New Certificate Profile Requirements for Public Secure Email (S/MIME) Certificates 2025

Solution ID : ALERT34
Last Modified : 04/04/2025

End of Life for the Legacy certificate profile

Important: This is a dynamic article. We will update it as new information becomes available. Save this page and check back periodically for the latest information.


The S/MIME Baseline Requirements currently support three certificate profiles for Secure Email (S/MIME) certificates: Strict, Multipurpose, and Legacy. The baseline requirements refer to these as generation profiles. However, according to the latest S/MIME Baseline Requirements, the Legacy generation profile reaches end of life across the industry in July 2025. For more information about this industry change, see section 1.2.1 Revisions in the latest S/MIME Baseline Requirements.

To learn more about what DigiCert® is doing to meet this new industry requirement, see DigiCert’s timeline for sunsetting the Legacy profile below.

Certificate profile comparison

| Generation profile | Maximum certificate validity¹ | Supported Key Usage | Supported Extended Key Usage (EKU) | Requirements specific to sponsor-validated certificates |
|---|---|---|---|---|
| Strict | 825 days | Digital Signature, Key Encipherment, Non-Repudiation | Secure Email | Must include the recipient's first and last name or pseudonym in the subject of the certificate. |
| Multipurpose | 825 days | Digital Signature, Key Encipherment, Non-Repudiation, Data Encipherment² | Secure Email, Client Authentication³ | Must include the recipient's first and last name or pseudonym in the subject of the certificate. |
| Legacy | 1185 days | Digital Signature, Key Encipherment, Non-Repudiation, Data Encipherment² | Secure Email, Client Authentication³ | (Optional) May include the recipient's first and last name or pseudonym in the subject of the certificate. For the Legacy certificate profile, adding this information is optional. |

¹ DigiCert's maximum certificate validity is 824 days for the Multipurpose and Strict profiles and 1184 days for the Legacy profile, to avoid exceeding the maximum allowed limit.

² Data encipherment allows you to use the certificate to sign documents.

³ Client authentication allows you to use the certificate as your Digital ID to authenticate to a server or remote computer.

DigiCert’s timeline for sunsetting the Legacy Generation profile

DigiCert's timeline ensures we update our S/MIME certificate issuance process to remove support for the Legacy certificate profile and stop issuing S/MIME certificates using it before the timeline specified in the S/MIME Baseline Requirements.

  • July 1, 2025: Stop accepting new S/MIME certificate requests using the Legacy certificate profile
    On July 1, 2025, at 10:00 MDT (16:00 UTC), DigiCert will no longer accept S/MIME certificate requests using the Legacy certificate profile. All new S/MIME certificate requests must use the Strict or Multipurpose certificate profile. This change affects new, renewed, and reissued certificate requests.

  • July 8, 2025: Stop issuing S/MIME certificates using the Legacy certificate profile
    On July 8, 2025, at 10:00 MDT (16:00 UTC), DigiCert will stop issuing S/MIME certificates using the Legacy certificate profile.


How does the new certificate profile requirement affect my public S/MIME certificates?

  • Existing S/MIME certificates using the Legacy certificate profile
    Your existing S/MIME certificates issued with the Legacy certificate profile are not affected by the new certificate profile requirement. You can continue to use these certificates until they expire. 
    However, starting July 1, 2025, when you reissue or renew S/MIME certificates that were issued with the Legacy profile, you must use the Strict or Multipurpose profile instead.

  • New S/MIME certificate requests starting July 1, 2025
    On July 1, 2025, we will change the default certificate profile from Legacy to either Strict or Multipurpose. See the Profile mappings table below.


Profile mappings

| Product | Certificate profiles before July 1, 2025 | Certificate profiles starting July 1, 2025 |
|---|---|---|
| Secure Email for Individual, Secure Email for Business, Secure Email for Organization | Legacy (default), Strict, Multipurpose | Strict (default)⁴, Multipurpose |
| Email Security Plus, Digital Signature Plus, Premium, Class 1 S/MIME | Legacy | Multipurpose |

⁴ In CertCentral®, on the Product Settings page, administrators can change the default certificate profile to Multipurpose, if needed.

What can I do?

  • Order S/MIME certificates with the Legacy certificate profile before July 1, 2025.
    To get a sponsor-validated S/MIME certificate with the recipient’s email address as the common name without the subject individual’s first and last name or pseudonym, you must order your S/MIME certificates with the Legacy certificate profile before July 1, 2025. See the Requirements specific to sponsor-validated certificates column in the Certificate profile comparison table above.

  • Prepare your S/MIME certificate process to align with the new certificate profile requirement
    Ultimately, the most important thing you can do is update your S/MIME certificate issuance to make sure it aligns with the new requirement and continues to work the way it did before July 1, 2025. See Platform-specific changes below.

Platform-specific changes

Learn more about the changes coming to your platform and what you need to do to prepare for the new certificate profile requirement for S/MIME certificate issuance coming July 1, 2025, at 10:00 MDT (16:00 UTC):


CertCentral: Updates to the S/MIME certificate process

Secure Email Products

Secure Email Certificate products already support Strict, Multipurpose, and Legacy certificate profiles. On July 1, 2025, we will remove the Legacy profile from the Profile options menu on all request forms. You must use the Strict or Multipurpose profile when ordering, reissuing, or renewing Secure Email certificates.

  • Secure Email for Individual | Mailbox validated
  • Secure Email for Business | Sponsor validated
  • Secure Email for Organization | Organization validated

To learn more about DigiCert’s Secure Email Certificate products, see Secure Email Certificates.


Old S/MIME Products

Old S/MIME certificate products use the Legacy certificate profile and currently do not support the Strict or Multipurpose profiles. On July 1, 2025, DigiCert will remove these products from CertCentral. After that, you will no longer be able to order or renew old S/MIME certificates in CertCentral; you must request a Secure Email Certificate instead.

However, you can still order these certificates through the Services API until we deprecate them in early 2026. Starting July 1, 2025, we will use the Multipurpose certificate profile to issue these certificates. So do not delay updating your API integrations to use the new Secure Email Certificate products.

  • Email Security Plus | Sponsor validated
  • Digital Signature Plus | Sponsor validated
  • Premium | Sponsor validated
  • Class 1 S/MIME | Mailbox validated

Product and Certificate Profile Mapping

| Product | Enrollment method | Before July 1, 2025 | After July 1, 2025 |
|---|---|---|---|
| Secure Email for Individual, Secure Email for Business, Secure Email for Organization | Enroll through CertCentral | Legacy (default), Multipurpose, Strict | Multipurpose, Strict (default)⁵ |
| Secure Email for Individual, Secure Email for Business, Secure Email for Organization | Enroll through Service API | Legacy (default), Multipurpose, Strict | Multipurpose, Strict (default)⁵ |
| Email Security Plus, Digital Signature Plus, Premium, Class 1 S/MIME | Enroll through CertCentral | Legacy | End of Life |
| Email Security Plus, Digital Signature Plus, Premium, Class 1 S/MIME | Enroll through Service API⁶ | Legacy | Multipurpose |

⁵ In CertCentral, on the Product Settings page, administrators can change the default certificate profile to Multipurpose, if needed.

⁶ We will deprecate the API workflow for old S/MIME certificates in early 2026.

Pending S/MIME certificate orders using the Legacy profile

On July 1, 2025, DigiCert will stop accepting S/MIME certificate requests that use the Legacy certificate profile. On July 8, 2025, DigiCert will stop issuing pending S/MIME certificates using the Legacy certificate profile. If you still need the S/MIME certificate, cancel the pending order and order a new certificate using the Strict or Multipurpose certificate profile.

Reissuing S/MIME certificates issued with the Legacy certificate profile after July 1, 2025

If the primary certificate’s remaining validity is greater than the 824-day maximum validity allowed by the Strict and Multipurpose profiles, we will truncate your reissue without a refund.

Additional requirements for Sponsor validated products

When you order, reissue, or renew sponsor-validated certificates with the email address as the common name, the additional information required depends on the certificate profile.

  • For the Legacy profile, no other information is required when using the recipient’s email address as the common name. 
  • For the Strict and Multipurpose profiles, you must add the recipient’s first and last name or pseudonym when using the recipient’s email address as the common name.
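The reissue truncation and sponsor-validated name rules above can be checked against an inventory before the cutoff. The following is an added example, not DigiCert code: the record layout and field names are hypothetical, the inventory is constructed, and it assumes a truncated reissue ends 824 days after the reissue time.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Cutoff and validity limit as stated in the article.
REQUEST_CUTOFF = datetime(2025, 7, 1, 16, 0, tzinfo=UTC)  # 10:00 MDT
MAX_VALIDITY = timedelta(days=824)  # Strict and Multipurpose at DigiCert

def reissue_plan(cert, when):
    """Describe what reissuing `cert` at time `when` requires and costs."""
    # Legacy can only be reused for requests placed before the cutoff.
    legacy_ok = cert["profile"] == "legacy" and when < REQUEST_CUTOFF
    has_name = bool((cert.get("first_name") and cert.get("last_name"))
                    or cert.get("pseudonym"))
    # Strict/Multipurpose: sponsor-validated certificates with the email
    # address as common name also need a name or pseudonym in the subject.
    needs_name = (not legacy_ok and cert["validation"] == "sponsor"
                  and cert["cn_is_email"] and not has_name)
    # Assumption: a truncated reissue ends 824 days after the reissue time.
    remaining = cert["not_after"] - when
    lost = timedelta(0) if legacy_ok else max(remaining - MAX_VALIDITY,
                                              timedelta(0))
    return {
        "must_change_profile": cert["profile"] == "legacy" and not legacy_ok,
        "needs_name": needs_name,
        "new_not_after": cert["not_after"] - lost,
        "days_lost": lost.days,
    }

# Constructed inventory; the record layout is hypothetical.
INVENTORY = [
    {"id": "sponsor-legacy", "profile": "legacy", "validation": "sponsor",
     "cn_is_email": True, "not_after": datetime(2028, 6, 1, tzinfo=UTC)},
    {"id": "mailbox-legacy", "profile": "legacy", "validation": "mailbox",
     "cn_is_email": True, "not_after": datetime(2026, 1, 15, tzinfo=UTC)},
    {"id": "sponsor-strict", "profile": "strict", "validation": "sponsor",
     "cn_is_email": True, "first_name": "Alex", "last_name": "Example",
     "not_after": datetime(2027, 3, 1, tzinfo=UTC)},
]

if __name__ == "__main__":
    when = datetime(2025, 7, 2, tzinfo=UTC)  # a reissue after the cutoff
    for cert in INVENTORY:
        print(cert["id"], reissue_plan(cert, when))
```

Running the plan for a date before and after the cutoff shows which certificates lose validity on reissue and which requests need name data collected first.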

Requirements for CertCentral

| Product | Certificate profile | Common name | Additional requirements |
|---|---|---|---|
| Secure Email for Business, Email Security Plus⁷, Digital Signature Plus⁷, Premium⁷ | Legacy | Email address | No other information is required. |
| Secure Email for Business | Multipurpose, Strict | Email address | You must include the recipient’s first and last name or pseudonym. |

⁷ On July 1, 2025, we will end of life the old S/MIME certificate enrollment workflow in CertCentral.

CertCentral Services API: Updates to Sponsor validated product Endpoint Integrations

If you are not including the recipient’s first and last name or pseudonym in your request, you must update your Services API endpoint integration before July 1, 2025. Otherwise, the Services API will return an error instead of a success message, and your Sponsor validated certificate requests will not work as they did before July 1, 2025.

Requirements for the CertCentral Services API

| Product | Certificate profile | Additional requirements |
|---|---|---|
| Secure Email for Business | Legacy | When using the common_name_indicator = email_address, the recipient’s first and last name or pseudonym are optional. |
| Secure Email for Business | Multipurpose, Strict | When using the common_name_indicator = email_address, you must send either the recipient’s first and last name or pseudonym in the individual array. |
| Email Security Plus⁸, Digital Signature Plus⁸, Premium⁸ | Legacy⁹ | When using the email address or the recipient’s name for the common_name value, you don’t need to include the recipient’s first and last name or pseudonym. |
| Email Security Plus⁸, Digital Signature Plus⁸, Premium⁸ | Multipurpose⁹ | You must send either the recipient’s first and last name or pseudonym in the individual array¹⁰. |

⁸ We will deprecate the Old S/MIME certificate enrollment workflow through the Services API in early 2026.

⁹ On July 1, 2025, we will change the certificate profile for old S/MIME products to Multipurpose from Legacy.

¹⁰ In May 2025, the Individual array for old S/MIME products will be available for these endpoints in the Services API.

Trust Lifecycle Manager: Updates to the S/MIME certificate process

The new certificate generation profile requirement affects DigiCert® Trust Lifecycle's S/MIME certificates that are issued using an S/MIME certificate template with the Legacy generation profile. Currently, Trust Lifecycle’s S/MIME base templates only use the Legacy generation profile to issue your S/MIME certificates:

  • Public S/MIME Secure Email (via CertCentral)
  • Public S/MIME Secure Email using Certificate Management Protocol (CMP) (via CertCentral)
  • Public Secure Email Gateway (via CertCentral) 
  • Public S/MIME (Digital Signature only) for Intune (via CertCentral)

Changes to S/MIME templates, certificate profiles, and certificate issuance

  • Starting July 1, 2025, Trust Lifecycle will block S/MIME certificate requests using the Legacy generation profile.
    Trust Lifecycle will also block certificate replacements using the Legacy generation profile. When issuing replacement certificates, such as reissues, duplicates, and renewals, Trust Lifecycle relies on the same certificate profile used to issue the original certificate.
  • Then, on July 8, 2025, Trust Lifecycle will stop issuing S/MIME certificates and processing pending requests placed using an S/MIME certificate template with the Legacy generation profile. These certificates no longer adhere to the new industry generation profile requirement.

What do I need to do before July 1, 2025?

If your S/MIME certificate profile is already configured with the Multipurpose or Strict certificate type, you do not have to do anything.

If you have a Legacy S/MIME certificate profile, use one of the options below to update your S/MIME certificate issuance process before July 1.

  1. Create new S/MIME certificate profiles
    You can create new S/MIME certificate profiles using one of the S/MIME base templates and select the Multipurpose or Strict certificate generation option. Then, use these new S/MIME certificate profiles to issue compliant certificates.

    When creating new certificate profiles, we strongly recommend suspending the Legacy profile being replaced to make sure it can no longer be used to issue and renew certificates.

    See our Trust Lifecycle guide and the Create certificate profiles instructions.

  2. Update your existing S/MIME certificate profiles
    We will soon release a feature that allows you to edit your Legacy S/MIME profiles and change the certificate generation option from Legacy to Multipurpose or Strict. When this feature is ready, we will include it in the Trust Lifecycle Manager release notes.

    Once you’ve updated the profile, new certificates and their subsequent renewals will successfully issue as Multipurpose or Strict. However, certificates issued prior to your profile change will fail to renew starting July 1, as the certificates are linked to a non-compliant Legacy profile.

    Affected Base S/MIME templates:

    • Public S/MIME Secure Email (via CertCentral)
    • Public S/MIME Secure Email using Certificate Management Protocol (CMP) (via CertCentral) 
    • Public Secure Email Gateway (via CertCentral)
    • Public S/MIME (Digital Signature only) for Intune (via CertCentral)
WARNING: Starting July 1, Legacy generation S/MIME certificate renewals will fail from profiles still configured with the Legacy generation option. We strongly recommend that you Suspend these profiles to prevent any certificate renewal failures. To avoid disruptions to your S/MIME certificate issuance process, use one of the options above before July 1.