validation requirements as outlined in the Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates.
• New email domain validation requirements for certificates issued with organization information (organization-validated and sponsor-validated).
  If your public S/MIME certificates contain organization information, they can only contain email addresses with domains if the organization can demonstrate control over the entire domain.
  For these types of S/MIME certificates, you can no longer add Gmail (@gmail.com), Outlook (@outlook.com), Yahoo (yahoo.com), or other email addresses to your certificates. You can only include an email address in your certificate if you've completed the domain control validation (DCV) for the domain in the address.
• New Organization Identifier in the SubjectDN for organization-validated and sponsor-validated S/MIME certificates.
• New S/MIME certificate policy object identifiers (OIDs) based on the certificate type.
  For public S/MIME certificates, certificate authorities (CAs) must include the correct certificate policy OID per the new baseline requirements:
  • Mailbox-validated OID: 2.23.140.1.5.1.1 - S/MIME certificates for individuals
  • Organization-validated OID: 2.23.140.1.5.2.1 - S/MIME certificate for an organization
  • Sponsor-validated OID: 2.23.140.1.5.3.1 - S/MIME certificate for an organization to issue to its organization-sponsored individuals
  • 2.16.840.1.114412.4.1.1
  • 2.16.840.1.114412.4.1.2
  • 2.16.840.1.114412.4.2
  • 2.16.840.1.114412.4.3

  
  New intermediate CA certificates coming in 2024

  The new S/MIME certificate baseline requirements also affect the intermediate CA (ICA) certificates used to issue S/MIME certificates. However, to limit the impact of the new requirements, the industry (CA/Browser Forum) allows certificate authorities to continue using the current ICA certificate to issue new S/MIME certificates for one year.

  On June 26, 2024, DigiCert began moving the default issuance of public Secure Email (S/MIME) certificates to new industry-compliant public intermediate CA (ICA) certificates. By September 3, 2024, DigiCert must move all our S/MIME certificate issuance to new industry-compliant intermediate CA certificates.

  For more information about the new industry-compliant S/MIME intermediate CA certificates and to view the timeline for the change, see our New Secure Email (S/MIME) Intermediate CA certificates 2024 article.

  
  How do the new industry requirements affect my public Secure Email (S/MIME) certificates?

  
  Newly issued S/MIME certificates

  Starting August 29, 2023, at 10:00 MDT (16:00 UTC), all newly issued S/MIME certificates, including new, reissued, and renewed certificates, must comply with the CA/Browser Forum's new Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates.

  These changes will apply to all newly issued certificates containing the emailProtection extendedKeyUsage and at least one email address. If you can use your certificate to sign, verify, encrypt, or decrypt email, then your new, reissued, and renewed certificates will be affected by these new industry requirements.

  
  Existing S/MIME certificates

  The industry changes do not affect S/MIME certificates issued before August 29, 2023, 10:00 MDT (16:00 UTC). You can continue to use these existing certificates until they expire.

  Remember, your certificate replacements and renewals will be affected by the industry changes coming to S/MIME certificates.

  
  What can I do?

  
  Get needed Secure Email S/MIME certificates before August 29, 2023

  If you have S/MIME certificate renewals, reissues, or new orders scheduled for the end of August and the month of September, do these certificate-related activities early—before August 29. That way, your S/MIME certificate issuance will remain the same, eliminating potential surprises from the modifications to certificate profiles and the validation process. Certificates issued before August 29, 2023, can still contain the organization unit information and email-validated addresses, as needed.

  
  Move to private Secure Email (S/MIME) certificates

  DigiCert recommends moving to privately trusted S/MIME certificates if public trust is not required. The rules for public S/MIME certificates do not apply to locally trusted S/MIME certificates. Contact your account representative or DigiCert Support to learn about DigiCert Private Secure Email (S/MIME) certificates.

  
  Platform-specific changes

  One of the benefits of the new S/MIME certificate baseline requirements is that it will standardize public S/MIME certificates for all certificate authorities and, more specifically, for all DigiCert platforms.

  Learn more about the changes coming to your platform and what you need to do to prepare for the changes to DigiCert's public Secure Email (S/MIME) certificate issuance process coming August 29, 2023, at 10:00 MDT (16:00 UTC):

  • CertCentral: Updates to S/MIME certificates issuance process
  • TrustLink Enterprise: Updates to S/MIME certificates issuance process
  • PKI Platform 8: Updates to S/MIME certificates issuance process
  • Trust Lifecycle Manager: Updates to S/MIME certificates issuance process

  
  CertCentral: Updates to S/MIME certificates issuance process

  

  On August 29, 2023, at 10:00 MDT (16:00 UTC), CertCentral will make changes to their S/MIME certificate issuance process to align with the new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.

  CertCentral currently offers the following S/MIME-related certificates affected by the new Secure Email (S/MIME) baseline requirements:

  • Digital Signature Plus
  • Email Security Plus
  • Premium
  • Class 1 S/MIME

  By August 29, 2023, CertCentral will change its current offerings to align with three new types of industry-compliant S/MIME certificates:

  • Mailbox-validated – Secure Email (S/MIME) certificates for individuals
  • Organization-validated – Secure Email (S/MIME) certificates for organizations
  • Sponsor-validated – Secure Email (S/MIME) certificates for an organization to issue to its organization-sponsored individuals

  DigiCert is evaluating offering individual-validated Secure Email (S/MIME) certificates based on customer demand. Contact your account manager if you are interested in S/MIME certificates issued to individuals.

  How does this affect my pending Secure Email (S/MIME) certificate orders?

  On August 29, we will cancel pending orders submitted prior to August 29, 2023, at 10:00 MDT (16:00 UTC). These requests do not adhere to the new industry requirements and cannot be issued.

  To get your canceled S/MIME certificate, resubmit the request. Remember, your new S/MIME certificate will follow the new industry guidelines, such as no longer including an organization unit, etc.

  
  Items to note:

  • For organization-validated and sponsor-validated S/MIME certificates, DigiCert must validate the organization included in the certificate for S/MIME certificates before we can issue the certificate. Organization validation is valid for 825 days.
    The new certificate request forms will include a process for completing the required organization validation as part of the certificate issuance process. You do not need to submit the organization information separately for prevalidation.
  • Organization units (OU) are no longer supported in public S/MIME certificates.
    This change does not affect your existing S/MIME certificates that include an OU. It does apply to certificate re-issuance, rekey, and certificate modifications made after we update our process on August 29, 2023.
    
  • Organization-validated and sponsor-validated certificates can only contain email addresses with a domain controlled by the organization. This limits the use of sponsor-validated certificates on email services such as gmail.com, outlook.com, or similar email addresses.
    
  • To get an S/MIME certificate with a shared email address such as gmail.com or hotmail.com, you must order a mailbox-validated S/MIME certificate.
  • We will include the correct Certificate Policy according to the new S/MIME baseline requirements.
    • Mailbox-validated: 2.23.140.1.5.1.1
    • Organization-validated: 2.23.140.1.5.2.1
    • Sponsor-validated: 2.23.140.1.5.3.1

    CertCentral Services API

    On August 29, 2023, at 10:00 MDT (16:00 UTC), we will remap existing API integrations to issue the new industry-compliant S/MIME certificates without requiring any update on existing S/MIME certificate integrations. These changes do not require updates to your API integrations.

    Mailbox-validated S/MIME certificates

    To issue industry-compliant mailbox-validated S/MIME certificates, we will do the following:

    

    • Remove all unsupported subject distinguished name (SubjectDN) fields before signing the certificate. Note that only a common name and email are allowed.
    • The common name must be an email address and match the address in the SubjectDN:Email and SAN:Name (if present).
    • Include the correct Certificate Policy OID: 2.23.140.1.5.1.1
    • Send an email challenge to the recipient to validate the mailbox before issuing the certificate.

    
    Organization-validated and sponsor-validated S/MIME certificates

    To issue industry-compliant organization-validated and sponsor-validated S/MIME certificates, we will do the following:

    • Submit the organization for S/MIME certificate validation if needed.
    • Organization units (OU) are no longer supported. If the Subject DN:OU is included in the certificate request, we will ignore the value and issue the certificate without it.
    • Include a new Organization Identifier in the SubjectDN with your validated customer Org ID.
    • Include the correct Certificate Policy OID:
      • Organization-validated: 2.23.140.1.5.2.1
      • Sponsor-validated: 2.23.140.1.5.3.1

      
      Improvements to the CertCentral Services API workflow for managing Secure Email (S/MIME) certificates

      As we update our systems to comply with the new Secure Email (S/MIME) baseline requirements, we will need to update the Services API workflows for managing S/MIME certificates in CertCentral:

      New Secure Email (S/MIME) certificate request endpoints

      • Individual Secure Email
      • Organization Secure Email
      • Organization-sponsored Secure Email
        

      For organization and organization-sponsored Secure Email (S/MIME) certificates, DigiCert must validate the organization included in the S/MIME certificates before we can issue the certificate.

      See Services API updates for client certificate workflows in our developer portal for more detailed information about the API changes. Make sure to save this page and check it frequently, as we will update this article as new information becomes available.

      
      TrustLink Enterprise: Updates to S/MIME certificates issuance process

      On August 29, 2023, at 10:00 MDT (16:00 UTC), you can no longer get your S/MIME certificates from TrustLink Enterprise. However, you can continue to view and, if needed, revoke your existing S/MIME certificates from your TrustLink Enterprise account until they expire.

      To modify, renew, or get new S/MIME certificates, you must upgrade to a CertCentral EU account. Once you've set up your new account and the new S/MIME certificates are available, you can begin ordering these certificates along with other types of certificates (such as TLS and code signing).

      Are you using a gateway service?

      If using a gateway service, you must also set up a Trust Lifecycle Manager account as follows:

      1. Contact your DigiCert account manager or sales engineer to help set up your Trust Lifecycle Manager account.
      2. Once set up, create a profile from the new Trust Lifecycle Manager template.
         1. After saving the new profile, a unique certificate management protocol (CMP) URL is generated.
         2. Paste this link into your email gateway software.

         
         Items to note about the new S/MIME certificate process:

         • DigiCert must validate the organization included in the certificate for S/MIME certificates before we can issue the S/MIME certificate.
           Organization validation is valid for 825 days. DigiCert can complete the organization validation when you request a certificate in CertCentral Europe as part of the certificate issuance process.
         • Organization-validated and sponsor-validate certificates can only contain email addresses with a domain you can demonstrate control over (i.e., can't include a gmail.com, outlook.com, or similar email address).
         • To get an S/MIME certificate with a shared email address such as gmail.com or outlook.com, you must order a mailbox-validated S/MIME certificate.
         • Organization units (OUs) are no longer supported in public S/MIME certificates.
         • Your S/MIME certificate must have an email address in the SAN:Name field.
         • We will include the correct Certificate Policy OID according to the new S/MIME baseline requirements:
           • Mailbox-validated: 2.23.140.1.5.1.1
           • Organization-validated: 2.23.140.1.5.2.1
           • Sponsor-validated: 2.23.140.1.5.3.1

           
           PKI Platform 8: Updates to S/MIME certificates issuance process

           On August 29, 2023, at 10:00 MDT (16:00 UTC), PKI Platform 8 will make changes to its S/MIME certificate issuance process to align with the new Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates.

           Important: No profile migrations are required!

           
           The PKI Platform 8 backend will check the S/MIME certificate request for a validated email domain. Based on that check, we will issue the correct certificate type: a mailbox-validated S/MIME certificate, an organization-validated S/MIME certificate, or a sponsor-validated S/MIME certificate.

           
           Mailbox-validated S/MIME certificates

           The mailbox-validated S/MIME changes affect the following templates:

           • Secure Email
           • S/MIME (Digital Signature only)
           • S/MIME (Encryption only)

           To issue industry-compliant mailbox-validated S/MIME certificates, we will do the following:

           • Remove all unsupported subject distinguished name (SubjectDN) fields before signing the certificate. Note that only a common name and email are allowed.
             • The common name must be an email address and match the address in the SubjectDN:Email and SAN:rfc822Name fields, if present.
             • SubjectDN:Email
               If the SubjectDN:Email is different from the SAN:rfc822Name value, we will automatically copy the SAN value to the SubjectDN:Email.
               Any email address value encountered in the SubjectDN:Email must be copied to the SAN:rfc822Name value. Note that we only support one email address in the SAN:rfc822Name.
               • New requests
                 We will overwrite the values in the SubjectDN fields with the SAN:rfc822Name value if the value is in email format and is different from SAN:rfc822Name, provided the email domain has been validated.
               • Renewal requests
                 If any of the SubjectDN fields contains a different email other than SAN:rfc822Name, we will reject the request.
               • If a new request contains a valid lowercase country, we will convert it to uppercase to be compliant.
               • If a renewal request contains lowercase (noncapitalized) country codes, we will reject it.
               • Links are ONLY valid for 24 hours.
               • If you don't get your certificate within 24 hours, your link must be reset.

               
               Sponsor-validated and organization-validated S/MIME certificates

               The S/MIME changes affect the following templates:

               • Sponsor-validated:
                 • Secure Email
                 • S/MIME (Digital Signature only)
                 • S/MIME (Encryption only)
                 • S/MIME (Digital Signature only) for Intune
                 • Secure Email Gateway

                 To issue industry-compliant sponsor S/MIME certificates, we will do the following:

                 • Continue to support the existing location-based subject distinguished name (SubjectDN) fields (e.g., Country, State, Locality, Street address).
                   If present in the profile, the value must come from the validated organization details.
                 • Continue to support existing SubjectDN fields added to the certificate- details.
                   The organization is responsible for vetting this information and includes fields such as given name, last name, pseudonym, job title, unique identifier, and user ID.
                 • Organization units (OUs) are no longer supported.
                   If the Subject DN:OU is included in the certificate request or the profile as a fixed value, we will ignore the value and issue the certificate without it, even if you have it configured in your certificate profile.
                 • SubjectDN:Email
                   If the SubjectDN:Email is different from the SAN:rfc822Name value, we will automatically copy the SAN value into the SubjectDN:Email.
                   Any email address value encountered in the SubjectDN:Email must be copied to the SAN:rfc822Name value. Note that we only support one email address in the SAN:rfc822Name.
                   • New requests
                     We will overwrite the values in the SubjectDN fields with the SAN:rfc822Name value if the value is in email format and is different from SAN:rfc822Name, provided the email domain has been validated.
                   • Renewal requests
                     If any of the SubjectDN fields contains a different email other than SAN:rfc822Name, we will reject the request.
                   • If a new request contains a valid lowercase country, we will convert it to uppercase to be compliant.
                   • If a renewal request contains lowercase (noncapitalized) country codes, we will reject it.
                   • The Pseudonym MUST be unique for the User seat the certificate is being issued to. Duplicate values are allowed for the same Seat ID. If the same value is encountered for a request bound to a different Seat ID in the account, we will return an error.
                   • The request MUST NOT include the Given Name and Surname fields. If the Pseudonym is present and the request includes a Given Name or Surname, we will return an error.

                   DigiCert is revalidating all Organizations and acquiring their Organization Identifier value to automatically include in the signed certificate. If you are blocked by any validation errors, contact DigiCert Support.

                   • Sponsor-validated: 2.23.140.1.5.3.1
                   • Organization-validated: 2.23.140.1.5.2.1

                   
                   Certificate renewals

                   Your certificate renewal process will remain as-is for all S/MIME interfaces, e.g., web-based flows (OS/Browser, CSR, DigiCert Desktop Client) and automated flows (PKI Client / Enterprise Gateway, API).

                   However, per the new S/MIME Baseline Requirements, your renewed certificates will contain the correct Subject DN and Certificate Policy OIDs based on the renewed certificate type: Mailbox-validated or Sponsor-validated.

                   
                   PKI Platform 8 API integrations

                   Update your API integration to ensure your application adheres to the appropriate profile restrictions to meet the new S/MIME baseline requirements. Note that if an API request contains non-supported fields for a sponsor-validated certificate type (e.g., Organization Unit), we will ignore those fields and continue to sign the appropriate certificate type (with its certificate policy OID).

                   Email domain validation

                   • The PKI Platform automated workflows, including SOAP/REST API, check the email domains in public S/MIME certificate requests against an allowlist containing prevalidated email domains.
                   • The automated flow or API will return an error if the email domain has not been prevalidated.
                   • DigiCert cannot issue a mailbox-validated S/MIME certificate submitted via the API or automated workflows (e.g., MS Autoenrollment, SCEP, etc.).

                   
                   Trust Lifecycle Manager: Updates to S/MIME certificates issuance process

                   

                   On August 29, 2023, at 10:00 MDT (16:00 UTC), Trust Lifecycle Manager will make changes to its S/MIME certificate issuance process to align with the new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.

                   Important: No profile migration is required!

                   Trust Lifecycle Manager relies on PKI Platform 8 to issue its public S/MIME certificates. Thus, PKI Platform 8 will check the S/MIME certificate request submitted via Trust Lifecycle manager for a validated email domain. Trust Lifecycle Manager currently supports sponsor-validated certificate types.

                   Sponsor-validated S/MIME certificates

                   The S/MIME changes affect the 'Public S/MIME Secure Email (via PKI Platform 8)' template. This email template only supports the sponsor-validated S/MIME certificate type.

                   To issue industry-compliant sponsor-validated S/MIME certificates for Trust Lifecycle Manager, PKI Platform 8 will do the following:

                   • Continue to support the existing location-based subject distinguished name (SubjectDN) fields (e.g., Country, State, Locality, Street address).
                     If present in the profile, the value will come from the validated organization details and inserted as signed into the certificate.
                   • Continue to support existing SubjectDN fields added to the certificate details.
                     The organization is responsible for vetting this information which includes fields such as given name, last name, pseudonym, job title, unique identifier, and user ID.
                   • Organization units (OUs) are no longer supported.
                     If the Subject DN:OU is included in the certificate request or the profile as a fixed value, we will ignore the value and issue the certificate without it, even if you have it configured in your certificate profile.
                   • SubjectDN:Email
                     If the SubjectDN:Email is different from the SAN:rfc822name value, we will automatically copy the SAN value into the SubjectDN:Email.
                     Any email address value encountered in the SubjectDN:Email must be copied to the SAN:rfc822Name value. Note that we only support one email address in the SAN:rfc822Name.
                     • New requests
                       We will overwrite the values in the SubjectDN fields with the SAN:rfc822Name value if the value is in email format and is different from SAN:rfc822Name, provided the email domain has been validated.
                     • Renewal requests
                       If any of the SubjectDN fields contains a different email other than SAN:rfc822Name, we will reject the request.
                     • If a new request contains a valid lowercase country, we will convert it to uppercase to be compliant.
                     • If a renewal request contains lowercase (noncapitalized) country codes, we will reject it.

                     DigiCert is revalidating all Organizations and acquiring their Organization Identifier value to automatically include in the signed certificate. If you are blocked by any validation errors, contact DigiCert Support.

                     
                     Certificate renewals

                     Your certificate renewal process will remain as-is for all S/MIME interfaces, e.g., web-based flows (Browser PKCS12, CSR, DigiCert Trust Assistant) and automated flows via REST API.

                     However, per the new S/MIME Baseline Requirements, your renewed certificates will contain the correct Subject DN and Certificate Policy OIDs based on the renewed certificate type: Sponsor-validated.

                     
                     Trust Lifecycle Manager API integrations

                     Update your API integration to ensure your application adheres to the appropriate profile restrictions to meet the new S/MIME baseline requirements. Note that if an API request contains non-supported fields for a sponsor-validated certificate type (e.g., Organization Unit), we will ignore those fields and continue to sign the appropriate certificate type (with its certificate policy OID).

                     
                     Email domain validation

                     The Trust Lifecycle automated workflows, including REST API, check the email domains in public S/MIME certificate requests against an allowlist containing prevalidated email domains.

                     • The API will return an error if the email domain has not been prevalidated.
                     • DigiCert cannot issue a mailbox-validated S/MIME certificate submitted via the API.