Order your Secure Email for Employee certificate

With Secure Email for Employee certificates, you can secure email for individuals in your organization on your email domains. Your organization attests that the individual on the certificate is a valid employee or company representative.

Use your Secure Email certificate to sign and encrypt your emails. Signing authenticates your employees and company representatives as the sender, adding extra assurance for email recipients, while encryption protects sensitive email data.

Important

End of life for the Legacy certificate profile

On July 10, 2025, DigiCert stopped accepting Secure Email certificate requests using the Legacy certificate profile. All new certificate requests must use the Strict or Multipurpose certificate profile. This change affects new, renewed, and reissued certificate requests.

To learn more about this change:

Before you begin

This section outlines some things you may want to consider or do before ordering your Secure Email for Employee certificate. For example, you may need additional information about certificate profiles. You may want to finish specific tasks, such as generating a certificate signing request (CSR). Or, you may want to ensure your email domain's validation is current.

CSR requirements

Before DigiCert can issue your Secure Email for Employee certificate, you must provide a CSR. You can include a CSR with your request. Or, after submitting your request, you can generate it in the browser.

  • Include a CSR with your request

    To include a CSR with your request, generate the CSR before you start the order process. We use the public key embedded in the CSR to create your certificate. All other fields in the CSR are ignored. Learn how to create a CSR (certificate signing request).

  • Generate the CSR after submitting the request

    To generate the CSR after submitting the request, wait for CertCentral to email instructions about generating the CSR and certificate in the browser. See the Getting your Secure Email for Employee certificate section in this article.

Table 1. Supported algorithms and key lengths for Secure Email certificates

| Algorithm | Key lengths |
| --- | --- |
| RSA (Rivest-Shamir-Adleman) | 2048, 3072, and 4096 |
| ECC (elliptic curve cryptography) | p-256 and p-384 |
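
The CSR requirements above, as an added example (not DigiCert tooling or code from the original page): generate a key and CSR with OpenSSL, then pre-check the CSR before uploading it. It assumes `openssl` is on the PATH; the function names and the placeholder subject are hypothetical, and the self-signature check goes beyond what the page requires.

```bash
#!/usr/bin/env bash
# Added example: generate a CSR and pre-check it against Table 1 before upload.
# Function names and the placeholder subject are illustrative assumptions.

# make_sample_csr <rsa:BITS|ec:CURVE> <prefix>: writes <prefix>.key and <prefix>.csr
make_sample_csr() {
  case "$1" in
    rsa:*) openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${1#rsa:}" -out "$2.key" ;;
    ec:*)  openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:${1#ec:}" -out "$2.key" ;;
    *)     return 2 ;;
  esac 2>/dev/null || return 1
  chmod 600 "$2.key"   # the private key stays on this host; only the CSR is uploaded
  # Only the public key in the CSR is used, so the subject is a placeholder.
  # -newhdr writes the BEGIN/END NEW CERTIFICATE REQUEST tags.
  openssl req -new -newhdr -key "$2.key" -subj "/CN=placeholder" -out "$2.csr"
}

# csr_key_profile <csr>: prints "RSA <bits>" or "ECC <curve OID name>".
# Fails if the CSR does not parse or its self-signature does not verify.
csr_key_profile() {
  local out alg bits curve
  out=$(openssl req -in "$1" -noout -verify -text 2>&1) || return 1
  printf '%s\n' "$out" | grep -q 'verify OK' || return 1
  alg=$(printf '%s\n' "$out" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1)
  bits=$(printf '%s\n' "$out" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  curve=$(printf '%s\n' "$out" | sed -n 's/^ *ASN1 OID: *//p' | head -n1)
  case "$alg" in
    rsaEncryption)  echo "RSA $bits" ;;
    id-ecPublicKey) echo "ECC $curve" ;;
    *)              echo "OTHER $alg" ;;
  esac
}

# csr_ready_for_upload <csr>: succeeds only if the PEM tags are the NEW
# CERTIFICATE REQUEST form and the key is RSA 2048/3072/4096 or ECC p-256/p-384.
csr_ready_for_upload() {
  grep -q -- '^-----BEGIN NEW CERTIFICATE REQUEST-----' "$1" || return 1
  grep -q -- '^-----END NEW CERTIFICATE REQUEST-----' "$1" || return 1
  case "$(csr_key_profile "$1")" in
    "RSA 2048"|"RSA 3072"|"RSA 4096") return 0 ;;
    "ECC prime256v1"|"ECC secp384r1") return 0 ;;   # OpenSSL names for p-256 / p-384
    *) return 1 ;;
  esac
}

# Constructed sample run in a throwaway directory.
work=$(mktemp -d)
make_sample_csr ec:secp384r1 "$work/employee"
csr_key_profile "$work/employee.csr"
csr_ready_for_upload "$work/employee.csr" && echo "ready for upload"
```

A CSR that fails the check (for example, a P-521 key or a file with plain `BEGIN CERTIFICATE REQUEST` tags) should be regenerated rather than edited by hand, because the order cannot take a new CSR once it is submitted.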


Email address domain requirements

Before DigiCert can issue your Secure Email for Employee certificate, you must demonstrate control over the email address domains on the certificate order. In other words, if you add my-organization@example.com, you must validate the email address domain example.com.

Use one of the following domain validation options to demonstrate control over the email address domain:

Organization validation

Before DigiCert can issue your Secure Email for Employee certificate, we must validate the organization for SMIME-SMIME Organization Validation. Organization validation is valid for 825 days. Learn how we validate your organization.

Use one of the following options to validate your organization:

  • Validate the organization before ordering certificates

    CertCentral features an organization validation process that allows you to validate your organization before ordering certificates. Validating the organization before ordering certificates allows for quicker certificate issuance. See Submit an organization for prevalidation.

  • Validate the organization as part of the order process.

    If adding a new organization or an organization with expired S/MIME validation, DigiCert validates the organization for S/MIME organization validation while the order is pending.

Organization attestation requirement

When adding the recipient’s name or pseudonym to the certificate, your organization attests that the individual is a valid employee or company representative and is included in official company registries. Make sure to collect and retain evidence of the individual’s name or pseudonym.

In other words, your organization is the registration authority for the individuals included on these certificates. DigiCert validates your organization, not the individuals.

Certificate profile

When filling out the order form, you can change the certificate profile for your Secure Email for Employee certificate. By default, Secure Email certificates use the Strict profile.

Table 2. Certificate profile’s supported certificate usages

| Profile | Additional usages |
| --- | --- |
| Strict | Non-repudiation |
| Multipurpose | Non-repudiation, data encipherment, and client authentication |

  • Non-repudiation: Allows you to assert who signed the email/document to those verifying the signature, indicating that the private key has sufficient protections that the person named in the certificate can’t later repudiate.

  • Data encipherment: Allows you to use the certificate to sign documents.

  • Client authentication: Allows you to use the certificate as your Digital ID to authenticate to a server or remote computer.


Order a Secure Email for Employee certificate

These are detailed instructions for ordering a Secure Email for Employee certificate.

  1. In the left main menu, go to Request a Certificate > Secure Email Certificates > Secure Email for Employee.

  2. On the Request Secure Email for Employee Certificate page, in the For menu, select the division to manage the certificate.

    The For menu appears if your account uses Divisions.

  3. Certificate validity

    Under Certificate validity, do the following:

    1. Validity period

      Select a validity period for the certificate:

      • 1 year

      • 2 years

      • Custom expiration date

        Your expiration date must be within 824 days of the date you request the certificate.

      • Custom length

        Maximum length is 824 days.

    2. Auto-renew

      To set up automatic renewal for this certificate, check Auto-renew order 30 days before expiration.

      With auto-renew enabled, DigiCert automatically submits a request to renew the order thirty days before it expires. This option isn’t available if you pay with a credit card.

      To use the automatic renewal option, you must charge the order to the account balance. To configure your account's finance settings, in the left main menu, go to Finances > Settings.

  4. Organization

    You can add an existing organization from your account or a new organization. When adding a new organization, it’s added to your account.

    Under Organization, select Add an organization. In the Add organization window, do the following task as needed:

    • Add an existing organization.

      1. Select An existing organization.

      2. In the menu, select the organization and then select Add.

        If selecting an organization not validated for S/MIME certificates or one with expired validation, DigiCert must validate the organization for S/MIME validation before issuing your certificate.

      3. Organization and technical contacts.

        DigiCert automatically adds the contacts assigned to the organization to the request form. To view the organization and technical contacts, you can select Show organization contacts.

    • Add a new organization.

      1. Select A new organization and select Next.

      2. Under Organization address details, enter your organization's legal name, assumed name (optional), address, and phone number.

        DigiCert must validate the new organization for S/MIME validation before we can issue your certificate.

      3. When ready, select Add.

      4. Add an organization contact.

        The organization contact is the person we contact when validating the organization and to verify your authority to order a DigiCert certificate for the organization. They may also receive updates about an organization-related order, and updates about domains assigned to the organization.

        In the Add organization window, add yourself or someone else from your account or create a new organization contact.

        • Add yourself as the organization contact.

          Select Add me as the organization contact and then select Add or Next.

          • If we have all your information, you must select Add.

          • If we need more information, you must select Next, enter the missing data, and then select Add.

        • Add someone else as the organization contact.

          Select Add someone else as the organization contact. Then, in the Add contact menu, select the contact or user and then select Add or Next.

          • If we have the needed user information, you must select Add.

          • If we need more user information, you must select Next, enter the missing data, and then select Add.

        • Create a new contact.

          1. Select Add someone else as the organization contact.

          2. In the Add contact menu, select Create new contact, and then select Next.

          3. Enter the needed user information and then select Add.

    • Add a technical contact for the organization (optional).

      We may contact a technical contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.

      1. Select Show organization contacts.

      2. Select Add technical contact (Optional) and do one of the following:

        • Add yourself as the technical contact.

          Select Add me as the technical contact for the organization and then select Add or Next.

          • If we have all your information, you must select Add. 

          • If we need more information, you must select Next, enter the missing data, and then select Add.

        • Add someone else as the technical contact.

          Select Add someone else as the technical contact for the organization. Then, in the Add contact menu, select the contact or user and then select Add or Next.

          • If we have the needed user information, you must select Add.

          • If we need more user information, you must select Next, enter the missing data, and then select Add.

        • Create a new contact.

          1. Select Add someone else as the technical contact for the organization.

          2. In the Add contact menu, select Create new contact, and then select Next.

          3. Enter the needed user information and then select Add.

  5. Add your CSR

    You can add your CSR now or generate it in your browser after DigiCert processes your order and is ready to issue it.

    • Generate CSR in the browser

      To generate the CSR and your certificate via the browser, select Generate CSR in the browser.

      For this option, we send instructions to the email recipient for using the DigiCert KeyGen tool to generate the CSR and certificate in their browser.

    • I have my CSR

      You can add a CSR when placing your request. After submitting your order, you can’t add or update a CSR.

      Use your CSR to specify the algorithm (RSA or ECC) and key size (for example, 2048 (RSA) or p-256 (ECC)) for your certificate.

      1. To include a CSR with your request, select I have my CSR.

      2. Upload or enter your CSR in the box.

        Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

  6. Certificate details

    In your certificate details, you can include an email address or the recipient's name as the common name on the certificate.

    1. Email address as the common name

      1. Select Email.

        Email addresses must include domains owned or controlled by your organization.

      2. Under Recipient email address, enter the address you want to secure and use for the common name on the certificate and select Add.

      3. Under Additional email address (optional), enter other email addresses you want the certificate to secure and select Add.

        Note: You can leave this box empty. You don't need to add any additional emails.

      4. Under Subject name, enter the recipient’s first and last name or their pseudonym.

        The recipient's name or pseudonym must be the current name or pseudonym for an individual associated with your organization. Make sure to collect and retain evidence of the individual's name or pseudonym.

        • Include the recipient’s name

          Under First name and Last name, enter the recipient’s name.

          Use supported characters in first and last names: letters from all languages, accents, spaces, period (.), comma (,), apostrophe ('), dash (-), and parentheses ( ).

        • Include the recipient’s pseudonym

          Select I want to use a pseudonym and under Pseudonym, enter the recipient’s pseudonym.

          Note: A pseudonym is a value selected by your organization to uniquely identify the subject of the certificate.

    2. Recipient's name as the common name

      The recipient's name must be the current name of an individual associated with your organization. Make sure to collect and retain evidence of the individual's name.

      1. Select Name.

      2. Under Recipient name, enter your First and Last names.

      3. Under Recipient email address, enter the address you want the certificate to secure and select Add.

        Email addresses must include domains owned or controlled by your organization.

      4. Under Additional email address (optional), enter other email addresses you want the certificate to secure and select Add.

        Note: You can leave this box empty. You don't need to add any additional emails.

  7. Additional certificate options

    Certificate key size

    When generating the certificate via your browser, you can select your certificate's algorithm and key size. DigiCert recommends using RSA 2048 unless you have specific reasons for using a different key size (for example, company policy requires a 3072-bit key size).

    In the Certificate key size menu, select the algorithm and key size for generating your CSR:

    • RSA 2048, 3072, or 4096

    • ECC p-256 or p-384

    Profile option

    In the menu, select the profile you want to use for your certificate:

    • Strict: Use this profile if you need a certificate to secure your email or are unsure which profile to select. This profile supports the Non-repudiation certificate usage.

    • Multipurpose: Use this profile if you need the additional certificate usage it supports. This profile supports the Non-repudiation, Data encipherment, and Client authentication certificate usages.

    Certificate use

    By default, Secure Email for Employee certificates are dual-use and can be used to sign and encrypt emails. However, you can update the certificate usage to meet your needs.

    1. RSA options

      To view and use the RSA options, you can add an RSA CSR. Or, you can select Generate CSR in the browser and select an RSA key size.

      Table 3. RSA certificate usages for Secure Email for Employee certificates

      | Certificate use | Additional certificate usages |
      | --- | --- |
      | Dual use - email signing and encryption | Non-repudiation: Strict and Multipurpose profiles; Data encipherment: Multipurpose profile; Client authentication: Multipurpose profile |
      | Email signing only | Non-repudiation: Strict and Multipurpose profiles; Client authentication: Multipurpose profile |
      | Email encryption only | Data encipherment: Multipurpose profile; Client authentication: Multipurpose profile |


    2. ECC options

      To view and use the ECC options, you can add an ECC CSR. Or, you can select Generate CSR in the browser and select an ECC key size.

      Table 4. ECC certificate usages for Secure Email for Employee certificates

      | Certificate use | Additional certificate usages |
      | --- | --- |
      | Dual use - email signing and encryption | Non-repudiation: Strict and Multipurpose profiles; Client authentication: Multipurpose profile; Restrict key agreement (Encipher only, Decipher only) |
      | Email signing only | Non-repudiation: Strict and Multipurpose profiles; Client authentication: Multipurpose profile |
      | Email encryption only | Client authentication: Multipurpose profile; Restrict key agreement (Encipher only, Decipher only) |


    3. Signature Hash

      DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm by default. DigiCert recommends using the default RSA settings unless you have specific reasons for using a different key size or signing algorithm (for example, company policy requires a 3072-bit key size or an RSASSA-PSS signature).

      In the Signature Hash menu, select the signature hash (SHA-256, SHA-384, or SHA-512) and signing algorithm (RSA or RSASSA-PSS) you want DigiCert to use for your certificate.

      | Signature hash + RSA | Signature hash + RSASSA-PSS |
      | --- | --- |
      | SHA-256 with RSA | SHA-256 with RSASSA-PSS |
      | SHA-384 with RSA | SHA-384 with RSASSA-PSS |
      | SHA-512 with RSA | SHA-512 with RSASSA-PSS |

      For ECC certificates, there’s a one-to-one correlation between the signature hash and the signing algorithm:

      • With the ECC p-256 key size, your certificate includes a SHA-256 signature hash with an ECDSA signing algorithm.

      • With the ECC p-384 key size, your certificate includes a SHA-384 signature hash with an ECDSA signing algorithm.

        Important

        The industry doesn’t support issuing ECC certificates with an RSASSA-PSS signing algorithm. If you require an RSASSA-PSS signature, get an RSA certificate instead.

  8. Additional order options

    Expand Additional order options and add information as needed.

    The information in this section isn’t required to issue your certificate. Adding comments and messaging is optional.

    • Additional Renewal Message (optional)

      To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal. Comments and renewal messages aren’t included in the certificate.

    • Additional emails (optional)

      Enter the email addresses (comma separated) for individuals you want receiving the certificate notification emails for certificate issuance and certificate renewals.

      These recipients don't manage the order. They receive the certificate-related emails.

  9. Payment information

    Under Payment information, select a payment method to pay for the certificate:

    • Pay with credit card

      We authorize the credit card when you make the request. However, we don't finish the transaction until we issue your certificate.

    • Pay with contract terms

      When you have a contract, it is the default payment method.

    • Pay with account balance

      Bill the cost to your account balance. To deposit funds, select the Deposit link. Selecting this link takes you to another page inside your CertCentral account. Any information entered in the request form isn't saved.

  10. Master Services Agreement

    Read through the Master Services Agreement.

  11. Select Submit Request.

    By selecting Submit Request, you agree to the Master Services Agreement.

What's next

CertCentral takes you to the Secure Email for Employee certificate's Order # details page. On this page, you can see the status of your order, what you need to do, and what DigiCert needs to do before we can issue your certificate.

Before we can issue your certificate, these tasks must be finished:

  • Demonstrate control over the domains on your order

    Do the domain validation for the email address domains on the order (demonstrate control over the domain). See Supported DCV methods for validating the domains on certificate orders.

  • Complete organization validation

    DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we call a verified phone number to speak with someone who represents the certificate requester, such as the organization or technical contact.

    To get organization consent for your certificate order:

    • Answer the organization/validation phone call (preferred method).

      After submitting your certificate order, ensure that the organization contact, technical contact, and company receptionist know you've ordered a Secure Email for Employee certificate. Tell them DigiCert calls a verified phone number to speak with one of them to ensure you have permission to order this certificate. This call usually occurs within 24 hours of the certificate order being placed.

    • Respond to the organization consent message.

      If the DigiCert validation agent can't reach someone representing you at the verified phone number, they leave a message. The message includes a callback phone number and a verification code. Make sure that the organization or technical contact responds to the message and provides the verification code.

Getting your Secure Email for Employee certificate

  • Opted to generate the CSR in the browser

    After all email addresses are validated, CertCentral sends an email with a link to the first email address on the list. The email instructs the recipient how to generate the CSR and Secure Email for Individual certificate via the browser. Learn how to generate your client certificate using DigiCert's KeyGen tool.

  • Included a CSR with your certificate order

    After all email addresses are validated, CertCentral sends the "client certificate issued" email with the certificate attached. You can also download a copy from CertCentral.