DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

New Secure Email (S/MIME) Intermediate CA certificates 2024

Solution ID : ALERT18
Last Modified : 04/12/2024


On June 25, 2024, at 10:00 MDT (16:00 UTC), DigiCert will move the default issuance of public Secure Email (S/MIME) certificates to new industry-compliant public intermediate CA (ICA) certificates.

Public S/MIME certificates include any certificate used to sign, verify, encrypt, or decrypt emails containing the emailProtection extendedKeyUsage and at least one email address (see Affected DigiCert Secure Email (S/MIME) Products below).

Important: DigiCert will update this article if new information becomes available. Make sure to save this page and periodically check back for new information.

 

 

Why must DigiCert move to new intermediate CA certificates to issue public Secure Email (S/MIME) certificates?

As of August 2023, Certificate Authorities (CAs), such as DigiCert, were required to update their public Secure Email (S/MIME) certificate issuance process to comply with the new baseline requirements for publicly trusted S/MIME certificates.

These baseline requirements include new rules governing the intermediate CA (ICA) certificates that CAs use to issue S/MIME certificates. To remain compliant, Certificate Authorities, such as DigiCert, must move to new industry-compliant Secure Email (S/MIME) intermediate CA (ICA) certificates before September 15, 2024


How does switching ICA certificates affect me?

If you install the DigiCert-provided ICA certificate included with your issued Secure Email (S/MIME) certificate, this change will not affect you, and no action will be required. Starting June 25, 2024, the new default ICA certificate will automatically come with your issued Secure Email (S/MIME) certificate (new, renewal, or reissued).


How does switching ICA certificates affect my existing certificates?

Rolling out new ICA certificates does not affect existing certificates. Active Secure Email (S/MIME) certificates issued from a replaced ICA certificate continue to be trusted until they expire.

Starting June 25, 2024, DigiCert will issue new, renewed, and reissued Secure Email (S/MIME) certificates from new ICA certificates. When installing your S/MIME certificates, always include the DigiCert-provided ICA certificate.

Best practice

We recommend always including the DigiCert-provided ICA certificate with every certificate you install. This recommendation has always been the best practice to ensure that ICA certificate replacements do not disrupt your certificate-related processes and that your certificates are trusted.


PKI Platform 8: Items to note

Starting June 25, 2024, DigiCert will start migrating your PKI Platform 8 public S/MIME issuance to the new, industry-compliant, shared CA. See Secure Email (S/MIME) ICA Certificate Replacements - 2024 below.

DigiCert Support has a tool to perform the migration quickly and seamlessly once the new ICA certificate is available.

Are you using Local Key Management Storage (LKMS) for your private key?

Those using LKMS to store their private keys must add the new ICA certificate to their local LKMS once available. Otherwise, you cannot continue to store your private keys locally.

Creating new S/MIME profiles

When creating new S/MIME profiles from any of the S/MIME-related templates, you should select the new ICA certificate. See Secure Email (S/MIME) ICA Certificate Replacements - 2024 below.


What if I need more time before switching ICA certificates?

Contact your account manager or DigiCert Support. We will set up your account so you can continue to use the ICA certificates you are using now.

However, on September 3, 2024, DigiCert must move you to the new ICA certificates. The current ICA certificates are no longer industry-compliant and cannot be used to issue Secure Email (S/MIME) certificates after that date.


Affected DigiCert Secure Email (S/MIME) Products

Platforms Products
DigiCert CertCentral Global
  • Mailbox validated certificates:
    • Secure Email for Individual
    • Class 1 S/MIME
  • Organization validated certificates:
    • Secure Email for Organization
  • Sponsor validated certificates:
    • Secure Email for Business
    • Premium
    • Email Security Plus
    • Digital Signature Plus
DigiCert PKI Platform 8
  • Mailbox-validated S/MIME templates:
    • S/MIME Secure Email
    • S/MIME (Digital Signature Only)
    • S/MIME (Encryption Only)
  • Sponsor-validated S/MIME templates:
    • S/MIME Secure Email
    • S/MIME (Digital Signature Only)
    • S/MIME (Encryption Only)
    • S/MIME (Digital Signature Only) for Intune
  • Organization-validated S/MIME templates:
    • Secure Email Gateway
DigiCert Trust Lifecycle
CertCentral certificates
  • Sponsor-validated S/MIME certificates:
    • Client Authentication
    • S/MIME Secure Email
    • S/MIME Secure Email using CMP
  • Organization-validated S/MIME templates:
    • Secure Email Gateway

PKI Platform 8 certificates

  • Sponsor-validated S/MIME certificates:
    • S/MIME Secure Email

 

Secure Email (S/MIME) ICA Certificate Replacements - 2024

Visit the DigiCert Trusted Root Authority Certificates page to download copies of DigiCert ICA and root certificates.

Platform Current ICA certificate New default ICA certificate
CertCentral Global
  • DigiCert Assured ID Client CA G2 (current default)
  • DigiCert Assured ID CA G2
  • DigiCert Assured ID CA G3
  • DigiCert SHA2 Assured ID CA
  • DigiCert Baltimore CA-1 G2
  • DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1
  • DigiCert Assured G2 SMIME RSA4096 SHA384 2024 CA1
PKI Platform 8
  • DigiCert PKI Platform C2 Shared SMIME Individual Subscriber CA
  • DigiCert PKI Platform Class 3 Shared SMIME Organization CA
  • DigiCert Assured G2 mPKI SMIME RSA4096 SHA384 2023 CA1 
Trust Lifecycle Manager

CertCentral

  • DigiCert Assured ID Client CA G2
  • DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1
  • DigiCert QuoVadis G3 SMIME RSA4096 SHA384 2023 CA1
  • DigiCert Assured G2 EUR SMIME RSA4096 SHA384 2023 CA1
  • DigiCert Assured ID G2 SMIME Europe RSA4096 SHA256 2023 CA2

CertCentral

  • DigiCert Assured G2 SMIME RSA4096 SHA384 2024 CA1

PKI Platform 8

  • DigiCert PKI Platform C2 Shared SMIME Individual Subscriber CA

PKI Platform 8

  • DigiCert Assured G2 mPKI SMIME RSA4096 SHA384 2023 CA1
*Note: The new industry-compliant ICA certificates only include emailProtection and clientAuthentication extended key usages (EKUs). Per Apple policy, S/MIME ICA certificates must not contain any other EKUs. Additionally, the certificate policy for these ICA certificates is set to anyPolicy.

  • DigiCert Logo

    The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.