Knowledge Base

End of Life for the Legacy certificate profile

The S/MIME Baseline Requirements currently support three certificate profiles for Secure Email (S/MIME) certificates: Strict, Multipurpose, and Legacy. The baseline requirements refer to these as generation profiles. However, according to the latest S/MIME Baseline Requirements, the industry will end of life the Legacy Generation profile in July 2025. For more information about this industry change, see section 1.2.1 Revisions in the latest S/MIME Baseline Requirements.

To learn more about what DigiCert® is doing to meet this new industry requirement, see DigiCert’s timeline for sunsetting the Legacy profile below.

Certificate profile comparison

DigiCert’s timeline for sunsetting the Legacy Generation profile

DigiCert's timeline ensures we update our S/MIME certificate issuance process to remove support for the Legacy certificate profile and stop issuing S/MIME certificates using it before the timeline specified in the S/MIME Baseline Requirements.

• July 1, 2025: Stop accepting new S/MIME certificate requests using the Legacy certificate profile
  On July 1, 2025, at 11:00 MDT (17:00 UTC), DigiCert will no longer accept S/MIME certificate requests using the Legacy certificate profile. All new S/MIME certificate requests must use the Strict or Multipurpose certificate profile. This change affects new, renewed, and reissued certificate requests.
  
  
• July 8, 2025: Stop issuing S/MIME certificates using the Legacy certificate profile
  On July 8, 2025, at 11:00 MDT (17:00 UTC), DigiCert will stop issuing S/MIME certificates using the Legacy certificate profile.

How does the new certificate profile requirement affect my public S/MIME certificates?

• Existing S/MIME certificates using the Legacy certificate profile
  Your existing S/MIME certificates issued with the Legacy certificate profile are not affected by the new certificate profile requirement. You can continue to use these certificates until they expire. 
  However, starting July 1, 2025, if you reissue or when you renew S/MIME certificates with the Legacy profile, you must use the Strict or Multipurpose profile instead.
  
  
• New S/MIME certificate requests starting July 1, 2025
  On July 1, 2025, we will change the default certificate profile from Legacy to either Strict or Multipurpose. See the Profile mappings table below.

Profile mappings

What can I do?

• Order S/MIME certificates with the Legacy certificate profile before July 1, 2025.
  To get a sponsor-validate S/MIME certificate with the recipient’s email address as the common name without the subject individual’s first and last name or pseudonym, you must order your S/MIME certificates with the Legacy certificate profile before July 1, 2025. See the Requirements specific to sponsor-validated certificates column in the Certificate profile comparison table above.
  
  
• Prepare your S/MIME certificate process to align with the new certificate profile requirement
  Ultimately, the most important thing you can do is update your S/MIME certificate issuance to make sure it aligns with the new requirement and continues to work the way it did before July 1, 2025. See Platform-specific changes below.

Platform-specific changes

Learn more about the changes coming to your platform and what you need to do to prepare for the new certificate profile requirement for S/MIME certificate issuance coming July 1, 2025, at 11:00 MDT (17:00 UTC):

• CertCentral: Updates to the S/MIME certificate process
• CertCentral Services API: Updates to S/MIME Endpoint Integrations
• Trust Lifecycle Manager: Updates to the S/MIME certificate process

CertCentral: Updates to the S/MIME certificate process

Secure Email Products

Secure Email Certificate products already support Strict, Multipurpose, and Legacy certificate profiles. On July 1, 2025, we will remove the Legacy profile from the Profile options menu on all request forms. You must use the Strict or Multipurpose profile when ordering, reissuing, or renewing Secure Email certificates.

• Secure Email for Individual | Mailbox validated
• Secure Email for Business | Sponsor validated
• Secure Email for Organization | Organization validated

To learn more about DigiCert’s Secure Email Certificate products, see Secure Email Certificates.

Old S/MIME Products

Old S/MIME certificate products use the Legacy certificate profile and currently do not support the Strict or Multipurpose profiles. On July 1, 2025, DigiCert will remove these products from CertCentral. You can no longer order or renew old S/MIME certificates in CertCentral; you must request a Secure Email Certificate instead.

However, you can still order these certificates through service API until we deprecate them in early 2026. Starting July 1, 2025, we will use the Multipurpose certificate profile to issue these certificates. So, do not procrastinate updating your API integrations with the new Secure Email Certificate products.

• Email Security Plus | Sponsor validated
• Digital Signature Plus | Sponsor validated
• Premium | Sponsor validated
• Class 1 S/MIME | Mailbox validated

Product and Certificate Profile Mapping

Pending S/MIME certificate orders using the Legacy profile

On July 1, 2025, DigiCert will stop accepting the S/MIME certificate requests with the Legacy certificate profile. On July 8, 2025, DigiCert will stop issuing pending S/MIME certificates using the Legacy certificate profile. If you still need the S/MIME certificate, cancel the pending order and order a new certificate using the Strict or Multipurpose certificate profile.

Reissuing S/MIME certificates issued with the Legacy certificate profile after July 1, 2025

If the primary certificate’s remaining validity is greater than the 824-day maximum validity allowed by the Strict and Multipurpose profiles, we will truncate your reissue without a refund.

Additional requirements for Sponsor validated products

When you order/reissue/renew the sponsor validated certificates with the email address as the common name, additional information is required based on the certificate profile.

• For the Legacy profile, no other information is required when using the recipient’s email address as the common name. 
• For the Strict and Multipurpose profiles, you must add the recipient’s first and last name or pseudonym when using the recipient’s email address as the common name.

Requirements for CertCentral

CertCentral Services API: Updates to Sponsor validated product Endpoint Integrations

If you are not including the recipient’s first and last name or pseudonym in your request, you must update your Services API endpoint integration before July 1, 2025. Or the Services API will return an error instead of a success message, and your Sponsor validated certificate requests will not work as they did before July 1, 2025.

Requirements for the CertCentral Services API

Trust Lifecycle Manager: Updates to the S/MIME certificate process

The new certificate generation profile requirement affects DigiCert® Trust Lifecycle Manager's S/MIME certificates that are issued using an S/MIME certificate template with the Legacy generation profile. Currently, Trust Lifecycle Manager’s S/MIME base templates only use the Legacy generation profile to issue your S/MIME certificates:

• Public S/MIME Secure Email (via CertCentral)
• Public S/MIME Secure Email using Certificate Management Protocol (CMP) (via CertCentral)
• Public Secure Email Gateway (via CertCentral) 
• Public S/MIME for Intune (via CertCentral)

Changes to S/MIME templates, certificate profiles, and certificate issuance

Starting July 1, 2025, Trust Lifecycle Manager will block S/MIME certificate requests and stop issuing S/MIME certificates using the Legacy generation profile. Trust Lifecycle Manager will also block certificate replacements using the Legacy generation profile. When issuing replacement certificates, such as reissues, duplicates, and renewals, Trust Lifecycle Manager relies on the same certificate profile used to issue the original certificate.

What do I need to do before July 1, 2025?

If your S/MIME certificate profile is already configured with the Multipurpose or Strict certificate type, you do not have to do anything.

If you have a Legacy S/MIME certificate profile, use one of the options below to update your S/MIME certificate issuance process before July 1.

1. Create new S/MIME certificate profiles
   You can create new S/MIME certificate profiles using one of the S/MIME base templates and select the Multipurpose or Strict certificate generation option. Then, use these new S/MIME certificate profiles to issue compliant certificates.
   
   When creating new certificate profiles, we strongly recommend suspending the Legacy profile being replaced to make sure it can no longer be used to issue and renew certificates.
   
   See our Trust Lifecycle Manager guide and the Create certificate profiles instructions.
   
   
2. Update your existing S/MIME certificate profiles
   We will soon release a feature that allows you to edit your Legacy S/MIME profiles and change the certificate generation option from Legacy to Multipurpose or Strict. When this feature is ready, we will include it in the Trust Lifecycle Manager release notes.
   
   Once you’ve updated the profile, new certificates and their subsequent renewals will successfully issue as Multipurpose or Strict. However, certificates issued prior to your profile change will fail to renew starting July 1, as the certificates are linked to a non-compliant Legacy profile.
   
   Affected Base S/MIME templates:
   
   
   • Public S/MIME Secure Email (via CertCentral)
     
   • Public S/MIME Secure Email using Certificate Management Protocol (CMP) (via CertCentral) 
   • Public Secure Email Gateway (via CertCentral)
     
   • Public S/MIME for Intune (via CertCentral)