Alert ID : GN230419005812

Last Modified : 01/22/2021

Organization & Email Domain Validation for S/MIME Certs - PKI Manager Changes

Description

What is happening?

The CA/Browser Forum is in the process of implementing a new, industry-wide requirement in relation to the issuance of S/MIME certificates.  

If you have S/MIME certificates, over the last two weeks of April, we will email the contact within your company listed as the Domain Administrator for each S/MIME domain in your account and ask them to take action to prove control over the domain. We refer to this process as the Domain Control Validation (DCV) process. We support various methods of validation - Email Validation, File Auth, or DNS TXT.  

As part of the S/MIME migration, we are creating and loading a new DigiCert Shared CA for S/MIME issuance, and will begin to roll out customer Issuing CAs that chain up to a publicly trusted DigiCert Root CA, which will be loaded into customer accounts once the DCV feature is deployed. 

This article captures the changes made to the DigiCert PKI platform (previously MPKI 8), specifically to the PKI Manager administration console, where account administrators can view the status of pre-validated domains and request that new domains be validated in the account. Note that once this new process is implemented, S/MIME certificates chaining up to a publicly trusted DigiCert CA can NOT be issued from an account unless their email domains have first been validated by DigiCert.

When will this change take place?

The new Organization and Email Domain validation service will be launched on May 29th, 2019.

How does this affect you?

Customer email domains will be automatically validated and added to an account prior to launching the new Organization and Email Domain Validation service for S/MIME, provided the validation checks succeed.

Once the new validation service is deployed, you will no longer be able to issue S/MIME certificates for email domains that have NOT been previously validated by DigiCert. You can request domains to be validated/added to your account via the PKI Manager portal - see details below.

What is the process to validate an Organization?

DigiCert will attempt to confirm the registration of the organization with the appropriate authority that oversees the legal registration of organizations.

The enrolling organization is validated by querying a government registration authority's records for the organization name listed in the application. It may also be validated by requesting official company documentation, such as a business license, Articles of Incorporation, Sales & Use License, or other relevant documents. The organization requesting a certificate must be an active entity, confirmed by the government authority responsible for registering businesses within the specific jurisdiction (locality, state, country) referenced in the certificate request.

An exact match between the enrolled organization name and organization name in the certificate is required. DigiCert cannot accept any misspellings, unregistered acronyms, or abbreviations in the Organization name.

DigiCert has access to an extensive number of global Qualified Government Independent Sources (QGIS). In most cases, DigiCert can find a Registration Record document on file in one of the many government or private databases that DigiCert has access to.

What is the process to validate an Email Domain?

DigiCert will validate your email domain through a process called Domain Control Validation (DCV). The aim of our domain validation process is to ensure that the individual requesting a certificate does, in fact, have authority to request a certificate for the domain in question. In this procedure, DigiCert sends an authorization email with authentication instructions to the registered owners of the domain(s) listed publicly on a WHOIS record.

We can send the email to five constructed addresses at the domain (admin@, administrator@, webmaster@, hostmaster@, and postmaster@). In cases where a domain is controlled by a party other than the party requesting a certificate, simple methods are in place to quickly obtain approval to issue a certificate from the actual domain owner. DigiCert also offers alternative methods: the customer can demonstrate control by publishing a DigiCert-provided file on the domain's website (File Auth), or can add a DNS TXT record containing a DigiCert-provided code. For more information see: https://www.digicert.com/certcentral-support/pending-order-dcv-methods.htm

If your email domain is showing as PENDING after 30 days in the PKI Manager admin portal, please contact DigiCert Support and/or your DigiCert Client Manager representative.
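Before escalating a PENDING domain, it is worth confirming that the DCV record you published is actually what a resolver sees. The following is an added example (not DigiCert's code, and not tied to any specific DigiCert token format): it lists the five constructed DCV mailboxes for a domain and checks whether a TXT record at the domain equals the CA-provided token, distinguishing "token present", "name exists but no matching record", and "name does not exist". The resolver is injected so the example runs offline; the zone data and token values are constructed, and the assumption that the token is published at the domain apex and compared exactly is not stated on the page.

```python
"""Added example, not DigiCert's code: pre-checking a DNS TXT domain-control
validation (DCV) record before asking the CA to re-check it.

Assumptions not stated on the page: the token is an opaque string compared
exactly, it is published as a TXT record at the email domain's apex, and the
zone data and token below are constructed for this example.
"""
from typing import Callable, Dict, Iterable, List

# The five constructed mailboxes the page lists for email-based DCV.
DCV_MAILBOXES = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")


def normalize_domain(domain: str) -> str:
    """Lower-case, strip whitespace and any trailing dot (DNS names are case-insensitive)."""
    return domain.strip().rstrip(".").lower()


def constructed_dcv_addresses(domain: str) -> List[str]:
    """Mailboxes at the domain that can receive the DCV approval email."""
    d = normalize_domain(domain)
    return [f"{box}@{d}" for box in DCV_MAILBOXES]


def check_dns_txt_dcv(domain: str, token: str,
                      resolve_txt: Callable[[str], Iterable[str]]) -> str:
    """Return 'approved' if a TXT record at the domain equals the token,
    'missing' if the name resolves but no record matches, or 'nxdomain'
    if the name does not exist at all.

    resolve_txt(name) yields the TXT strings for a name and raises
    LookupError for a non-existent name; in production inject a resolver
    that wraps a real DNS library.
    """
    name = normalize_domain(domain)
    try:
        records = list(resolve_txt(name))
    except LookupError:
        return "nxdomain"
    for rec in records:
        # Some tools return TXT data with the surrounding quotes; strip them.
        if rec.strip().strip('"') == token:
            return "approved"
    return "missing"


# Constructed zone data for the example (not real DNS).
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "example.com": ['"v=spf1 -all"', "dcv-token-constructed-2f7a"],
    "example.net": ['"v=spf1 -all"'],
    # Token published at the wrong name (www. instead of apex): a common DCV mistake.
    "www.example.net": ["dcv-token-constructed-9c1b"],
}


def constructed_resolver(name: str) -> List[str]:
    """Offline stand-in for a DNS TXT lookup over CONSTRUCTED_ZONE."""
    try:
        return CONSTRUCTED_ZONE[name]
    except KeyError:
        raise LookupError(name)


if __name__ == "__main__":
    print(constructed_dcv_addresses("Example.COM."))
    print(check_dns_txt_dcv("example.com", "dcv-token-constructed-2f7a", constructed_resolver))
    print(check_dns_txt_dcv("example.net", "dcv-token-constructed-9c1b", constructed_resolver))
    print(check_dns_txt_dcv("example.org", "dcv-token-constructed-0000", constructed_resolver))
```

The second lookup returns "missing" rather than "nxdomain" because the apex exists but the token was published under www., which is the kind of mistake that leaves a domain PENDING until it is fixed.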

How long is the approval of an Organization & Email Domain valid for? 

Successful validations do not expire, so there is no need to re-validate.

What if I have multiple accounts?

Validations are per account. For every account you own, you must ensure that all required email domains have been added and approved in that account.

What if I am issuing S/MIME certificates using email domains I do not own?

DigiCert's Authentication Team will not approve the domain, so you will not be able to issue S/MIME certificates containing it. Only domains that have been successfully validated by DigiCert are approved (white-listed) and can be used to issue S/MIME certificates containing that domain.

What Certificate Templates does this new validation service apply to?

The following four Certificate Templates are impacted by this change:

What Enrollment Flows are impacted by the new validation service?

The following enrollment flows are impacted by the new validation service:

  • OS/Browser
  • PKI Client
  • CSV Bulk Upload
  • Web Services

How do I request an Email Domain to be validated?


On the 29th of May 2019, a new release of the MPKI service (v8.17.10) will include a new feature for Administrators to request, via the PKI Manager portal, that new email domains be validated by DigiCert. Before that, DigiCert will automatically submit all customer email domains for pre-validation during April and early May; you will receive an email with instructions on how to prove ownership of each email domain.

Note: the steps below for requesting new email domain validations can only be followed once the next release of the MPKI service goes live on the 29th of May.

1. Access PKI Manager

2. Click on Tasks icon and select Manage Domains  

3. Click on the Add Domain link on the top menu

4. Enter a domain name that you haven't validated before (duplicate domains will error as appropriate) 

5. Click Save. If successful, the new domain will be added to the list of domains shown in the left pane with a PENDING status.

 

6. Once the DigiCert Validation team completes their validation process, the status of the domain will update to APPROVED, and S/MIME certificates for that email domain can be issued.

Note: domains in either PENDING or APPROVED status can be deleted by a PKI Administrator by clicking on the domain to be deleted and then clicking the Delete Domain link. You will be asked to confirm deletion of the domain before it proceeds.

Are there any new Audit Trails that can be used to manage domains?

Yes. You can view the audit trails for both "Domain added" and "Domain deleted", by clicking on Tasks icon → View audit trails, and selecting the appropriate action under the Action search filter:

Are there any changes to enrollment process?

Yes. During enrollment/creation of a single user, or bulk enrollment by a PKI Administrator, the status of both the organization and the email domain is checked. An error is displayed if either the organization or the domain has not been approved by DigiCert, whether enrolling an individual Seat ID or enrolling in bulk via the CSV upload process.

Single Seat ID enrollment - errors shown when either Organization or Email Domain have not been authenticated:

  1.  Organization checks performed whilst Admin enrolls a User:

 

2.  Email domain checks performed whilst Admin enrolls a User:

 

Bulk enrollment - CSV file showing errors caused by Organization and Email Domain not authenticated:

 

Are there any changes to certificate pick up after enrollment?

Yes. If a user tries to install a certificate whose email address uses an unauthenticated domain, or whose organization is not authenticated, the user will get an error.

 

New error codes

The following are new error codes added to the system to track errors related to organization and email domain authentication process.

  Failure Code    Failure Message
  A51C            Multiple email addresses not allowed in SMIME certificates. Correct the request and retry the operation.
  A30C            Organization not authenticated. Please make sure the organization name matches the account organization and is approved.
  A30D            Domain not authenticated. Please make sure the domain exists in your account and it is approved.
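To make the enrollment-time checks concrete, the following is an added example (not DigiCert's code) that applies the organization and email-domain checks described under "Are there any changes to enrollment process?" to a single seat and to a bulk-enrollment CSV, returning the three failure codes from the table above. The CSV column names, the separators accepted in a multi-address field, and the rule that a domain must match an APPROVED domain exactly (a subdomain of an approved domain is rejected) are assumptions not stated on the page; the account and CSV rows are constructed sample input.

```python
"""Added example, not DigiCert's code: the organization and email-domain
checks the page says run at single-seat and CSV bulk enrollment, returning
the failure codes from the table above.

Assumptions not stated on the page: the CSV column names ("organization",
"email"), the separators accepted in a multi-address field (comma or
semicolon), and that a domain must match an APPROVED domain exactly (a
subdomain of an approved domain is treated as not approved).
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

FAILURES: Dict[str, str] = {
    "A51C": "Multiple email addresses not allowed in SMIME certificates. "
            "Correct the request and retry the operation.",
    "A30C": "Organization not authenticated. Please make sure the organization "
            "name matches the account organization and is approved.",
    "A30D": "Domain not authenticated. Please make sure the domain exists in "
            "your account and it is approved.",
}


@dataclass(frozen=True)
class Account:
    organization: str                 # validated organization name (exact match required)
    approved_domains: FrozenSet[str]  # domains in APPROVED status under Manage Domains


def split_emails(field: str) -> List[str]:
    """Split a possibly multi-address field; constructed rule: comma or semicolon."""
    return [e.strip() for e in field.replace(";", ",").split(",") if e.strip()]


def email_domain(email: str) -> str:
    """Domain part of an address, normalized; empty string if there is no '@'."""
    _local, sep, domain = email.rpartition("@")
    return domain.strip().rstrip(".").lower() if sep else ""


def check_enrollment(account: Account, organization: str, email_field: str) -> List[str]:
    """Return the failure codes for one seat, in check order; an empty list means OK."""
    codes: List[str] = []
    emails = split_emails(email_field)
    if len(emails) > 1:
        codes.append("A51C")
    # Exact match: misspellings, abbreviations and unregistered acronyms are rejected.
    if organization.strip() != account.organization:
        codes.append("A30C")
    # Every address must use an approved domain (assumption: exact match, no subdomains).
    if not emails or any(email_domain(e) not in account.approved_domains for e in emails):
        codes.append("A30D")
    return codes


def check_bulk_csv(account: Account, csv_text: str) -> List[Tuple[int, str, List[str]]]:
    """Run the same checks over a bulk-enrollment CSV; returns (row, email, codes) for failing rows."""
    failures: List[Tuple[int, str, List[str]]] = []
    # Row 1 is the header, so the first data row is reported as row 2.
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        codes = check_enrollment(account, row["organization"], row["email"])
        if codes:
            failures.append((row_no, row["email"], codes))
    return failures


# Constructed sample input (not real account data).
ACCOUNT = Account("Example Corp", frozenset({"example.com", "corp.example"}))
BULK_CSV = """organization,email
Example Corp,alice@example.com
Example Corp,bob@example.com;bob@corp.example
Example Corp.,carol@example.com
Example Corp,dave@mail.example.com
"""

if __name__ == "__main__":
    for row_no, email, codes in check_bulk_csv(ACCOUNT, BULK_CSV):
        print(row_no, email, [f"{c}: {FAILURES[c]}" for c in codes])
```

Row 4 fails with A30C only because of the trailing period in "Example Corp.", and row 5 fails with A30D because mail.example.com is not itself an APPROVED domain even though example.com is; both are the kinds of mismatch that the exact-match rule above is meant to catch.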

Who to contact in case of further queries?

If you have any questions or concerns, contact your DigiCert Platinum Client Manager or call 1-800-579-2848.