Important: This is a dynamic article. We will update it as new information becomes available. Save this page and check back periodically for the latest information.
The S/MIME Baseline Requirements currently support three certificate profiles for Secure Email (S/MIME) certificates: Strict, Multipurpose, and Legacy. The baseline requirements refer to these as generation profiles. However, according to the latest S/MIME Baseline Requirements, the industry will retire (end-of-life) the Legacy generation profile in July 2025. For more information about this industry change, see section 1.2.1 Revisions in the latest S/MIME Baseline Requirements.
To learn more about what DigiCert® is doing to meet this new industry requirement, see DigiCert’s timeline for sunsetting the Legacy profile below.
Generation profile | Maximum certificate validity¹ | Supported Key Usage | Supported Extended Key Usage (EKU) | Requirements specific to sponsor-validated certificates |
Strict | 825 days | | | Must include the recipient's first and last name or pseudonym in the subject of the certificate. |
Multipurpose | 825 days | | | Must include the recipient's first and last name or pseudonym in the subject of the certificate. |
Legacy | 1185 days | | | (Optional) May include the recipient's first and last name or pseudonym in the subject of the certificate. For the Legacy certificate profile, adding this information is optional. |
¹ DigiCert's maximum certificate validity is 824 days for the Multipurpose and Strict profiles and 1184 days for the Legacy profile, to avoid exceeding the maximum allowed limit.
² Data encipherment allows you to use the certificate to sign documents.
³ Client authentication allows you to use the certificate as your Digital ID to authenticate to a server or remote computer.
DigiCert's timeline ensures we update our S/MIME certificate issuance process to remove support for the Legacy certificate profile and stop issuing S/MIME certificates using it before the timeline specified in the S/MIME Baseline Requirements.
Product | Certificate profiles before July 1, 2025 | Certificate profiles starting July 1, 2025 |
|
|
|
|
Legacy | Multipurpose |
⁴ In CertCentral®, on the Product Settings page, administrators can change the default certificate profile to Multipurpose, if needed.
Learn more about the changes coming to your platform and what you need to do to prepare for the new certificate profile requirement for S/MIME certificate issuance coming July 1, 2025, at 10:00 MDT (16:00 UTC):
Secure Email Certificate products already support Strict, Multipurpose, and Legacy certificate profiles. On July 1, 2025, we will remove the Legacy profile from the Profile options menu on all request forms. You must use the Strict or Multipurpose profile when ordering, reissuing, or renewing Secure Email certificates.
To learn more about DigiCert’s Secure Email Certificate products, see Secure Email Certificates.
Old S/MIME certificate products use the Legacy certificate profile and currently do not support the Strict or Multipurpose profiles. On July 1, 2025, DigiCert will remove these products from CertCentral. After that date, you can no longer order or renew old S/MIME certificates in CertCentral; you must request a Secure Email Certificate instead.
However, you can still order these certificates through the Services API until we deprecate them in early 2026. Starting July 1, 2025, we will use the Multipurpose certificate profile to issue these certificates. Do not delay updating your API integrations to use the new Secure Email Certificate products.
Product and enrollment method | Before July 1, 2025 | After July 1, 2025 | |
|
Enroll through CertCentral |
|
|
Enroll through Service API |
|
|
|
|
Enroll through CertCentral | Legacy | End of Life |
Enroll through Service API⁶ | Legacy | Multipurpose |
⁵ In CertCentral, on the Product Settings page, administrators can change the default certificate profile to Multipurpose, if needed.
⁶ We will deprecate the API workflow for old S/MIME certificates in early 2026.
On July 1, 2025, DigiCert will stop accepting S/MIME certificate requests that use the Legacy certificate profile. On July 8, 2025, DigiCert will stop issuing pending S/MIME certificates that use the Legacy certificate profile. If you still need the S/MIME certificate, cancel the pending order and order a new certificate using the Strict or Multipurpose certificate profile.
If the primary certificate’s remaining validity is greater than the 824-day maximum validity allowed by the Strict and Multipurpose profiles, we will truncate your reissue without a refund.
When you order, reissue, or renew sponsor-validated certificates with the email address as the common name, additional information is required depending on the certificate profile.
Product | Certificate profile | Common name | Additional requirements |
|
Legacy | Email address | No other information is required. |
|
|
Email address | You must include the recipient’s first and last name or pseudonym. |
⁷ On July 1, 2025, we will end of life the old S/MIME certificate enrollment workflow in CertCentral.
If you are not including the recipient’s first and last name or pseudonym in your request, you must update your Services API endpoint integration before July 1, 2025. Otherwise, the Services API will return an error instead of a success message, and your sponsor-validated certificate requests will not work as they did before July 1, 2025.
Product | Certificate profile | Additional requirements |
Secure Email for Business | Legacy | When using the common_name_indicator = email_address, the recipient’s first and last name or pseudonym are optional. |
|
When using the common_name_indicator = email_address, you must send either the recipient’s first and last name or pseudonym in the individual array. | |
|
Legacy⁹ | When using the email address or the recipient’s name for the common_name value, you don’t need to include the recipient’s first and last name or pseudonym. |
Multipurpose⁹ | You must send either the recipient’s first and last name or pseudonym in the individual array¹⁰. |
⁸ We will deprecate the old S/MIME certificate enrollment workflow through the Services API in early 2026.
⁹ On July 1, 2025, we will change the certificate profile for old S/MIME products to Multipurpose from Legacy.
¹⁰ In May 2025, the individual array for old S/MIME products will be available for these endpoints in the Services API.
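The following planning check is an added example, not DigiCert code: it applies the July 1, 2025 cutoff, the 824-day limit, and the sponsor-validated name requirement described above to a constructed certificate inventory. The inventory field names are hypothetical, and it assumes the 824 days of a truncated reissue are counted from the reissue date.

```python
from datetime import date, timedelta

LEGACY_CUTOFF = date(2025, 7, 1)  # page: Legacy requests rejected from this date
MAX_DAYS = 824                    # page: DigiCert maximum for Strict/Multipurpose

# Constructed inventory. Field names are hypothetical, not a CertCentral export.
INVENTORY = [
    dict(id="cert-a", profile="legacy", not_after=date(2028, 3, 1),
         sponsor_validated=True, cn_is_email=True,
         first_name="", last_name="", pseudonym=""),
    dict(id="cert-b", profile="multipurpose", not_after=date(2026, 12, 1),
         sponsor_validated=True, cn_is_email=True,
         first_name="Ana", last_name="Ruiz", pseudonym=""),
    dict(id="cert-c", profile="legacy", not_after=date(2026, 1, 15),
         sponsor_validated=True, cn_is_email=True,
         first_name="", last_name="", pseudonym="ops-mailbox"),
]

def truncated_expiry(not_after, reissue_on):
    """New expiry if the reissue is cut to MAX_DAYS, else None.
    Assumption: the 824 days are counted from the reissue date."""
    if reissue_on >= LEGACY_CUTOFF and (not_after - reissue_on).days > MAX_DAYS:
        return reissue_on + timedelta(days=MAX_DAYS)
    return None

def audit(cert, reissue_on):
    """List what must change before `cert` is reissued or renewed on `reissue_on`.
    Only requests on or after the cutoff are modelled."""
    if reissue_on < LEGACY_CUTOFF:
        return []
    findings = []
    if cert["profile"] == "legacy":
        findings.append("PROFILE")      # switch to strict or multipurpose
    if truncated_expiry(cert["not_after"], reissue_on):
        findings.append("TRUNCATED")    # remaining validity exceeds 824 days
    named = cert["pseudonym"] or (cert["first_name"] and cert["last_name"])
    if cert["sponsor_validated"] and cert["cn_is_email"] and not named:
        findings.append("NAME")         # first and last name or pseudonym required
    return findings

def report(reissue_on):
    """Map each inventory id to its list of findings for the given date."""
    return {c["id"]: audit(c, reissue_on) for c in INVENTORY}

if __name__ == "__main__":
    for cert_id, findings in report(date(2025, 8, 1)).items():
        print(cert_id, findings or "ready")
```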
The new certificate generation profile requirement affects DigiCert® Trust Lifecycle's S/MIME certificates that are issued using an S/MIME certificate template with the Legacy generation profile. Currently, Trust Lifecycle’s S/MIME base templates only use the Legacy generation profile to issue your S/MIME certificates:
If your S/MIME certificate profile is already configured with the Multipurpose or Strict certificate type, you do not have to do anything.
If you have a Legacy S/MIME certificate profile, use one of the options below to update your S/MIME certificate issuance process before July 1.
WARNING: Starting July 1, Legacy generation S/MIME certificate renewals will fail from profiles still configured with the Legacy generation option. We strongly recommend that you Suspend these profiles to prevent any certificate renewal failures. To avoid disruptions to your S/MIME certificate issuance process, use one of the options above before July 1.