

New Secure Email (S/MIME) Intermediate CA certificates 2024

Solution ID : ALERT18
Last Modified : 08/28/2024


On June 26, 2024, at 10:00 MDT (16:00 UTC), DigiCert will move the default issuance of public Secure Email (S/MIME) certificates to new industry-compliant public intermediate CA (ICA) certificates.

For the purposes of this article, a public S/MIME certificate is any publicly trusted certificate that contains the emailProtection extended key usage (EKU) and at least one email address (in the subject or as a subjectAltName rfc822Name) and is used to sign, verify, encrypt, or decrypt email (see Affected DigiCert Secure Email (S/MIME) Products below).

Important: DigiCert will update this article if new information becomes available. Make sure to save this page and periodically check back for new information.


Why must DigiCert move to new intermediate CA certificates to issue public Secure Email (S/MIME) certificates?

As of August 2023, Certificate Authorities (CAs) such as DigiCert were required to update their public Secure Email (S/MIME) certificate issuance process to comply with the new baseline requirements for publicly trusted S/MIME certificates (the CA/Browser Forum S/MIME Baseline Requirements).

These baseline requirements include new rules governing the intermediate CA (ICA) certificates that CAs use to issue S/MIME certificates. To remain compliant, CAs such as DigiCert must move to new industry-compliant Secure Email (S/MIME) ICA certificates before September 15, 2024.


How does switching ICA certificates affect me?

If you install the DigiCert-provided ICA certificate included with your issued Secure Email (S/MIME) certificate, this change will not affect you, and no action will be required. Starting June 26, 2024, the new default ICA certificate will automatically come with your issued Secure Email (S/MIME) certificate (new, renewal, or reissued).


How does switching ICA certificates affect my existing certificates?

Rolling out new ICA certificates does not affect existing certificates. Active Secure Email (S/MIME) certificates issued from a replaced ICA certificate continue to be trusted until they expire.

Starting June 26, 2024, DigiCert will issue new, renewed, and reissued Secure Email (S/MIME) certificates from new ICA certificates. When installing your S/MIME certificates, always include the DigiCert-provided ICA certificate.

Best practice

We recommend always including the DigiCert-provided ICA certificate with every certificate you install. This has always been the best practice: it ensures that an ICA replacement does not disrupt your certificate-related processes and that your certificates remain trusted. Signed S/MIME messages normally carry the signer's chain inside the CMS signature, so a recipient's ability to validate your signature depends on the ICA being installed alongside your end-entity certificate.


PKI Platform 8: Items to note

Starting June 26, 2024, DigiCert will start migrating your PKI Platform 8 public S/MIME issuance to the new, industry-compliant, shared CA. See Secure Email (S/MIME) ICA Certificate Replacements - 2024 below.

DigiCert Support has a tool to perform the migration quickly and seamlessly once the new ICA certificate is available.

Creating new S/MIME profiles

When creating new S/MIME profiles from any of the S/MIME-related templates, you should select the new ICA certificate. See the Secure Email (S/MIME) ICA Certificate Replacements - 2024 section in this article below.

Are you using Intune-specific profiles?

Important: This section is only relevant if you have profiles configured from the S/MIME (Digital Signature only) for Intune template.


After DigiCert has migrated your profiles to a new compliant public S/MIME issuing CA, you must create new trusted certificate profiles on the Microsoft Intune portal. Follow the steps under the Intune Trusted Certificate profile section in the Intune integration guide to create the trusted profiles for the new issuing CA chain.

Are you using Microsoft Autoenrollment profiles?

Important: This section is only relevant if you have profiles that use a public issuing CA to issue public S/MIME certificates and that are configured with the Microsoft Autoenrollment enrollment method.


After DigiCert migrates your Microsoft Autoenrollment-enabled profiles to a new compliant public S/MIME issuing CA, the "Autoenrollment configuration file" is updated, and you need to follow the steps below:

  1. In the PKI Manager portal, download the updated "Autoenrollment configuration file". Then import the configuration file with the Autoenrollment Configuration Utility on the Autoenrollment (AE) server. 

    For more details, see the DigiCert PKI Platform Autoenrollment Server deployment guide ("DigiCert® PKI Enterprise Gateway - Autoenrollment Server Deployment Guide.pdf").

  2. After all the profiles associated with the old ICA certificate have been migrated, delete the old ICA certificate from the "Enrollment Services" container using the "ADSI Edit" tool. Do this only after migration is complete, because the object is what Windows autoenrollment uses to locate the issuing CA: 
    1. In ADSI Edit, go to the Enrollment Services container.
    2. Select the old ICA certificate object, then select Action > Delete.

Are you using Local Key Management Storage (LKMS) for your private key?

If you use LKMS to store your private keys, add the new ICA certificate to your local LKMS as soon as it is available. Otherwise, you cannot continue to store the private keys of certificates issued from the new ICA locally.


What if I need more time before switching ICA certificates?

Contact your account manager or DigiCert Support. We will set up your account so you can continue to use the ICA certificates you are using now.

However, on September 3, 2024, DigiCert must move you to the new ICA certificates. The current ICA certificates are no longer industry-compliant and cannot be used to issue Secure Email (S/MIME) certificates after that date.


Affected DigiCert Secure Email (S/MIME) Products

Platform: DigiCert CertCentral Global
  • Mailbox validated certificates:
    • Secure Email for Individual
    • Class 1 S/MIME
  • Organization validated certificates:
    • Secure Email for Organization
  • Sponsor validated certificates:
    • Secure Email for Business
    • Premium
    • Email Security Plus
    • Digital Signature Plus

Platform: DigiCert PKI Platform 8
  • Mailbox-validated S/MIME templates:
    • S/MIME Secure Email
    • S/MIME (Digital Signature Only)
    • S/MIME (Encryption Only)
  • Sponsor-validated S/MIME templates:
    • S/MIME Secure Email
    • S/MIME (Digital Signature Only)
    • S/MIME (Encryption Only)
    • S/MIME (Digital Signature Only) for Intune
  • Organization-validated S/MIME templates:
    • Secure Email Gateway

Platform: DigiCert Trust Lifecycle Manager
  CertCentral certificates
    • Sponsor-validated S/MIME certificates:
      • Client Authentication
      • S/MIME Secure Email
      • S/MIME Secure Email using CMP
    • Organization-validated S/MIME templates:
      • Secure Email Gateway
  PKI Platform 8 certificates
    • Sponsor-validated S/MIME certificates:
      • S/MIME Secure Email


Secure Email (S/MIME) ICA Certificate Replacements - 2024

Visit the DigiCert Trusted Root Authority Certificates page to download copies of DigiCert ICA and root certificates.

Platform: CertCentral Global
  Current ICA certificates:
    • DigiCert Assured ID Client CA G2 (current default)
    • DigiCert Assured ID CA G2
    • DigiCert Assured ID CA G3
    • DigiCert SHA2 Assured ID CA
    • DigiCert Baltimore CA-1 G2
    • DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1
  New default ICA certificate:
    • DigiCert Assured G2 SMIME RSA4096 SHA384 2024 CA1

Platform: PKI Platform 8
  Current ICA certificates:
    • DigiCert PKI Platform C2 Shared SMIME Individual Subscriber CA
    • DigiCert PKI Platform Class 3 Shared SMIME Organization CA
  New default ICA certificate:
    • DigiCert Assured G2 mPKI SMIME RSA4096 SHA384 2023 CA1

Platform: Trust Lifecycle Manager
  CertCentral-issued certificates
    Current ICA certificates:
      • DigiCert Assured ID Client CA G2
      • DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1
      • DigiCert QuoVadis G3 SMIME RSA4096 SHA384 2023 CA1
      • DigiCert Assured G2 EUR SMIME RSA4096 SHA384 2023 CA1
      • DigiCert Assured ID G2 SMIME Europe RSA4096 SHA256 2023 CA2
    New default ICA certificate:
      • DigiCert Assured G2 SMIME RSA4096 SHA384 2024 CA1
  PKI Platform 8-issued certificates
    Current ICA certificate:
      • DigiCert PKI Platform C2 Shared SMIME Individual Subscriber CA
    New default ICA certificate:
      • DigiCert Assured G2 mPKI SMIME RSA4096 SHA384 2023 CA1

*Note: The new industry-compliant ICA certificates only include the emailProtection and clientAuth (client authentication) extended key usages (EKUs). Per Apple policy, S/MIME ICA certificates must not contain any other EKUs. Additionally, the certificate policy for these ICA certificates is set to anyPolicy.
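To turn the definition of an affected certificate (emailProtection EKU plus an email address), the best-practice advice to install the ICA with every certificate, and the replacement table above into something you can run against an inventory, here is an added example in Python. It is not DigiCert's code and DigiCert does not ship such a tool. It assumes the `cryptography` package; every key and certificate is generated inline as constructed test data (self-signed stand-ins for the ICAs, throwaway subjects and addresses), and only the CertCentral ICA names are taken from the table. It goes slightly beyond the table by checking the issuer's signature rather than trusting the issuer name, since a name match alone does not prove that the installed ICA is the one that signed a certificate.

```python
"""Inventory check for S/MIME certificates affected by an ICA replacement.
Added example, not DigiCert code. Requires the `cryptography` package; all
keys/certificates below are constructed test data, only ICA names are real."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# CertCentral ICAs the article lists as replaced, and the new default.
REPLACED_ICAS = {
    "DigiCert Assured ID Client CA G2",
    "DigiCert Assured ID CA G2",
    "DigiCert Assured ID CA G3",
    "DigiCert SHA2 Assured ID CA",
    "DigiCert Baltimore CA-1 G2",
    "DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1",
}
NEW_DEFAULT_ICA = "DigiCert Assured G2 SMIME RSA4096 SHA384 2024 CA1"
SMIME_EKUS = {ExtendedKeyUsageOID.EMAIL_PROTECTION, ExtendedKeyUsageOID.CLIENT_AUTH}


def _cn(name):
    attrs = name.get_attributes_for_oid(NameOID.COMMON_NAME)
    return attrs[0].value if attrs else ""


def _ekus(cert):
    try:
        return set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        return set()


def is_public_smime(cert):
    """Article's definition: emailProtection EKU plus at least one email address."""
    if ExtendedKeyUsageOID.EMAIL_PROTECTION not in _ekus(cert):
        return False
    emails = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails += san.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        pass
    return bool(emails)


def ica_is_compliant(ica):
    """Article's note: a compliant S/MIME ICA carries only emailProtection and clientAuth."""
    ekus = _ekus(ica)
    return bool(ekus) and ekus <= SMIME_EKUS


def find_issuer(cert, bundle):
    """Return the bundle entry whose key actually signed cert (a name match is not proof)."""
    for cand in bundle:
        if cand.subject != cert.issuer:
            continue
        try:
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
            return cand
        except Exception:  # same issuer name, wrong key: keep looking
            continue
    return None


def classify(cert, bundle):
    """One of: not-smime, ica-missing, old-ica, new-ica, other-ica."""
    if not is_public_smime(cert):
        return "not-smime"
    issuer = find_issuer(cert, bundle)
    if issuer is None:
        return "ica-missing"  # chain cannot be built from what is installed
    cn = _cn(issuer.subject)
    if cn in REPLACED_ICAS:
        return "old-ica"  # still trusted until expiry; renewals move to the new ICA
    return "new-ica" if cn == NEW_DEFAULT_ICA else "other-ica"


# ---- constructed test material: throwaway 2048-bit keys, one-day validity ----
def _make_cert(cn, ekus, issuer=None, email=None, ca=False):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_cert, issuer_key = issuer if issuer else (None, key)  # None = self-signed
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False))
    if email:
        b = b.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256()), key


OLD_ICA = _make_cert("DigiCert Assured ID Client CA G2", SMIME_EKUS, ca=True)
NEW_ICA = _make_cert(NEW_DEFAULT_ICA, SMIME_EKUS, ca=True)
LEGACY_ICA = _make_cert("Legacy Multi-Purpose CA", SMIME_EKUS | {ExtendedKeyUsageOID.SERVER_AUTH}, ca=True)
ALICE, _ = _make_cert("Alice Example", SMIME_EKUS, issuer=OLD_ICA, email="alice@example.com")
BOB, _ = _make_cert("Bob Example", SMIME_EKUS, issuer=NEW_ICA, email="bob@example.com")
GATEWAY, _ = _make_cert("mail.example.com", {ExtendedKeyUsageOID.SERVER_AUTH}, issuer=NEW_ICA)

if __name__ == "__main__":
    bundle = [OLD_ICA[0], NEW_ICA[0]]
    for c in (ALICE, BOB, GATEWAY):
        print(f"{_cn(c.subject):20} -> {classify(c, bundle)}")
    print("new ICA compliant:", ica_is_compliant(NEW_ICA[0]), "| legacy:", ica_is_compliant(LEGACY_ICA[0]))
```

On a real inventory you would load the end-entity certificates and the intermediates actually installed in your mail client, gateway or key store with `x509.load_pem_x509_certificate`, and treat `ica-missing` as the condition the best-practice section warns about: the certificate may be fine, but nothing on that host can build its chain.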