Renew your Secure Email individual, business, or organization certificate
Learn how to renew your Secure Email for Individual, for Business, or for Organization certificate.
Before you begin renewing your certificate
This section outlines some things you may want to consider or tasks to complete before you renew your Secure Email Certificate. For example, you may need additional information about Certificate profiles or want to complete specific tasks, such as generating a certificate signing request (CSR) or ensuring your email domain's validation is current.
Certificate profile
Important
End of life for the Legacy certificate profile
On July 1, 2025, DigiCert will no longer accept Secure Email certificate requests using the Legacy certificate profile. All new certificate requests must use the Strict or Multipurpose certificate profile. This change affects new, renewed, and reissued certificate requests.
To learn more about this change:
Before filling out the certificate renewal form, you must select a certificate profile for your Secure Email certificate. DigiCert currently supports three profiles: Multipurpose, Strict, and Legacy.
Certificate profile | Supported certificate validities | Support additional certificate usages |
---|---|---|
Strict | 1 and 2-year certificates | Non-repudiation |
Multipurpose | 1 and 2-year certificates | Non-repudiation, data encipherment, and client authentication |
Legacy | 1, 2, and 3-year certificates | Non-repudiation, data encipherment, and client authentication |
CSR requirements
You must provide a certificate signing request (CSR) before DigiCert can issue your Secure Email certificate. You can include a CSR with your request. Or, after submitting your order, you can generate it in the browser.
If you plan to include a CSR with your request, generate the CSR before you start the renewal process. Learn how to Create a CSR (Certificate Signing Request). We only use the public key embedded in the CSR to create your certificate. All other fields in the CSR are ignored.
Note: You can only add a CSR when you place your renewal request. After submitting your order, you cannot add or update a CSR.
If you plan to generate the CSR in the browser, we will send instructions to the email recipient for generating the CSR and certificate in their browser. See Getting your Secure Email for Individual, Business, or Organization certificate below.
Algorithm | Key lengths |
---|---|
RSA (Rivest-Shamir-Adleman) | 2048, 3072, and 4096 |
ECC (elliptic curve cryptography) | p-256 and p-384 |
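Because a CSR cannot be added or updated after the order is submitted, and only its public key is used, it is worth checking the key before upload. The following is an added example, not DigiCert code: a shell function (the name `check_csr` is hypothetical) that uses the `openssl` command line to confirm the CSR's self-signature and that its key matches the table above.

```shell
#!/bin/sh
# Added example (not DigiCert code): check a CSR's key before uploading it.
# Supported keys come from the table above: RSA 2048/3072/4096, ECC p-256/p-384.

# check_csr FILE: prints e.g. "RSA-2048" or "ECC-p-256" and returns 0,
# or prints a reason on stderr and returns 1. The function name is hypothetical.
check_csr() {
    csr=$1
    # The CSR must parse and its self-signature must verify. Match on the
    # message text because older OpenSSL releases exit 0 on a bad signature.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "reject: unreadable CSR or invalid self-signature" >&2
        return 1
    fi
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$alg" in
        rsaEncryption)
            case "$bits" in
                2048|3072|4096) echo "RSA-$bits"; return 0 ;;
            esac
            echo "reject: RSA $bits-bit key is not a supported length" >&2 ;;
        id-ecPublicKey)
            # OpenSSL prints NIST P-256 / P-384 as prime256v1 / secp384r1.
            curve=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
            case "$curve" in
                prime256v1) echo "ECC-p-256"; return 0 ;;
                secp384r1)  echo "ECC-p-384"; return 0 ;;
            esac
            echo "reject: EC curve '${curve:-unnamed}' is not supported" >&2 ;;
        *)
            echo "reject: unsupported key algorithm '$alg'" >&2 ;;
    esac
    return 1
}

# Usage: sh check_csr.sh request.csr
if [ "$#" -gt 0 ]; then check_csr "$1"; fi
```

The check covers the key only; it does not inspect the subject or any other CSR field, since the page states those are ignored.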
Email Address domain requirements
Are you renewing a Secure Email for Business or Secure Email for Organization certificate?
Make sure the domain validation for the email domains included in your certificate is still valid. Note that domain validation is valid for 398 days. If your domain validation has expired, use one of the following domain validation options to demonstrate control over the email address domain:
Validate the domain before ordering certificates
CertCentral features a domain validation process that allows you to validate your domains before ordering certificates. Completing the domain validation ahead of time allows for quicker certificate issuance. See Domain prevalidation: Domain control validation (DCV) methods.
Validate the domain as part of the order process
If you add an email address with a new domain or a domain with expired validation, you can complete the domain validation as part of the order process. See Supported DCV methods for validating the domains on certificate orders.
Organization validation
Are you renewing a Secure Email for Business or Secure Email for Organization certificate?
Make sure the organization validation for the organization included in your certificate is still valid. Note that organization validation is valid for 825 days. Learn how we validate your organization.
If the organization validation has expired, use one of the following options to validate your organization:
Validate the organization before ordering certificates
CertCentral features an organization validation process that allows you to validate your organization before ordering certificates. Completing the organization validation ahead of time allows for quicker certificate issuance. See Submit an organization for prevalidation.
Validate the organization as part of the order process
If you add a new organization or an organization with expired S/MIME validation, DigiCert will complete the S/MIME organization validation as part of the order process.
Organization attestation requirement
Are you renewing a Secure Email for Business certificate?
By adding a recipient's name or pseudonym to the certificate, your organization attests the individual is a valid employee or company representative and is included in official company registries. You must collect and retain evidence of the individual's name or pseudonym.
In other words, your organization is the registration authority for the individuals on these certificates. DigiCert only validates your organization, not the individual included on the certificate.
Renew your Secure Email certificate
When renewing a Secure Email certificate, DigiCert uses the information in your expiring certificate to populate the renewal form, making it easier to renew your certificate. The instructions below focus more on items you may need to update in the renewal form. For example, if company policies or industry standards have changed since the last time you ordered or renewed your certificate, you may be required to use a different signing algorithm or certificate profile.
Renew your certificate
In CertCentral, go to the certificate’s Order # details page.
In the left menu, go to Certificates > Orders.
On the Orders page, select the Order # of the Secure Email certificate you want to renew.
For CertCentral Subscription accounts, the steps to access the Order # detail page are different.
In the left menu, go to My Digital Trust Products > Certificates.
On the Certificates page, select the Order # of the Secure Email certificate you want to renew.
On the certificate's Order details page, in the Certificate actions menu, select Renew.
On the certificate's Renew page, update the form as needed, including selecting a different certificate profile, certificate key size, certificate uses, or signature hash.
Profile option
You can select a different profile for your certificate if needed:
Strict
Use this profile if you only need a certificate to secure your email or are unsure which profile to select. This profile supports 1 and 2-year certificate validity and Non-repudiation certificate usage.
Multipurpose
Use this profile if you use the additional certificate usage it supports. This profile supports 1 and 2-year certificate validity and Non-repudiation, Data encipherment, and Client authentication certificate usage.
Legacy
Only use this profile if you have a specific reason for using it. Otherwise, use Multipurpose, which supports the same certificate usages. This profile supports 1, 2, and 3-year certificate validity and Non-repudiation, Data encipherment, and Client authentication certificate usage.
Add your CSR
You can add your CSR now or generate it in your browser after DigiCert processes your order and is ready to issue it.
Generate CSR in the browser
To generate the CSR and your certificate via the browser, select Generate CSR in the browser. For this option, we send instructions to the email recipient for using the DigiCert KeyGen tool to generate the CSR and certificate in their browser.
I have my CSR
You can only add a CSR when placing your request. After submitting your order, you cannot add or update a CSR.
Use your CSR to specify the algorithm (RSA or ECC) and key size (2048 (RSA) or p-256 (ECC)) for your certificate.
To include a CSR with your request, select I have my CSR.
Upload or paste your CSR in the box.
Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.
Additional certificate options
Certificate key size
When generating the certificate via your browser, you can select your certificate's algorithm and key size. DigiCert recommends using RSA 2048 unless you have specific reasons for using a different key size (for example, company policy requires a 3072-bit key size).
In the Certificate key size menu, select the algorithm and key size for generating your CSR: RSA 2048, 3072, or 4096 or ECC p-256 or p-384.
Certificate use
By default, DigiCert Secure Email certificates are dual-use and can be used to sign and encrypt emails. However, you can update the certificate usage to meet your needs.
RSA options
To view and use the RSA options, add an RSA CSR to the request form or generate the CSR via the browser.
Table 3. Supported RSA certificate usages for Secure Email certificates
Certificate use | Additional certificate usages |
---|---|
Dual use - email signing and encryption | Non-repudiation; Data encipherment – only available with the Multipurpose and Legacy profiles; Client authentication – only available with the Multipurpose and Legacy profiles |
Email signing only | Non-repudiation; Client authentication – only available with the Multipurpose and Legacy profiles |
Email encryption only | Data encipherment – only available with the Multipurpose and Legacy profiles; Client authentication – only available with the Multipurpose and Legacy profiles |
ECC options
To view and use the ECC options, add an ECC CSR to the request form or generate the CSR via the browser.
Table 4. Supported ECC certificate usages for Secure Email certificates
Certificate use | Additional certificate usages |
---|---|
Dual use - email signing and encryption | Non-repudiation; Client authentication – only available with the Multipurpose and Legacy profiles; Restrict key agreement (Encipher only, Decipher only) |
Email signing only | Non-repudiation; Client authentication – only available with the Multipurpose and Legacy profiles |
Email encryption only | Client authentication – only available with the Multipurpose and Legacy profiles; Restrict key agreement (Encipher only, Decipher only) |
Signature Hash
DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm by default. DigiCert recommends using the default RSA settings unless you have specific reasons for using a different key size or signing algorithm (for example, company policy requires a 3072-bit key size or an RSASSA-PSS signature).
In the Signature Hash menu, select the signature hash (SHA-256, -384, or -512) and signing algorithm (RSA or RSASSA-PSS) combination you want DigiCert to use for your certificate.
Signature hash + RSA | Signature hash + RSASSA-PSS |
---|---|
SHA-256 with RSA | SHA-256 with RSASSA-PSS |
SHA-384 with RSA | SHA-384 with RSASSA-PSS |
SHA-512 with RSA | SHA-512 with RSASSA-PSS |
For ECC certificates, there is a one-to-one correlation between the signature hash and the signing algorithm:
With the ECC p-256 key size, your certificate includes a SHA-256 signature hash with an ECDSA signing algorithm.
With the ECC p-384 key size, your certificate includes a SHA-384 signature hash with an ECDSA signing algorithm.
Important
The industry does not support issuing ECC certificates with an RSASSA-PSS signing algorithm. If you need an RSASSA-PSS signature, get an RSA certificate instead.
When ready, select Submit request.
What's next
CertCentral takes you to the Secure Email certificate's Order # details page, where you can see the status of your order, what you need to do, and what DigiCert needs to do before we can issue your certificate.
Secure Email for Individual certificate
DigiCert sends an email containing a link to each email address listed in the certificate request so the recipient can validate that they own that email address. If the certificate recipient loses a validation email, you can resend it. See How to resend an email validation for DigiCert "client certificate" email.
Secure Email for Business and Organization certificates
Before we can issue these certificates, these tasks must be completed:
Demonstrate control over the domains on your order
Complete the domain validation for the email address domains on the order (demonstrate control over the domain). See Supported DCV methods for validating the domains on certificate orders.
Complete organization validation
DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we will call a verified phone number to speak with someone who represents you, the certificate requestor, such as the organization or technical contact.
To get organization consent for your certificate order:
Answer the organization/validation phone call (preferred method)*.
This phone call usually takes place within 24 hours of placing the order.
*After submitting your certificate order, ensure that the organization contact, technical contact, and company receptionist know you've ordered a Secure Email for Business or Secure Email for Organization certificate. Let them know DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication.
Respond to the organization consent message.
If the DigiCert validation agent can't reach someone who represents you at the verified phone number, they will leave a message with a call-back phone number and a verification code. Make sure that the organization or technical contact responds to the message and provides the verification code.
Getting your Secure Email for Individual, Business, or Organization certificate
Opted to generate the CSR in the browser
After all email addresses are validated, CertCentral sends an email with a link to the first email address on the list so the recipient can generate the CSR and Secure Email certificate via the browser. Learn how to generate your client certificate using DigiCert's KeyGen tool.
Included a CSR with your certificate renewal
After all email addresses are validated, CertCentral sends the "client certificate issued" email with the certificate attached. You can also download a copy from CertCentral.