Skip to main content

Order your Secure Email for Individual certificate

Use your Secure Email for Individual certificate to sign and encrypt your emails. Signing authenticates your emails as coming from you, adding an extra level of assurance for recipients, while encryption protects sensitive email data.

With this certificate, you can secure emails on your own domains and from public email service providers such as Gmail, Outlook, Yahoo, Hotmail, and MSN.

Before you begin

You must provide a certificate signing request (CSR) before DigiCert can issue your Secure Email for Individual certificate. You can include a CSR with your request. Or, after submitting your request, you can generate it in the browser.

  • Provide a CSR now.

    You can only add a CSR when you place your request. After submitting your order, you cannot add or update a CSR.

    Secure Email certificates support the following algorithms and key lengths:

    • RSA 2048, 3072, and 4096

    • ECC p-256 and p-384

    We only use the public key embedded in the CSR to create your certificate. All other fields in the CSR are ignored. Learn how to Create a CSR (Certificate Signing Request).

  • Provide a CSR later.

    After DigiCert processes your order and you complete the necessary email address validation, we send instructions to the email recipient for generating the CSR and certificate in their browser.

    For browser-generated certificates, we use an RSA algorithm, SHA256 signature hash, and a 2048-bit key length CSR.

    Learn how to Generate your client certificate using DigiCert's KeyGen tool.

Order a Secure Email for Individual certificate

  1. In the left main menu, go to Request a Certificate > Secure Email Certificates > Secure Email for Individual.

  2. Certificate validity

    On the Request Secure Email for Individual Certificate page, under Certificate validity, do the following:

    1. Validity period

      Select a validity period for the certificate: 1 year, 2 years, 3 years, custom expiration date, or custom length.

    2. Auto-renew

      To set up automatic renewal for this certificate, check Auto-renew order 30 days before expiration.

      With auto-renew enabled, DigiCert automatically submits a request to renew the order thirty days before it expires. This option is not available if you pay with a credit card.

      You must charge the order to the account balance to use the automatic renewal option. To configure your account's finance settings, in the left main menu, go to Finances > Settings.

  3. Add your CSR

    You can add your CSR now or generate it in your browser after DigiCert processes your order, and we are ready to issue it.

    1. Generate CSR in the browser

      To generate the CSR and your certificate via the browser, select Generate CSR in the browser. For this option, we send instructions to the email recipient for using the DigiCert KeyGen tool to generate the CSR and certificate in their browser.

    2. I have my CSR

      To include a CSR with your request, select I have my CSR. Then, upload or paste your CSR in the box.

      Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

  4.  Certificate email

    1. Common name (email)

      In the box, enter the recipient email address you want to secure, and appear as the common name on the certificate.

    2. Additional recipient email address(es)

      In the box, enter any additional email addresses you want to secure with the certificate. You can leave this box empty.

  5. Additional certificate options

    By default, all DigiCert Secure Email certificates are dual use for signing and encryption. However, you can update the certificate usage to meet your needs.

    • To view and use the RSA options, add an RSA CSR to the request form or generate the CSR via the browser.

    • To view and use the ECC options, add an ECC CSR to the request form.

  6. Additional order options

    Expand Additional order options and add information as needed.

    The information in this section is not required to issue your certificate. Adding comments and messaging are optional.

    • Additional Renewal Message (optional)

      To create a renewal message for this certificate, type a renewal message with information that might be relevant to the certificate’s renewal.

      Comments and renewal messages are not included in the certificate.

    • Additional emails (optional)

      Enter the email addresses (comma separated) for the people you want to receive the certificate notification emails with information such as certificate issuance and certificate renewals. These recipients don't manage the order. They only receive all the certificate-related emails.

    • Signature Hash

      DigiCert issues RSA and ECC certificates with the SHA-256 signature hash by default. Unless you require a different signature hash, we recommend using the default.

      In the dropdown, select the signature hash you want DigiCert to use for your certificate.

      Supported signature hashes:

      • RSA: 256, 384, and 512

      • ECC: 256 and 384

    • Signature algorithm

      To get an RSA or ECC certificate with an RSASSA-PSA signature algorithm, check Sign with the RSASSA-PSS signature algorithm.


      By default, your Secure Email certificate's signature algorithm matches the algorithm in the CSR (RSA CSR – RSA signature algorithm, ECC CSR – ECC signature algorithm).

  7. Select payment method

    Under Payment information, select a payment method to pay for the certificate:

    1. Pay with credit card

      Don’t have a contract or don’t want to use the contract to pay for this certificate? Use a credit card to pay for the certificate.


      We authorize the card when the request is made. However, we only complete the transaction once we issue your certificate.

    2. Pay with contract terms

      Do you have a contract and want to use it to pay for the certificate? Use the contract to pay. Note that when you have a contract, it is the default payment method.

    3. Pay with account balance

      Don’t have a contract or don’t want to use the contract to pay for this certificate? Bill the cost to your account balance.

      To deposit funds, select the Deposit link. Selecting the Deposit link takes you to another page inside your CertCentral account. Any information entered in the request form will not be saved.

  8. Master Services Agreement

    Read through the Master Services Agreement.

  9. Select Submit Request.

    By selecting Submit Request, you agree to the Master Service Agreement.

What's next

CertCentral takes you to the certificate’s Order # details page, where you can see the status of the email address verifications.

DigiCert sends an email containing a link to each email address listed in the certificate request so the recipient can validate that they own that email address. If the certificate recipient loses a validation email, you can resend it; see How to resend an email validation for DigiCert "client certificate" email.

Getting your Secure Email for Individual certificate

  • Generate CSR in the browser

    After all email addresses are validated, a link will be sent to the first email address on the list so the recipient can generate the CSR and Secure Email certificate via the browser. See Generate your client certificate.

  • Included a CSR with your request

    If you submitted a CSR with your request, the client certificate will be attached to the "client certificate issued" email. You can also download a copy from your account.