DigiCert KnowledgeBase - Technical Support

Validation for S/MIME Certificates

Solution ID : AL130721174030
Last Modified : 10/21/2023

Description

Background

On July 15, 2021, DigiCert will update the public S/MIME certificate validation processes to align with the Gmail S/MIME policy, which requires Certificate Authorities (CAs) to:

  • Verify that an email address used as the Common Name on the S/MIME certificate request matches exactly the email address used in all other email fields in the Subject Distinguished Name (Subject DN) and Subject Alternative Name (SAN).
  • Verify that the organization or address information in the Subject DN matches the information registered for the organization.

To comply with the above requirements, the following S/MIME public certificate fields will be strictly validated before issuance through any supported enrollment flow (e.g., web-based, API).

How does this affect me?

Email address used for the Common Name must match the email on the certificate

If the certificate request contains an email address in the Common Name field that does not match the other email fields, we will block the certificate issuance.

Solutions:

  1. Use the same email address as other email fields in the Subject DN (e.g., Email) or SAN (e.g., rfc822Name).
  2. Use a non-email formatted value for the Common Name field in the Subject DN.

    For requests using the web services API, error code A51C will be returned.

Organization and address information validation for S/MIME certificate in the Subject Distinguished Name (Subject DN)

If the certificate request has organization or address information in the Subject Distinguished Name (Subject DN) that does not match the information registered for your organization, DigiCert will block the certificate issuance.

The affected Subject DN fields, with the respective organization information they are validated against, are listed below:

Certificate Field - Organization Information:

  • O (Organization) - Organization name
  • S (StateOrProvince) - State/Province
  • L (Locality) - City
  • ST (Street) - Address 1 or Address 2
  • P (PostalCode) - Zip/Postal code
  • C (Country) - Country

Solutions:

  1. Use validated organization information for each Subject DN field that is subject to validation. The validation checks are case-insensitive: for example, a Country field of “US” or “us” will both pass, provided the validated organization information contains either “US” or “us” in its Country field.
  2. Remove any non-validated Subject DN field from the certificate profile (via the PKI Manager administration console).

    For requests using the web services API, error code A30F will be returned.

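The following pre-flight check, added here as an example and not DigiCert's own validation code, models both rules above so a request can be checked before enrollment: an email-formatted Common Name must equal every other email field exactly (error A51C), and each organization or address field present in the Subject DN must match the validated organization record case-insensitively, with Street accepted against either Address 1 or Address 2 (error A30F). The Subject DN keys follow the article's labels; the registered organization record and its key names are constructed sample data.

```python
# Pre-flight check modelling this article's two S/MIME rules (constructed example,
# not DigiCert code). Subject keys use the article's DN labels; the registered
# organization record and its key names are constructed sample data.

# Subject DN fields validated against the organization record (article:
# O, S, L, ST, P, C). Street (ST) may match either Address 1 or Address 2.
ORG_FIELD_TO_RECORD = {
    "O": ("organization_name",),
    "S": ("state_province",),
    "L": ("city",),
    "ST": ("address1", "address2"),
    "P": ("postal_code",),
    "C": ("country",),
}

# Constructed sample of a validated organization record (assumed key names).
REGISTERED_ORG = {
    "organization_name": "Example Corp", "state_province": "California",
    "city": "San Jose", "address1": "1 Main St", "address2": "Suite 200",
    "postal_code": "95110", "country": "US",
}

def looks_like_email(value):
    """Minimal 'email formatted' test; the article only separates email CNs from others."""
    return "@" in value and " " not in value

def check_email_consistency(subject, san_rfc822):
    """Rule 1: an email-formatted CN must equal every other email field exactly."""
    cn = subject.get("CN", "")
    if not looks_like_email(cn):
        return []  # a non-email CN is the article's second remedy for rule 1
    # "E" is the Subject DN Email attribute; san_rfc822 holds SAN rfc822Name entries
    others = ([subject["E"]] if "E" in subject else []) + list(san_rfc822)
    return ["A51C"] if any(other != cn for other in others) else []

def check_org_fields(subject, registered):
    """Rule 2: each org/address field present must match the record, case-insensitively."""
    for field, record_keys in ORG_FIELD_TO_RECORD.items():
        if field not in subject:
            continue  # a field removed from the profile is not validated
        accepted = {registered[k].casefold() for k in record_keys if registered.get(k)}
        if subject[field].casefold() not in accepted:
            return ["A30F"]
    return []

def preflight(subject, san_rfc822, registered=REGISTERED_ORG):
    """Return the article's API error codes a request would trigger, [] if it is clean."""
    return check_email_consistency(subject, san_rfc822) + check_org_fields(subject, registered)
```

Running `preflight` against a request whose CN is `bob@example.com` while its SAN carries `alice@example.com` returns `["A51C"]`, which is the same condition the web services API reports.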

Related Articles

See also: Organization & Email Domain Validation for S/MIME Certs | PKI Platform Changes