How to create a new Profile in EPKI

Sep 12, 2023


Introduction

This support article will walk you through the step-by-step process of creating a Profile in EPKI.

 

IMPORTANT: To continue issuing SMIME Certificates via EPKI after September 1, 2023, it is required to add a new profile to your account.
Without a new profile in place after September 1, 2023, you will not be able to issue SMIME Certificates.
You can add a new profile to your account and continue to issue SMIME Certificates by performing the following steps:

Step-by-step Guidelines


  1. Log into your GlobalSign Certificate Center (GCC) account.
  2. Go to the Enterprise PKI tab.

  3. Under My Profiles, click the Order Additional Profiles option.

  4. Provide your Organization, Locality, State or Province, Country, and Organization Identifier. Then, click Next to continue.

    A brief explanation of the required fields follows:
     
    • Organization: name of your organization as registered with your registration authority
    • Locality, State or Province, Country: The address where your organization is registered
    • Organization Identifier: Your company/organization's registration number. You can select one of the following options:
       
      1. VAT: A VAT (Value Added Tax) number is the number issued by your federal tax authority that is unique to your organization. Example: GB812441268. It is a registered tax identification number for tax systems that use Value-Added Tax. When you register for VAT in a single country, you receive a VAT number for that country's tax system. A VAT number is not the same as a local number or tax ID; it is exclusively for the Value-Added Tax scheme. A VAT number has between 4 and 15 digits, starting with the two-digit country code.
      2. NTR: An NTR number is a National Trade Registry number. This is a unique number assigned to a Private Organization by the Incorporating Agency (or National Trade Registry) in the organization's jurisdiction. The format is NTR followed by the ISO country code and then the number. Example: NTRBE-0459.134.256 (Belgium); NTRUS+NH-578611 (US+New Hampshire).
      3. LEI: An LEI (Legal Entity Identifier) is a globally unique 20-character code. Format: LEIXG-xxxxxxxxxxxxxxxxxxxxxx (20 digits). The code will start with your country code, or XG for global companies. To check whether your company already has an LEI, or to find out how to apply for one, see https://search.gleif.org/#/search/simpleSearch= Example: LEIXG353800KCIOO2YWF3VP62
      4. GOV: For government entities that do not have a VAT, NTR, or LEI. GlobalSign uses the Registration Scheme identifier ‘GOV’ followed by the 2-character ISO 3166 country code for the nation in which the Government Entity is located. Example: GOVUS, or, for entities verified at a subdivision, GOVUS+CA.
      5. INT: Available for international organizations founded by a constituent document. GlobalSign uses the Registration Scheme identifier ‘INT’ followed by the ISO 3166 code “XG”. Example: INTXG. (Additional checks and approval from GlobalSign are required.)



        Note: Because usage of OrganizationalUnit is restricted to only a legal organization name, Profiles for SMIME cannot provide an Organizational Unit after July 31st 2023. We recommend not using this field when creating new profiles for SMIME Certificates.
  5. Select the option "BR Compliant S/MIME Profile" on the S/MIME check.
    Now, you will notice that the Organization Unit field will be disabled for use, and the Organization Identifier will be mandatory.
    Provide your Organization Identifier Information accordingly and click Next to proceed.

    Note: If you do not select this option, the email domain won't be validated for SMIME use; it will have to be re-validated through "email domain list" using the settings button on the relevant domain.
  6. On the Add Email Domain box, enter your email domain, and then click Next.

  7. Choose your preferred Email Domain Verification method by ticking the corresponding option as listed below. Then, click Next to continue.
     
    • Constructed Domain Email Addresses: From the listed email addresses, choose one that the person authorized for your email domain has access to. If none of the listed options is suitable and you want to provide your own WHOIS address, enter it in the WHOIS address box.
    • HTTP Verification: We will provide the Domain Verification Code, and you will have to place that DVC in a specific location on your website.
    • DNS Verification: We will provide a Domain Verification Code, and you will create a DNS record containing the DVC.

  8. Tick the I Agree to the EPKI Service Agreement box and click Next to proceed. 

  9. You have now completed the ordering process for your Additional Profile.
    Note: The Vetting Team will process your Additional Profile request; you will be notified once your profile has been activated.
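
The Organization Identifier formats listed in step 4 can be checked before a profile request is submitted. The following Python sketch is an added example, not GlobalSign code: the names `parse_org_identifier` and `lei_checksum_ok` are hypothetical, the accepted shape is inferred from the examples on this page, the 4 to 15 length for VAT is read as country code plus number, and the LEI check-digit test is the standard ISO 17442 rule rather than anything GCC is documented to enforce.

```python
import re
from typing import NamedTuple, Optional

# Shape inferred from this page's examples: scheme, 2-letter country code,
# optional "+XX" subdivision, optional "-", then the registration reference.
_PATTERN = re.compile(
    r"^(?P<scheme>VAT|NTR|LEI|GOV|INT)"
    r"(?P<country>[A-Z]{2})"
    r"(?:\+(?P<subdivision>[A-Z]{2}))?"
    r"(?:-?(?P<reference>[A-Za-z0-9][A-Za-z0-9.\- ]*))?$"
)

class OrgIdentifier(NamedTuple):
    scheme: str
    country: str
    subdivision: Optional[str]
    reference: Optional[str]

def lei_checksum_ok(lei: str) -> bool:
    """ISO 17442 check: map letters to 10..35; the number mod 97 must be 1."""
    if not re.fullmatch(r"[A-Z0-9]{18}[0-9]{2}", lei):
        return False
    return int("".join(str(int(c, 36)) for c in lei)) % 97 == 1

def parse_org_identifier(value: str) -> OrgIdentifier:
    """Split an identifier into its parts, raising ValueError on a bad one."""
    m = _PATTERN.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised Organization Identifier: {value!r}")
    oid = OrgIdentifier(**m.groupdict())
    if oid.scheme in ("GOV", "INT"):
        # The page's GOV and INT examples carry no registration number.
        if oid.reference:
            raise ValueError(f"{oid.scheme} takes no registration reference")
        if oid.scheme == "INT" and oid.country != "XG":
            raise ValueError("INT must use the code XG")
    elif not oid.reference:
        raise ValueError(f"{oid.scheme} requires a registration reference")
    if oid.scheme == "LEI" and not lei_checksum_ok(oid.reference):
        raise ValueError("LEI must be 20 characters with valid check digits")
    if oid.scheme == "VAT" and not 4 <= len(oid.country + oid.reference) <= 15:
        raise ValueError("VAT number must be 4 to 15 characters")
    return oid
```

The LEI in this page's example passes the check-digit test, so a single mistyped character in that value is rejected before the request reaches vetting.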

You can also visit this page to understand other important EPKI API updates:
https://support.globalsign.com/enterprise-pki/important-epki-api-updates-2023

For the complete list of Frequently Asked Questions about the S/MIME Baseline Requirements, kindly check: 
https://support.globalsign.com/enterprise-pki/smime-baseline-requirements-epki-faqs 

How to Validate the Email Domain (Only for Profiles Created Before July 31, 2023, where no Email Domain was provided by the user for vetting while creating profiles)

Note: If you are creating profiles after July 31, 2023, then you do not need to perform these listed steps.

We recommend that you perform the following steps after July 31, 2023, for email domain validation to complete the process of making your profile ready for SMIME Certificates:

  1. On your GCC Account, under the Enterprise PKI tab, go to My Profile, then click the Profile Configuration option.

  2. Select your profile and click Next to continue.

  3. On the Profile Configuration window, select BR Compliant S/MIME Profile on the S/MIME box, and then click on Configure on the Email Domains box.
    Note: You will only be able to select BR Compliant S/MIME Profile if your profile does not have an Organization Unit, and there is an Organization Identifier associated with your profile.

  4. After you click the Configure button on the Email Domains box, the Email Domain screen appears. Enter your domain, then tick the “We use S/MIME: The mail domain will have an expiration date of 397 days” option and click Next to proceed.

    Note: If you do not select this option, the email domain won't be validated for SMIME use; it will have to be re-validated through "email domain list" using the settings button on the relevant domain.

  5. Choose your preferred Email Domain Verification method by ticking the corresponding option as listed below. Then, click Next to continue.
     
    • Constructed Domain Email Addresses: From the listed email addresses, choose one that the person authorized for your email domain has access to. If none of the listed options is suitable and you want to provide your own WHOIS address, enter it in the WHOIS address box.
    • HTTP Verification: We will provide the Domain Verification Code, and you will have to place that DVC in a specific location on your website.
    • DNS Verification: We will provide a Domain Verification Code, and you will create a DNS record containing the DVC.

  6. On the Confirm Email Domains window, verify that the information is correct, and then click Next.

  7. You have now completed your request to validate your Email Domain.

     

How to check if your EPKI Profile is S/MIME Capable

  1. To check whether your profile is now S/MIME-capable, go to the Enterprise PKI tab and click Profile Configuration under My Profiles.

  2. Under Profile Configuration, select the profile you want to issue an S/MIME Certificate from.

  3. If IntermediateCA is checked as BR Compliant S/MIME Profile, you are good to use this profile. If the Non-S/MIME Use Cases option is selected, this profile cannot issue an S/MIME Certificate. If you can click on BR Compliant S/MIME Profile, you can also make the profile active for SMIME use, but only if:
     
    1. There is no Organization Unit, the Organization Identifier is populated, and the Email Domain is vetted against your profile. 

 
