How to create a new Profile in EPKI
Feb 20, 2024
Introduction
This support article will walk you through the step-by-step process of creating a Profile in EPKI.
IMPORTANT: To continue issuing SMIME Certificates via EPKI after September 1, 2023, it is required to add a new profile to your account.
Without a new profile in place after September 1, 2023, you will not be able to issue SMIME Certificates.
You can add a new profile to your account and continue to issue SMIME Certificates by performing the following steps:
- Step-by-step Guidelines
- How to Validate the Email Domain
- How to check if your EPKI Profile is S/MIME Capable
Step-by-step Guidelines
- Log into your GlobalSign Certificate Center (GCC) account.
- Go to the Enterprise PKI tab.
- Under My Profiles, click the Order Additional Profiles option.
- Provide your Organization, Locality, State or Province, Country, and Organization Identifier. Then, click Next to continue.
A brief explanation of the required fields follows:
- Organization: The name of your organization as registered with your registration authority.
- Locality, State or Province, Country: The address where your organization is registered.
- Organizational Identifier: An Organization Identifier is a unique identifier assigned to an organization. Usually the identifier is a number given to your organization by the registration authority or tax office when you created your organization, but the Organizational Identifier differs from country to country.
To help you find the Organizational Identifier for your organization, GlobalSign identified 5 potential registration schemes that can be used. For your order of an S/MIME Certificate, please select one of the following options:
(Important: Not all options will be available in all countries)
- VAT scheme: A VAT number, or Value Added Tax number, is the number given to your organization by the Federal Tax Authority of the country where you register. This number needs to be unique for your organization.
Example: GB812441268.
A VAT number is a registered tax identification number for tax systems that use Value-Added Tax.
A VAT number is not the same as a local number or tax ID; it is exclusively for the Value-Added Tax scheme. A VAT number has between 4 and 15 digits, starting with the two-digit country code.
- NTR scheme: A National Trade Registration number (NTR number) is a unique number assigned to a Private Organization by the Incorporating Agency (or National Trade Registry) in the organization's jurisdiction.
This number needs to be unique for your organization at the State or Province level.
The format is NTR, followed by the ISO country code and then the number. Example: NTRBE-0459.134.256 (Belgium).
Alternatively, the format is NTR followed by the ISO country code, then a + and the ISO State/Province code, and then the number. Example: NTRUS+NH-578611 (US+New Hampshire).
- LEI: An LEI number (a Legal Entity Identifier that is unique on a global level) is a 20-character code format: LEIXG-xxxxxxxxxxxxxxxxxxxxxx (20 digits).
Check here if your company already has an LEI or how to apply for an LEI: https://search.gleif.org/#/search/simpleSearch=
Example: LEIXG353800KCIOO2YWF3VP62
- GOV: For government entities that do not have a VAT, NTR, or LEI. GlobalSign uses the Registration Scheme identifier ‘GOV’ followed by the 2-character ISO 3166 country code for the nation in which the Government Entity is located.
Example: GOVUS or, for entities verified at a subdivision, GOVUS+CA
- INT: This scheme is available for international organizations founded by a constituent document. GlobalSign uses the Registration Scheme identifier ‘INT’ followed by the ISO 3166 code “XG”, e.g. INTXG. (Additional checks and approval from GlobalSign are required.)
Note: In consideration of the restricted usage of OrganizationalUnit to only a legal organization name, after July 31st 2023, Profiles for SMIME cannot provide Organizational Unit, and we recommend not using this field while creating new profiles for the purpose of SMIME Certificates.
- Select the option "BR Compliant S/MIME Profile" on the S/MIME check.
Now, you will notice that the Organization Unit field will be disabled for use, and the Organization Identifier will be mandatory.
Provide your Organization Identifier Information accordingly and click Next to proceed.
Note: If you fail to select this option, the email domain won't be validated for SMIME use; it will have to be re-validated through "email domain list" using the settings button for that domain.
- On the Add Email Domain box, enter your email domain, and then click Next.
- Choose your preferred Email Domain Verification method by ticking the corresponding option as listed below. Then, click Next to continue.
- Constructed Domain Email Addresses: Choose the listed email address that the authorized person for your email domain has access to. If none of the listed options match and you want to provide your own WHOIS address, enter it in the WHOIS address box.
- HTTP Verification: We will provide the Domain Verification Code, and you will have to place that DVC in a specific location on your website.
- DNS Verification: We will provide a Domain Verification Code, and you will create a DNS record containing the DVC.
- Tick the I Agree to the EPKI Service Agreement box and click Next to proceed.
- You have now completed the ordering process for your Additional Profile.
Note: The Vetting Team will process your Additional Profile request; you will be notified once your profile has been activated.
You can also visit this page to understand other important EPKI API updates:
https://support.globalsign.com/enterprise-pki/important-epki-api-updates-2023
For the complete list of Frequently Asked Questions about the S/MIME Baseline Requirements, kindly check:
https://support.globalsign.com/enterprise-pki/smime-baseline-requirements-epki-faqs
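The Organization Identifier formats described in the ordering steps above can be checked before a profile order is submitted. The following is an added example, not GlobalSign code: `parse_org_identifier`, `check_all` and the regular expressions are hypothetical, built only from the formats and examples in this article. Country and subdivision codes are shape-checked rather than looked up, and the LEI checksum and national VAT rules are not verified.

```python
import re

# Patterns follow only the formats and examples given in this article.
# Assumption: ISO codes are upper-case and checked for shape, not looked up.
COUNTRY = r"(?P<country>[A-Z]{2})"
SUBDIV = r"(?:\+(?P<subdivision>[A-Z0-9]{1,3}))?"
PATTERNS = {
    # VAT number as shown: country code + number, 4 to 15 characters in total.
    "VAT": re.compile(COUNTRY + r"(?P<reference>[0-9A-Z]{2,13})"),
    # NTR + country [+ subdivision] + "-" + registry number.
    "NTR": re.compile("NTR" + COUNTRY + SUBDIV
                      + r"-(?P<reference>[0-9A-Za-z][0-9A-Za-z.\-]*)"),
    # LEIXG + the 20-character LEI.
    "LEI": re.compile(r"LEI(?P<country>XG)(?P<reference>[0-9A-Z]{20})"),
    # GOV + country [+ subdivision]; there is no number part.
    "GOV": re.compile("GOV" + COUNTRY + SUBDIV),
    # International organizations always use INTXG.
    "INT": re.compile(r"INT(?P<country>XG)"),
}

def parse_org_identifier(scheme, value):
    """Return the parts of an Organization Identifier or raise ValueError."""
    scheme = scheme.upper()
    pattern = PATTERNS.get(scheme)
    if pattern is None:
        raise ValueError(f"unknown registration scheme: {scheme!r}")
    match = pattern.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"{value!r} does not match the {scheme} format")
    parts = {"scheme": scheme, "country": None,
             "subdivision": None, "reference": None}
    parts.update(match.groupdict())
    return parts

def check_all(entries):
    """Map each (scheme, value) pair to None if well formed, else an error."""
    results = {}
    for scheme, value in entries:
        try:
            parse_org_identifier(scheme, value)
            results[(scheme, value)] = None
        except ValueError as exc:
            results[(scheme, value)] = str(exc)
    return results

if __name__ == "__main__":
    # Values from the article, plus one constructed malformed value (GOVUSA).
    samples = [("VAT", "GB812441268"), ("NTR", "NTRUS+NH-578611"),
               ("LEI", "LEIXG353800KCIOO2YWF3VP62"), ("GOV", "GOVUSA")]
    for key, error in check_all(samples).items():
        print(key, error or "ok")
```
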
How to Add and Validate an Email Domain
- On your GCC Account, under the Enterprise PKI tab, go to My Profile, then click the Profile Configuration option.
- Select your profile and click Next to continue.
- On the Profile Configuration window, select BR Compliant S/MIME Profile on the S/MIME box, and then click on Configure on the Email Domains box.
Note: You will only be able to select BR Compliant S/MIME Profile if your profile does not have an Organization Unit, and there is an Organization Identifier associated with your profile.
- After you click the Email Domain Configure button, enter your domain, then tick the “We use S/MIME: The mail domain will have an expiration date of 397 days” option and click Next to proceed.
Note: If you fail to select this option, the email domain won't be validated for SMIME use; it will have to be re-validated through "email domain list" using the settings button for that domain.
- Choose your preferred Email Domain Verification method by ticking the corresponding option as listed below. Then, click Next to continue.
- Constructed Domain Email Addresses: Choose the listed email address that the authorized person for your email domain has access to. If none of the listed options match and you want to provide your own WHOIS address, enter it in the WHOIS address box.
- HTTP Verification: We will provide the Domain Verification Code, and you will have to place that DVC in a specific location on your website.
- DNS Verification: We will provide a Domain Verification Code, and you will create a DNS record containing the DVC.
- On the Confirm Email Domains window, verify if the information is correct, and then click Next.
- You have now completed your request to validate your Email Domain.
How to check if your EPKI Profile is S/MIME Capable
- To know if your profile is now S/MIME-capable or not, you can go to the Enterprise PKI tab and click Profile Configuration under My Profiles.
- Under Profile Configuration, select the profile you want to issue an S/MIME Certificate from:
- If IntermediateCA is checked as BR Compliant S/MIME Profile, you are good to use this profile. If the Non-S/MIME Use Cases option is selected, this profile cannot issue an S/MIME Certificate. If you can click on BR Compliant S/MIME Profile, you can also make the profile active for SMIME use, but only if:
- There is no Organization Unit, the Organization Identifier is populated, and the Email Domain is vetted against your profile.