Knowledge Base

End of issuance of public S/MIME (Secure Email) certificates from DigiCert® PKI Platform 8 is scheduled for March 14, 2025, by 23:59 GMT/UTC. This includes certificates issued from profiles created from any of the following PKI Platform 8 public S/MIME certificate templates:

• Secure Email
• S/MIME (Digital Signature only)
• S/MIME (Digital Signature only) for Intune
•  S/MIME (Encryption only)
• Secure Email Gateway

To continue issuing DigiCert public S/MIME certificates without interruption, you must transition your certificate issuance to DigiCert® Trust Lifecycle Manager in DigiCert ONE as soon as possible.

Steps for transitioning public S/MIME certificate issuance from PKI Platform 8 to Trust Lifecycle Manager in DigiCert ONE:

1. Ensure that your PKI Platform 8 contact information (Organizational Contact, Technical Contact, etc.) is up-to-date. If you need to update it, start here. 

2. Gather the required information about your PKI Platform 8 issuing CA(s):

• Full name
• Expiration date
• Serial number

3. Gather required information about all active PKI Platform 8 public S/MIME certificate profiles:

• Name of each profile
• Name of CA connected to each profile
• Name of template from which each profile was created:
  • Secure Email
  • S/MIME (Digital Signature only)
  • S/MIME (Digital Signature only) for Intune
  • S/MIME (Encryption only)
  • Secure Email Gateway
• Number of valid certificates currently issued from each profile

4. Set up a test account (if needed), in the region that you specify, in a separate DigiCert ONE transition environment.

5. Set up a DigiCert CertCentral account. (If you already have a CertCentral account, no action is required.)

6. Add the DigiCert CertCentral connector to link your Trust Lifecycle Manager and DigiCert ONE accounts.

7. Submit your Organization Name for public SMIME validation (required to issue a certificate).

8. Create new public S/MIME certificate profiles in DigiCert ONE.

• Intune-specific profiles -
  Are you using public S/MIME certificate profiles configured from the S/MIME (Digital Signature only) for Intune template? 
  
  After DigiCert has migrated your profiles to a new compliant Public S/MIME Issuing CA, you must create new trusted profiles on the Microsoft Intune portal. Follow the steps under the Intune Trusted Certificate profile section in the Intune integration guide to create the trusted profiles for the new Issuing CA chain.
  
  
• Microsoft Autoenrollment profiles -
  Are you using public S/MIME certificate profiles configured with the Microsoft Autoenrollment enrollment method? 
  
  After DigiCert migrates your Microsoft Autoenrollment-enabled profiles to a new compliant Public S/MIME Issuing CA, the “Autoenrollment configuration file” gets updated, and you need to follow the steps below:
  
  
  1. In the PKI manager portal, download the updated "Autoenrollment configuration file". Then, import the configuration file into Autoenrollment Configuration Utility onto the AE Server. 
     
     For more details, see the "DigiCert® PKI Enterprise Gateway - Autoenrollment Server Deployment Guide" knowledge base article - DigiCert PKI Platform Autoenrollment Server deployment guide.
     
     
  2. After all the profiles associated with the old ICA certificate are migrated, delete the old ICA certificate from "Enrollment Services" using the "ADSI Edit" tool. See the screenshot below.
     1. In the PKI manager portal, go to Enrollment Services.
     2. Select the ICA certificate you must delete, then select Action > Delete.