New security requirements for publicly trusted email security certificates are now in effect. Here’s an overview of TheSSLstore.com’s new S/MIME products that are compliant with the industry’s latest requirements.
Starting Sept. 1, 2023, industry changes officially rolled out regarding how publicly trusted email security certificates would be issued and managed. The goal? To improve email security and authenticity while not breaking existing deployments.
Historically, the industry lacked standardized requirements regarding certificate subject validation. The new S/MIME standards, released on Jan. 1 and covered previously in another article, aim to set specific parameters that certificate issuers must adhere to regarding the issuance of publicly trusted email security certificates. The CA/B Forum, the industry’s standards body, has since released an updated version of its S/MIME Baseline Requirements (version 1.0.1).
Now, here we are nine months later, after these new requirements have kicked into effect. So, what do these changes look like in terms of our new S/MIME certificate product offerings and their validation requirements?
Let’s hash it out.
TL;DR: An Overview of the New S/MIME Products
The new email security certificates are a mix when it comes to their validations and capabilities. Some allow you to digitally sign and protect the confidentiality of your messages (using encryption and decryption) while others provide additional functionalities.
Different certificate authorities (CAs) are approaching the rollout of the new standards in different ways. For example:
- Sectigo offers three types of S/MIME certificates (called Personal Authentication Certificates),
- DigiCert offers two types of S/MIME certificates.
Here’s a quick overview of the three types of S/MIME certificates we offer — all of which are valid for a maximum of two years (825 days):
| | Strict Mailbox-Validated S/MIME Certificate | Multipurpose Mailbox-Validated S/MIME Certificate | Multipurpose Organization-Validated S/MIME Certificate |
|---|---|---|---|
| What It Does | Digitally signs and secures emails (encrypt and decrypt) for an individual employee’s account. | Gives individual employees the ability to do more than “just” digitally sign, encrypt, and decrypt emails. (Also provides document signing and client authentication capabilities.) | Displays your company name and does more than “just” sign, encrypt, and decrypt emails. (Also provides document signing and client authentication capabilities.) |
| Validation Type | Email Verification | Email Verification | Email + Organization Verification |
| Issued To/Displays | Email Address (email@example.com) | Email Address (firstname.lastname@example.org) | Email Address & Organization (email@example.com and Company Name) |
| Works for Shared Email Providers (@gmail.com, yahoo.com, etc.)? | Yes | Yes | No |
| S/MIME Certificate Providers We Partner With | Sectigo | | |
Strict, multipurpose, mailbox validated, organization validated — what do these terms mean? In a nutshell, our three types of certificate offerings fall within two overarching categories. Let’s break it all down.
Mailbox-Validated S/MIME Certificates
Mailbox validation refers to the use of an individual’s email address (e.g., firstname.lastname@example.org) for validating that the certificate Subject is in control of that mailbox. This type of S/MIME certificate can be used for:
- Individuals who aren’t associated with a company, or
- Individuals who work for an organization.
But this approach isn’t one size fits all; there are two categories of certificates that fall within this classification, which vary based on the certificates’ functionalities:
Option #1: A Strict Mailbox-Validated S/MIME Certificate
The Strict Mailbox-Validated S/MIME Certificate is the most basic type of email validation and is used to secure an individual mailbox. To complete validation for this type of certificate, the certificate issuer must verify that the email address is controlled by the certificate Subject (i.e., the person it’s issued to).
It’s useful for digitally signing, encrypting, and decrypting messages. (NOTE: To exchange encrypted messages, both the sender and receiver must use S/MIME certificates.) Currently, we offer two types of strict mailbox-validated email security certificates:
Here’s an example of what it looks like when I digitally signed an email using DigiCert’s Class 1 S/MIME Certificate:
Option #2: A Multipurpose Mailbox-Validated S/MIME Certificate
As the name implies, multipurpose S/MIME certificates aren’t just good for email signing and encryption/decryption. They’ve “leveled up” and provide greater flexibility, being capable of performing additional functionalities:
- Email encryption and decryption,
- Email digital signing,
- Document signing*, and
- Client authentication.
*NOTE: To digitally sign Adobe PDFs, you’ll need a separate document signing certificate.
At this time, we offer Sectigo’s Pro S/MIME certificate.
Organization-Validated S/MIME Certificates
The use of this type of S/MIME certificate extends beyond the uses of any individual mailbox. Rather, its intended uses are broader in terms of representing your company or organization.
Tired of sending unsigned emails from your company? Are your customers unsure about whether your messages are legitimate or phish? Install an organization-validated S/MIME certificate and remove any doubt. Digitally signing your messages in your organization’s name allows recipients to check the veracity of your messages to know whether your organization really sent them.
Option #3: A Multipurpose Organization-Validated S/MIME Certificate
This type of certificate offers the best of both worlds — organization validation + the multipurpose functionalities that extend beyond digital signing and encryption/decryption. It’s a tool for large organizations or enterprises that want to send emails from a validated company name and email address.
Here’s another example of how this information displays when you’re using an individual employee’s email address for an organization-validated certificate:
Much like the mailbox-validated multipurpose certificates we mentioned earlier, these organization-validated multipurpose S/MIME certificates enable you to digitally sign documents* and perform client authentication in addition to their traditional email signing and encryption/decryption capabilities.
*NOTE: To sign PDFs using Adobe Acrobat, you’ll need a separate document signing certificate.
We offer two options for Multipurpose Organization-Validated S/MIME Certificates:
Want to learn more about our certificate offerings, or need help placing an order? Contact our support team to get help right away.