Request client certificate
End of life for old S/MIME products in CertCentral
On July 10, 2025, DigiCert deprecated the old S/MIME products: Premium, Email Security Plus, Digital Signature Plus, and Class 1 S/MIME. These are replaced by Secure Email Certificates. See Secure Email products. If you have existing orders for these products, see Reissue your client certificate for deprecation impact on reissues.
Use these steps to request a client certificate in CertCentral . Client certificates authenticate users and devices to systems, applications, and networks.
This procedure applies to Enterprise, Partner, and Legacy accounts.
Notice
For Subscription accounts, request client certificates through your active subscription. In the CertCentral menu, go to My digital trust products > My subscription. Find the relevant subscription and select Actions > Request a certificate.
Before you begin
If your organization policy requires a CSR, generate the CSR before ordering. See Generate a certificate signing request (CSR).
Alternatively, the recipient can generate the CSR via browser after receiving the issuance email.
The organization must be validated in your CertCentral account before a client certificate can be issued.
The recipient email address must be on a domain that your organization owns or controls. Public email domains (such as gmail.com, yahoo.com) require a separate certificate type.
Collect and retain evidence of the recipient's identity. The recipient's name must be the current name of an individual associated with your organization.
Notice
Client certificate products are account-specific and may not all be visible in your account. Products marked as available for DCJ customers only or TLM only are not available in standard CertCentral accounts. Contact your account manager to confirm which products are enabled.
Start a certificate request
For Enterprise and Partner accounts:
In the CertCentral main menu, go to Certificates > Request > Request a certificate.
Under Client certificates, select a client certificate product. The available products are:
Authentication Plus
Test Authentication Only
Private Premium
Authentication Only
Authentication Only - Non-Repudiation
Test Private Client Authentication
Under Certificate settings, in the Organization menu, select the organization to associate with the certificate.
In the Signature hash menu, select a signature hash.
Under Validity period, select the certificate validity: 1 year, 2 years, 3 years, Custom expiration date, or Custom length.
Under Order options, in the Automatic renewal menu, select a renewal preference.
Under Certificate(s) to request, select the common name type
To use the recipient's email address as the common name: select Email and enter the Recipient email.
To use the recipient's name as the common name: select Name, enter the Recipient name (Common name), and enter the Recipient email.
Add the CSR:
To generate the CSR in the browser: select Generate CSR in the browser.
To use an existing CSR: select I have my CSR and upload or paste the CSR.
Under Additional emails (optional), enter any additional email addresses to receive order-related notifications. Separate multiple addresses with commas.
Select the payment method:
Pay with credit card
Pay with contract terms
Pay with account balance
Review and accept the Master Services Agreement.
Select Submit Request.
After submission, DigiCert validates the recipient's email address and sends the issuance email. If no CSR was provided, the recipient uses the email link to generate the CSR and client certificate in the browser.
Notice
To cancel a pending order, see Cancel a pending certificate order. To remove a certificate after issuance, see the revocation instructions.
What's next
Generate your client certificate to generate the certificate after DigiCert processes your order and sends the issuance email