DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

Organization & Email Domain Validation for S/MIME Certs | PKI Platform Changes

Solution ID : GN230419005812
Last Modified : 10/21/2023

Description

What happened?

The CA/Browser Forum implemented a new, industry-wide requirement in relation to the issuance of S/MIME certificates.  

As a result, DigiCert will email the contact within your company listed as the Domain Administrator for each S/MIME domain in your account and ask them to take action to prove control over the domain. We refer to this process as the Domain Control Validation (DCV) process. We support various domain approval methods - Email Validation, File Auth, or DNS TXT.  

As part of the S/MIME migration, we created and loaded a new DigiCert Shared CA for S/MIME issuance, and began to roll out customer Issuing CAs that chain up to a publicly trusted DigiCert Root CA, which will be loaded into customer accounts once the DCV feature is deployed. 

This article captures the changes carried out to the DigiCert PKI platform (previously MPKI 8), specifically to the PKI Manager administration console, where account administrators can view the status of pre-validated domains, as well as request new domains to be validated in the account. 

Note: After this new process is implemented, S/MIME certificates chaining up to a publicly trusted DigiCert CA, can NOT be issued from an account unless their email domains have been previously validated by DigiCert.

When did this change take place?

The new Organization and Email Domain validation service was launched on May 29th, 2019.

How does this affect you?

Customer email domains will be automatically validated and added to an account provided the validation checks succeed.

Once the new validation service is deployed, you will no longer be able to issue S/MIME certificates for email domains that have NOT been previously validated by DigiCert. 

You can request domains to be validated/added to your account via the PKI Manager portal - see details below.

What is the process to validate an Organization?

DigiCert will attempt to confirm the registration of the organization with the appropriate authority that oversees the legal registration of organizations.

The enrolling organization is validated by the querying of registration records for the organization name listed in the application with a government registration authority. It is also validated by requesting official company documentation, such as business license, Articles of Incorporation, Sales & Use License, or other relevant documents. The Organization requesting a certificate must be an active entity, confirmed by the government authority responsible for registering businesses within the specific jurisdiction (locality, state, country) referenced in the certificate request.

An exact match between the registered organization name and organization name in the certificate is required. DigiCert cannot accept any misspellings, unregistered acronyms, or abbreviations in the Organization name field.

DigiCert has access to an extensive number of global Qualified Government Information Sources (QGIS). In most cases, DigiCert can find a Registration Record document on file in one of the many government or private databases that DigiCert has access to.

What is the process to validate an Email Domain?

DigiCert will validate your email domain through a process called Domain Control Validation (DCV). 

The aim of our domain validation process is to ensure that the individual requesting a certificate does, in fact, have authority to request a certificate for the domain in question. 

In this procedure, DigiCert sends an authorization email with authentication instructions to the registered owners of the domain(s) listed publicly on a WHOIS record.

We can send the email to five addresses associated with the domain (e.g. admin@, administrator@, webmaster@, hostmaster@, and postmaster@.) 

In cases where a domain is controlled by a party other than the party requesting a certificate, simple methods are in place to quickly complete the process of getting approval to issue a certificate from the actual domain owner. 

DigiCert also offers alternative options to create a website via a practical demonstration, or the customer can edit their DNS TXT records to include a DigiCert-provided code.  

For more information see article: Demonstrate control over domains on a pending certificate order

If your email domain is showing as PENDING after 30 days in the PKI Manager admin portal, please contact DigiCert PKI Support and/or your DigiCert Client Manager representative.

How long is the approval of an Organization & Email Domain valid for? 

When the Domains were approved an expiration date was assigned to them. You must look in the “Manage Domains” tab in the PKI 8 admin portal to verify your expiration date and re-validate the domain before it expires.

  1. Access PKI Manager
  2. Click on Tasks icon and select Manage Domains
  3. Verify the date under the “approved”, this is when the domain will expire.

What if I have multiple accounts?

For every account you own, you will have to ensure that all required email domains have been added and approved. 

Each account is validated INDEPENDENTLY in order to comply with industry standards.

What if I am issuing S/MIME certificates using email domains I do not own?

DigiCert's Authentication Team will not approve the domain and therefore, you will not be able to issue S/MIME certificates containing this domain. Only domains that have been successfully validated by DigiCert will be approved/white-listed, and can be used to issue S/MIME certificates containing such domain.

What Certificate Templates does this new validation service apply to?

The following four Certificate Templates are impacted by this change:

What Enrollment Flows are impacted by the new validation service?

  • OS/Browser
  • PKI Client
  • CSV Bulk Upload
  • Web Services

How do I request an Email Domain to be validated?

Administrators can request for new email domains to be validated, via the PKI Manager portal.

DigiCert will automatically send all customer email domains for pre-validation, meaning you will receive an email with instructions on how to prove ownership of the email domain.

Steps to Request New Email Domain Validation

  1. Access PKI Manager
  2. Click on Tasks icon and select Manage Domains 
  3. Click on the Add Domain link on the top menu
  4. Enter a domain name that you haven't validated before (duplicate domains will error as appropriate) 
  5. Click SaveIf successful, a new domain would be added to the list of domains shown on the left pane with a PENDING status.
  6. Once the DigiCert Validation team complete their validation process, the status of the domain will update to APPROVED status, and S/MIME certificates matching such email domain can be issued against it.
Note: domains in either PENDING or APPROVED status can be deleted by a PKI Administrator by simply clicking on the domain to be deleted, and clicking on the Delete Domain link. You will be asked to confirm deletion of the domain before proceeding with the deletion

Are there any new Audit Trails that can be used to manage domains?

Yes. You can view the audit trails for both "Domain added" and "Domain deleted", by clicking on Tasks icon → View audit trails, and selecting the appropriate action under the Action search filter:

Are there any changes to enrollment process?

Yes. During enrollment/creation of a single user or bulk enrollment by a PKI Administrator, the status of both the organization and the email domain will be checked.

When enrolling for an individual Seat ID, or in bulk via the CSV upload process, An error will be displayed if either organization or domain have not been approved by DigiCert.

 

Single Seat ID enrollment | Errors shown when either Organization or Email Domain have not been authenticated:

  1. Organization checks performed whilst Admin enrolls a User:
  2. Email domain checks performed whilst Admin enrolls a User:

Are there any changes to certificate pick up after enrollment?

Yes , if user is trying to install certificate having email address with unauthenticated domain or if organization used is not authenticated user will get error.

New error codes

The following are new error codes added to the system to track errors related to organization and email domain authentication process.

  Failure Code Failure Message
1 A51C Multiple email addresses not allowed in SMIME certificates. Correct the request and retry the operation.
2 A30C Organization not authenticated. Please make sure the organization name matches the account organization and is approved.
3 A30D Domain not authenticated. Please make sure the domain exists in your account and it is approved.

Who to contact in case of further queries?

If you have any questions or concerns, contact your DigiCert Platinum Client Manager or PKI Support.