Reissue your Secure Email for Individual Mailbox, Employee, or Organization certificate
Learn how to reissue your Secure Email for Individual Mailbox, Employee, or Organization certificate.
Warning
Before reissuing a Secure Email certificate that uses the deprecated Legacy profile
The Legacy profile’s maximum validity is 1184 days, whereas the Multipurpose and Strict profiles' maximum validity is 824 days. If reissuing a certificate with a remaining validity greater than 824 days, we truncate the validity on your reissue to 824 days without a refund.
End of life for the Legacy certificate profile
On July 10, 2025, DigiCert stopped accepting Secure Email certificate requests using the Legacy certificate profile. All new certificate requests must use the Strict or Multipurpose certificate profile. This change affects new, renewed, and reissued certificate requests.
To learn more about this change:
Before you begin reissuing your certificate
This section outlines some things you may want to consider or tasks to finish before you reissue your Secure Email Certificate. For example, you may need additional information about Certificate profiles or want to finish tasks, such as ensuring your email domain's validation is current.
Certificate profile
When filling out the certificate reissue form, you can change the certificate profile for your Secure Email certificate. DigiCert supports two profiles: Multipurpose and Strict.
Certificate profile | Supported certificate usages |
---|---|
Strict | Non-repudiation |
Multipurpose | Non-repudiation, data encipherment, and client authentication |
CSR requirements
You must provide a certificate signing request (CSR) before DigiCert can reissue your Secure Email certificate. You can include a CSR with your reissue request. Or, once you've submitted your order, you can generate it in the browser.
If planning to include a CSR with your request, generate the CSR before you start the reissue process. Learn how to Create a CSR (Certificate Signing Request). We only use the public key embedded in the CSR to create your certificate. All other fields in the CSR are ignored.
Note: You can only add a CSR when you place your reissue request. After submitting your order, you cannot add or update a CSR.
If you plan to generate the CSR in the browser, we will send instructions to the email recipient for generating the CSR and certificate in their browser. See below: Getting your Secure Email for Individual Mailbox, Employee, or Organization certificate.
Algorithm | Key lengths |
---|---|
RSA (Rivest-Shamir-Adleman) | 2048, 3072, and 4096 |
ECC (elliptic curve cryptography) | p-256 and p-384 |
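Because a CSR cannot be added or updated after the order is submitted, it helps to confirm beforehand that its public key is one of the supported types in the table above. The following Python example is added here and is not DigiCert code: it reads the key algorithm and size out of a PEM CSR using only the standard library, and it does not verify the CSR's signature. The function names are this example's own.

```python
import base64, re, sys

# Key types the page lists as supported: RSA 2048/3072/4096, ECC p-256/p-384.
RSA_OID, EC_OID = "2a864886f70d010101", "2a8648ce3d0201"  # rsaEncryption, id-ecPublicKey
CURVES = {"2a8648ce3d030107": "p-256", "2b81040022": "p-384"}  # curve OID bytes (hex)
RSA_BITS = {2048, 3072, 4096}

def items(buf):
    """Split a run of DER elements into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def csr_key(pem):
    """Return (algorithm, size) for the public key embedded in a PEM CSR."""
    # Either PEM label parses here; the page asks for the NEW CERTIFICATE REQUEST tags.
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no certificate request block found")
    request = items(base64.b64decode(m.group(1)))[0][1]
    info = items(request)[0][1]   # CertificationRequestInfo
    spki = items(info)[2][1]      # follows version and subject
    (_, alg), (_, bits) = items(spki)
    oid, *params = [value.hex() for _, value in items(alg)]
    if oid == RSA_OID:
        modulus = items(items(bits[1:])[0][1])[0][1]  # bits[0] is the unused-bit count
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if oid == EC_OID and params:
        return "ECC", CURVES.get(params[0], "unsupported curve")
    return "unsupported", None

def key_is_supported(pem):
    """True only for a parseable CSR whose key type is in the table above."""
    try:
        alg, size = csr_key(pem)
    except (ValueError, IndexError):  # malformed PEM or DER
        return False
    return (alg == "RSA" and size in RSA_BITS) or (alg == "ECC" and size in CURVES.values())

if __name__ == "__main__" and len(sys.argv) > 1:  # usage: python check_csr.py request.csr
    with open(sys.argv[1]) as fh:
        print(csr_key(fh.read()))
```

Run it against the CSR file you intend to upload; a result outside the table means the CSR should be regenerated before you place the reissue request.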
Email Address domain requirements
Are you reissuing a Secure Email for Employee or Secure Email for Organization certificate?
Make sure the domain validation for the email domains included in your certificate is still valid. Note that domain validation is valid for 398 days. If your domain validation has expired, use one of the following domain validation options to demonstrate control over the email address domain:
Validate the domain before ordering certificates
CertCentral features a domain validation process that allows you to validate your domains before ordering certificates. Completing the domain validation ahead of time allows for quicker certificate issuance. See Domain prevalidation: Domain control validation (DCV) methods.
Validate the domain as part of the order process
If you add an email address with a new domain or a domain with expired validation, you can complete the domain validation as part of the order process. See Supported DCV methods for validating the domains on certificate orders.
Organization validation
Are you reissuing a Secure Email for Employee or Secure Email for Organization certificate?
Make sure the organization validation for the organization included in your certificate is still valid. Note that organization validation is valid for 825 days. Learn how we validate your organization.
Validate the organization before ordering certificates
CertCentral features an organization validation process that allows you to validate your organization before ordering certificates. Completing the organization validation ahead of time allows for quicker certificate issuance. See Submit an organization for prevalidation.
Validate the organization as part of the order process
If the organization’s S/MIME validation has expired, DigiCert will complete the S/MIME organization validation as part of the order process.
Organization attestation requirement
Are you reissuing a Secure Email for Employee certificate?
By adding a recipient's name or pseudonym to the certificate, your organization attests the individual is a valid employee or company representative and is included in official company registries. You must collect and retain evidence of the individual's name or pseudonym.
In other words, your organization is the registration authority for the individuals on these certificates. DigiCert only validates your organization, not the individual included on the certificate.
Reissue your Secure Email certificate
When reissuing a Secure Email certificate, DigiCert uses the information in your primary certificate to populate the reissue form. The instructions below focus more on items you may need to update during reissue. For example, if company policies or industry standards have changed since the last time you ordered or issued your certificate, you may be required to use a different signing algorithm.
Reissue your certificate
In CertCentral, go to the certificate’s Order # details page.
In CertCentral, in the left menu, go to Certificates > Orders.
On the Orders page, select the Order # of the Secure Email certificate you want to reissue.
For CertCentral Subscription accounts, the steps to access the Order # detail page are different.
In the left menu, go to My Digital Trust Products > Certificates.
On the Certificates page, select the Order # of the Secure Email certificate you want to reissue.
On the certificate's Order details page, on the Details tab, in the Certificate actions menu, select Reissue certificate.
On the Reissue certificate page, update the form as needed, including selecting a different certificate profile, certificate key size, certificate uses, or signature hash.
Add your CSR
You can add your CSR now or generate it in your browser after DigiCert processes your order and is ready to issue it.
Generate CSR in the browser
For this option, we send instructions to the email recipient for using the DigiCert KeyGen tool to generate the CSR and certificate in their browser.
To generate the CSR and your certificate via the browser, select Generate CSR in the browser.
Key size
When generating the certificate via your browser, you can select your certificate's algorithm and key size. DigiCert recommends using RSA 2048 unless you have specific reasons for using a different key size (for example, company policy requires a 3072-bit key size).
In the Key size menu, select the algorithm and key size for generating your CSR: RSA 2048, 3072, or 4096 or ECC p-256 or p-384.
I have my CSR
You can only add a CSR when placing your request. After submitting your order, you cannot add or update a CSR.
Use your CSR to specify the algorithm (RSA or ECC) and key size (2048 (RSA) or p-256 (ECC)) for your certificate.
To include a CSR with your request, select I have my CSR.
Upload or paste your CSR in the box.
Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.
Additional certificate options
By default, DigiCert Secure Email certificates are dual-use and can be used to sign and encrypt emails. However, you can update the certificate usage to meet your needs.
Profile option
You can select a different profile for your certificate if needed. Changing a reissued certificate's profile may affect your certificate's additional certificate usages. If you are reissuing a certificate that uses the Legacy profile, we will replace it with the Strict profile by default.
Strict: Use the profile if you only need a certificate to secure your email. This profile only supports Non-repudiation certificate usage.
Multipurpose: Use this profile if you need the additional certificate usage it supports. This profile supports the Non-repudiation, Data encipherment, and Client authentication certificate usages.
Legacy: This profile was deprecated on July 10, 2025 and can no longer be used.
Certificate use
RSA options
To view and use the RSA options, add an RSA CSR to the request form or generate the CSR via the browser and select an RSA key size.
Table 3. RSA certificate usages for Secure Email certificates
Certificate use | Additional certificate usages |
---|---|
Dual use - email signing and encryption | Non-repudiation; Data encipherment – Multipurpose profile only; Client authentication – Multipurpose profile only |
Email signing only | Non-repudiation; Client authentication – Multipurpose profile only |
Email encryption only | Data encipherment – Multipurpose profile only; Client authentication – Multipurpose profile only |
ECC options
To view and use the ECC options, add an ECC CSR to the request form or generate the CSR via the browser and select an ECC key size.
Table 4. ECC certificate usages for Secure Email certificates
Certificate use | Additional certificate usages |
---|---|
Dual use - email signing and encryption | Non-repudiation; Client authentication – Multipurpose profile only; Restrict key agreement; Encipher only; Decipher only |
Email signing only | Non-repudiation; Client authentication – Multipurpose profile only |
Email encryption only | Client authentication – Multipurpose profile only; Restrict key agreement; Encipher only; Decipher only |
Signature hash
DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm by default. DigiCert recommends using the default RSA settings unless you have specific reasons for using a different key size or signing algorithm (for example, company policy requires a 3072-bit key size or an RSASSA-PSS signature).
In the Signature hash menu, select the signature hash (SHA-256, -384, or -512) and signing algorithm (RSA or RSASSA-PSS) combination you want DigiCert to use for your certificate.
Signature hash + RSA | Signature hash + RSASSA-PSS |
---|---|
SHA-256 with RSA | SHA-256 with RSASSA-PSS |
SHA-384 with RSA | SHA-384 with RSASSA-PSS |
SHA-512 with RSA | SHA-512 with RSASSA-PSS |
When ready, select Submit request.
What's next
CertCentral takes you to the Secure Email certificate's Order # details page, where you can see the status of your order, what you need to do, and what DigiCert needs to do before we can reissue your certificate.
Secure Email for Individual Mailbox certificate
DigiCert sends an email containing a link to each email address listed in the certificate request so the recipient can validate that they own that email address. If the certificate recipient loses a validation email, you can resend it. See How to resend an email validation for DigiCert "client certificate" email.
Secure Email for Employee and Organization certificates
Before we can reissue these certificates, these tasks must be completed:
Demonstrate control over the domains on your order
Complete the domain validation for the email address domains on the order (demonstrate control over the domain). See Supported DCV methods for validating the domains on certificate orders.
Complete organization validation
DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we will call a verified phone number to speak with someone who represents you, the certificate requestor, such as the organization or technical contact.
To get organization consent for your certificate order:
Answer the organization/validation phone call (preferred method)*.
This phone call usually takes place within 24 hours of placing the order.
*After submitting your certificate order, ensure that the organization contact, technical contact, and company receptionist know you've ordered a Secure Email for Employee or Secure Email for Organization certificate. Let them know DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication.
Respond to the organization consent message.
If the DigiCert validation agent can't reach someone who represents you at the verified phone number, they will leave a message with a call-back phone number and a verification code. Make sure that the organization or technical contact responds to the message and provides the verification code.
Getting your Secure Email for Individual Mailbox, Employee, or Organization certificate
Opted to generate the CSR in the browser
After all email addresses are validated, CertCentral sends an email with a link to the first email address on the list so the recipient can generate the CSR and Secure Email certificate via the browser. Learn how to generate your client certificate using DigiCert's KeyGen tool.
Included a CSR with your certificate reissue
After all email addresses are validated, CertCentral sends the "client certificate issued" email with the certificate attached. You can also download a copy from CertCentral.