New CA/Browser Forum Compliant Public S/MIME Certificates in SCM
Updated on August 12, 2023
How to Issue the New CA/Browser Forum Compliant Public S/MIME Certificates in SCM After Aug 19, 2023
1 Introduction
SCM 23.8, to be released on Aug 19, 2023, delivers new features and enhancements to existing
functionality, including two new S/MIME certificate templates, in accordance with the CA/B Forum S/MIME requirements.
Existing client certificate profiles used to issue publicly trusted S/MIME certificates will no longer be
available after August 28th, 2023, at 9:00 UTC. Renewal of any existing S/MIME certificate with old
profiles is allowed only up until that time.
To continue issuing publicly trusted S/MIME certificates, customers must create new certificate profiles
based on two new certificate templates (described below) that will be available after SCM 23.8 is deployed.
NOTE: Once the new S/MIME profiles are created in the certificate profile section of SCM, you must
replace the profiles in the enrollment endpoints.
2 SCM New S/MIME Certificate Templates
Public Organization-Validated Multipurpose S/MIME certificate
- This template requires the organization to be revalidated as described below.
- It also requires all domains included in email addresses to be domain validated (DCV).
- You will be able to configure in the profile whether the certificate's subject contains a commonName (CN) or emailAddress (E) attribute.
  - The CN, if included, will be identical to the organizationName (O) attribute.
  - The emailAddress (E), if included, will be the primary email address of the person.
- All email addresses will be included in the subject alternative name (SAN).
- The key usage will allow signing and encryption.
- The extended key usage will allow client authentication and email protection.
Public Sponsor-Validated Multipurpose S/MIME certificate
- This template requires the organization to be revalidated as described below.
- It also requires all domains included in email addresses to be domain validated (DCV).
- It requires that persons being issued certificates are identity validated; do this by setting the person's validation type as High.
- You will be able to configure in the profile whether the certificate's subject contains a commonName (CN) or emailAddress (E) attribute.
  - The CN, if included, will be the concatenation of the person's First Name and Last Name fields. The person's Common Name field will not be used.
  - The emailAddress (E), if included, will be the primary email address of the person.
- All email addresses will be included in the subject alternative name (SAN).
- The key usage will allow signing and encryption.
- The extended key usage will allow client authentication and email protection.
NOTE: There is no replacement operation for these new client certificates.
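A way to spot-check an issued certificate against the Organization-Validated template properties listed above (added example, not Sectigo code; it assumes the third-party Python `cryptography` package). The names `check_org_validated` and `sample_cert` are hypothetical, the certificates are constructed self-signed samples, and the mapping of "signing and encryption" to specific key usage bits is an assumption. For the Sponsor-Validated template, only the CN rule would differ.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

def check_org_validated(cert):
    """Return deviations from the Organization-Validated template (empty = OK)."""
    def attr(oid):
        return next((a.value for a in cert.subject.get_attributes_for_oid(oid)), None)
    def ext(cls):
        try:
            return cert.extensions.get_extension_for_class(cls).value
        except x509.ExtensionNotFound:
            return None
    problems = []
    cn, email = attr(NameOID.COMMON_NAME), attr(NameOID.EMAIL_ADDRESS)
    if cn is not None and cn != attr(NameOID.ORGANIZATION_NAME):
        problems.append("CN is not identical to O")
    san = ext(x509.SubjectAlternativeName)
    san_emails = san.get_values_for_type(x509.RFC822Name) if san is not None else []
    if not san_emails or (email is not None and email not in san_emails):
        problems.append("SAN is missing email addresses")
    ku = ext(x509.KeyUsage)
    # Assumption: signing = digitalSignature; encryption = keyEncipherment (RSA) or keyAgreement (EC).
    if ku is None or not (ku.digital_signature and (ku.key_encipherment or ku.key_agreement)):
        problems.append("key usage does not allow signing and encryption")
    eku = list(ext(x509.ExtendedKeyUsage) or [])
    for label, oid in (("client authentication", EKU.CLIENT_AUTH), ("email protection", EKU.EMAIL_PROTECTION)):
        if oid not in eku:
            problems.append("EKU lacks " + label)
    return problems

def sample_cert(cn, org, emails, ekus):
    """Build a throwaway self-signed certificate (constructed input, EC key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.EMAIL_ADDRESS, emails[0])])
    off = dict.fromkeys(("content_commitment", "key_encipherment", "data_encipherment",
                         "key_cert_sign", "crl_sign", "encipher_only", "decipher_only"), False)
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(e) for e in emails]), False)
            .add_extension(x509.KeyUsage(digital_signature=True, key_agreement=True, **off), True)
            .add_extension(x509.ExtendedKeyUsage(ekus), False)
            .sign(key, hashes.SHA256()))
```

To check a real certificate, load it with `x509.load_pem_x509_certificate(pem_bytes)` and pass the result to `check_org_validated`.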
3 Organization Validation
Existing organization validations are not sufficient under the validation rules of the new S/MIME
Requirements. After deployment of SCM 23.8, organizations must be revalidated manually before the new
client certificate profiles can be used.
SCM will require validation to be completed before new S/MIME certificates can be requested.
The badge on organization validation cards will now show “ID” if the current validation is also
compliant with the S/MIME Requirements. Otherwise, the badge shows “Anchor”, which implies that the
organization has not been re-validated yet and is only appropriate for public OV SSL issuance.
Existing validations will continue to work for OV SSL certificates until they would normally expire.
Background Re-validation
Background re-validations of organizations that are not completed at the time of the SCM 23.8 release
will be terminated and will need to be initiated manually.
The following will be added in 23.8:
- The ability for MRAO Administrators to reset organization validation, which allows canceling a pending validation or revoking a valid one.
- A badge on the organization validation card that shows renewal details (status and order number) when background validation is started.
4 New Certificate Profile Creation
- Log in to SCM.
- Go to Dashboard >> Enrollment >> Certificate Profile.
- Click “+” to add a new profile based on the S/MIME Global Templates.
- Enter values for:
  - Name
  - Certificate type >> Client Certificate
  - CA backend >> Sectigo Public CA
  - Client Profile Certificate Template
- Click >> Next to configure details for the certificate.
- Click >> Save to exit.
- A new profile for the S/MIME certificate template is now created, which can be used with the enrollment form for certificate issuance.
5 Replacing Certificate Profiles in Enrollment Endpoint
No change in current steps.
6 Issuing a new S/MIME Certificate
No change in current steps.