Want to Do More Than Secure Emails? You Can With Our New S/MIME Certificates
2 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 5 (2 votes, average: 5.00 out of 5, rated)

Want to Do More Than Secure Emails? You Can With Our New S/MIME Certificates

New security requirements for publicly trusted email security certificates are now in effect. Here’s an overview of TheSSLstore.com’s new S/MIME products that are compliant with the industry’s latest requirements.

Starting Sept. 1, 2023, industry changes officially rolled out regarding how publicly trusted email security certificates would be issued and managed. The goal? To improve email security and authenticity while not breaking existing deployments.

Historically, the industry lacked standardized requirements regarding certificate subject validation. The new S/MIME standards, released on Jan. 1 and covered previously in another article, aim to set specific parameters that certificate issuers must adhere to regarding the issuance of publicly trusted email security certificates. The CA/B Forum, the industry’s standards body, has since released an updated version of its S/MIME Baseline Requirements (version 1.0.1).

Now, here we are nine months later after these new requirements have kicked into effect. So, what do these changes look like in terms of our new S/MIME certificate product offerings and their validation requirements?

Let’s hash it out.

Important: Changes Impact Certificates Issued After Aug. 29, 2023

It’s important to note that these changes don’t affect S/MIME certificates issued before Aug. 29, 2023. Any certificates issued after that date are subject to the new industry requirements.

TL;DR: An Overview of the New S/MIME Products

The new email security certificates are a mix when it comes to their validations and capabilities. Some allow you to digitally sign and protect the confidentiality of your messages (using encryption and decryption) while others provide additional functionalities. 

A basicl illustration that demonstrates how email encryption and decryption work using an S/MIME certificate.
Image caption: A basic illustration that shows how email encryption and decryption work by having the sender use the recipient’s public key to encrypt the message, and the recipient uses their private key to decrypt it.

Different certificate authorities (CAs) are approaching the rollout of the new standards in different ways. For example:

  • Sectigo offers three types of S/MIME certificates (called Personal Authentication Certificates),
  • DigiCert offers two types of S/MIME certificates.

Here’s a quick overview of the three types of S/MIME certificates we offer — all of which are valid for a maximum of two years (825 days):

 Strict Mailbox-Validated S/MIME CertificateMultipurpose Mailbox-Validated S/MIME CertificateMultipurpose Organization-Validated S/MIME Certificate
What It DoesDigitally signs and secures emails (encrypt and decrypt) for an individual employee’s account.Gives individual employees the ability to do more than “just” digitally sign, encrypt, and decrypt emails. (Also provides document signing and client authentication capabilities.)  Displays your company name and does more than “just” sign, encrypt, and decrypt emails. (Also provides document signing and client authentication capabilities.)  
Validation TypeEmail VerificationEmail VerificationEmail + Organization Verification
Issued To/DisplaysEmail Address (name@company.com)Email Address (name@company.com)Email Address & Organization (name@company.com and Company Name)
Works for Shared Email Providers (@gmail.com, yahoo.com, etc.)?YesYesNo
S/MIME Certificate Providers We Partner WithSectigo
Sectigo  Sectigo

Strict, multipurpose, mailbox validated, organization validated — what do these terms mean? In a nutshell, our three types of certificate offerings fall within two overarching categories. Let’s break it all down.

Mailbox-Validated S/MIME Certificates

Mailbox validation refers to the use of an individual’s email address (e.g., example@randomemaildomain.com) for validating that the certificate Subject is in control of that mailbox. This type of S/MIME certificate can be used for:

  • Individuals who aren’t associated with a company, or
  • Individuals who work for an organization.

But this approach isn’t one size fits all; there are two categories of certificates that fall within this classification, which vary based on the certificates’ functionalities:

Option #1: A Strict Mailbox Validated S/MIME Certificate

The Strict Mailbox Validated S/MIME Certificate is the most basic type of email validation and is used to secure an individual mailbox. To complete validation for this type of certificate, the certificate issuer must verify that the email address is controlled by the certificate Subject (i.e., the person it’s issued to).

It’s useful for digitally signing, encrypting, and decrypting messages. (NOTE: To exchange encrypted messages, both the sender and receiver must use S/MIME certificates.) Currently, we offer two types of strict mailbox-validated email security certificates:

Here’s an example of what it looks like when I digitally signed an email using DigiCert’s Class 1 S/MIME Certificate:

An example of an S/MIME email security certificate that's compliant with the CA/B Forum's new S/MIME Certificate Baseline Requirements.
Image caption: An example screenshot I captured using a new DigiCert Class 1 S/MIME Certificate.

Option #2: A Multipurpose Mailbox-Validated S/MIME Certificate

As the name implies, multipurpose S/MIME certificates aren’t just good for email signing and encryption/decryption. They’ve “leveled up” and provide greater flexibility, being capable of performing additional functionalities:

  • Email encryption and decryption,
  • Email digital signing,
  • Document signing*, and
  • Client authentication.

NOTE: To digitally sign Adobe PDFs, you’ll need a separate document signing certificate*

At this time, we offer Sectigo’s Pro S/MIME certificate.

Organization-Validated S/MIME Certificates

The use of this type of S/MIME certificate extends beyond the uses of any individual mailbox. Rather, its intended uses are broader in terms of representing your company or organization.

Tired of sending unsigned emails from your company? Are your customers unsure about whether your messages are legitimate or phish? Install an organization-validated S/MIME certificate and remove any doubt. Digitally signing your messages in your organization’s name allows recipients to check the veracity of your messages to know whether your organization really sent them. 

Option #3: A Multipurpose Organization-Validated S/MIME Certificate

This type of certificate offers the best of both worlds — organization validation + the multipurpose functionalities that extend beyond digital signing and encryption/decryption. It’s a tool for large organizations or enterprises that want to send emails from a validated company name and email address.

A screenshot example of the information displayed for a DigiCert Orgaization-Validated S/MIME Certificate.
Image caption: An example of a DigiCert Organization-Validated S/MIME certificate. Image provided by Wade Hill and Flavio Martins at DigiCert.

Here’s another example of how this information displays when you’re using an individual employee’s email address for an organization-validated certificate:

A side-by-side set of screenshots that display info regarding a DigiCert Orgaization-Validated S/MIME Certificate.
Image caption: A look at the certificate information that displays when users digitally sign an email using a DigiCert organization-validated S/MIME certificate. Image provided by Mandy Barotti at DigiCert.

Much like the mailbox-validated multipurpose certificates we mentioned earlier, these organization-validated multipurpose S/MIME certificates enable you to digitally sign documents* and perform client authentication in addition to their traditional email signing and encryption/decryption capabilities.

NOTE: To sign PDFs using Adobe Acrobat, you’ll need a separate document signing certificate*

We offer two options for Multipurpose Organization-Validated S/MIME Certificates:

Want to learn more about our certificate offerings, or need help placing an order? Contact our support team to get help right away.


Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.