Sep 5, 2023
This article covers the S/MIME BRs changes, their impact, and the solutions or alternatives for queries related to EPKI S/MIME Certificate types:
EPKI users must have a compliant profile to issue Certificates. To do that, you should have the Organization Identifier in your EPKI profile, and the control over the email domain must be verified. Thus, we strongly advise you to make a new profile. Please check out this support article: How to Create a New Profile in EPKI and issue any Certificates from that new profile. Client authentication and AATL are the only use cases for which you don't need a new profile and can continue to use your existing EPKI Profile.
The new profiles for S/MIME must not contain any OU and must have domain control. Please take a look at the second part of this article: How to Create a New Profile in EPKI. Once the email domain is added, our vetting team will contact you to get it validated. All Profiles without Organization Identifier won’t be compliant after September 1, 2023.
Please note again: Only S/MIME users are affected; if your Certificate is only used for client authentication or for document signing (AATL), you don’t need a new Profile and you are not impacted.
Please take a look at the table below for a detailed understanding of EPKI S/MIME BR changes for your respective EPKI product:
Description | Enterprise Lite Personal Digital ID | Enterprise Lite Department Digital ID | Enterprise Lite S/MIME |
---|---|---|---|
Product Availability after BRs changes | Yes | Yes | Yes |
Reissuance of certificates after 28th of August 2023, from Profiles created before 28th of August | No | No | No |
Renewal of certificates after 28th of August 2023, from Profiles created before 28th of August | Yes (only for Client Authentication and not S/MIME) | Yes (only for Client Authentication and not S/MIME) | No |
Organization Unit Field on new orders | Not supported | Not supported | Not supported |
Organization Identifier required on new profile certs | Yes [Just like Organization details, Organization Identifier will be fetched from Profiles] | Yes [Just like Organization details, Organization Identifier will be fetched from Profiles] | Yes [Just like Organization details, Organization Identifier will be fetched from Profiles] |
Common Name (CN) Field on new Profile certs | Yes [CN should be personal name, Or Email address] | Yes [CN should be email or Organization Name only – System will not allow any other values] | Yes [Sponsor Validated Object Identifier] |
S/MIME BRs Policy Object Identifier in End Entity certificates | Yes [Sponsor Validated Object Identifier] | Yes [Organization Validated Object Identifier] | Yes [Sponsor Validated Object Identifier] |
New S/MIME ICA, R6 with new Profile certs(except for custom CA customers) | Yes | Yes | Yes |
Addition of Organization Identifier in API Request | Yes | Yes | Yes |
Removal of support for Organization Unit in API request in new Profile certificates | Yes | Yes [if provided, value will be ignored] | Yes |
Addition of SANRFC822, Email Address & Email Field in API request in new Profile certificates | Yes | Yes | Yes |
Increase length of PKCS12 Password to 17 digits and generating the same via auto generation via APIs and User Interface in new Profile certificates | Yes | Yes | Yes |
Validation of mailbox control via email using random value challenge needs to be obtained in 24 hours in new Profile certs | N/A | N/A | N/A |
Functionality to allow existing approved email domains to cover under SMIME BR rules if No OU and Organization Identifier in new Profile. | Yes | Yes | Yes |
We apologize for the inconvenience caused to our customers and thank you for your continued cooperation and understanding.
For more information on changes to the EPKI Profile, please refer to:
For any further queries, kindly contact GlobalSign Support.