EPKI S/MIME Products BR changes, and Impacts

Sep 5, 2023

Overview

This article covers the S/MIME Baseline Requirements (BR) changes, their impact, and the solutions or alternatives for questions about each EPKI S/MIME Certificate type.

EPKI users must have a compliant profile to issue Certificates. To be compliant, your EPKI profile must contain the Organization Identifier, and control over the email domain must be verified. We therefore strongly advise you to create a new profile (see the support article "How to Create a New Profile in EPKI") and to issue any Certificates from that new profile. Client authentication and AATL are the only use cases for which you don't need a new profile and can continue to use your existing EPKI Profile.

The new profiles for S/MIME must not contain any OU and must have domain control. Please take a look at the second part of this article: How to Create a New Profile in EPKI. Once the email domain is added, our vetting team will contact you to get it validated. All profiles without Organization Identifier won’t be compliant after September 1, 2023.

Please note again: Only S/MIME users are affected; if your Certificate is only used for client authentication or for document signing (AATL), you don’t need a new Profile and you are not impacted.

Please take a look at the table below for a detailed understanding of EPKI S/MIME BR changes for your respective EPKI product:


BRs Impacts on EPKI products

| Description | Enterprise Lite Personal Digital ID | Enterprise Lite Department Digital ID | Enterprise Lite S/MIME |
|---|---|---|---|
| Product availability after BR changes | Yes | Yes | Yes |
| Reissuance of certificates after 28th of August 2023, from Profiles created before 28th of August | No | No | No |
| Renewal of certificates after 28th of August 2023, from Profiles created before 28th of August | Yes (only for Client Authentication and not S/MIME) | Yes (only for Client Authentication and not S/MIME) | No |
| Organization Unit field on new orders | Not supported | Not supported | Not supported |
| Organization Identifier required on new Profile certs | Yes [Just like Organization details, Organization Identifier will be fetched from Profiles] | Yes [Just like Organization details, Organization Identifier will be fetched from Profiles] | Yes [Just like Organization details, Organization Identifier will be fetched from Profiles] |
| Common Name (CN) field on new Profile certs | Yes [CN should be personal name or email address] | Yes [CN should be email or Organization Name only – system will not allow any other values] | Yes [Sponsor Validated Object Identifier] |
| S/MIME BRs Policy Object Identifier in End Entity certificates | Yes [Sponsor Validated Object Identifier] | Yes [Organization Validated Object Identifier] | Yes [Sponsor Validated Object Identifier] |
| New S/MIME ICA, R6, with new Profile certs (except for custom CA customers) | Yes | Yes | Yes |
| Addition of Organization Identifier in API request | Yes | Yes | Yes |
| Removal of support for Organization Unit in API request in new Profile certificates | Yes | Yes [if provided, value will be ignored] | Yes |
| Addition of SANRFC822, Email Address & Email field in API request in new Profile certificates | Yes | Yes | Yes |
| PKCS12 password length increased to 17 digits, auto-generated via APIs and User Interface, in new Profile certificates | Yes | Yes | Yes |
| Validation of mailbox control via email using random value challenge, which needs to be obtained in 24 hours, in new Profile certs | N/A | N/A | N/A |
| Functionality to allow existing approved email domains to be covered under S/MIME BR rules if there is no OU and an Organization Identifier in the new Profile | Yes | Yes | Yes |

We apologize for the inconvenience caused to our customers and thank you for your continued cooperation and understanding.

For more information on changes to the EPKI Profile, please refer to:

For any further queries, kindly contact GlobalSign Support.
