A significant update to the S/MIME Baseline Requirements will take effect on July 16, 2025. This update, mandated by the CA/Browser Forum, impacts all organizations that use public Certification Authorities (CAs) to issue S/MIME certificates for secure email.
The changes impact all Unified Endpoint Management (UEM) and Mobile Device Management (MDM) platforms that automate certificate issuance through public CAs.
** Extra info for KeyTalk customers **
KeyTalk CKMS is built with full support for S/MIME automation and complies with all S/MIME Baseline Requirements. For new customers, issuing these updated S/MIME certificates is straightforward and fully automated.
If you’re using an on-premises version of KeyTalk CKMS, a few certificate settings may need to be adjusted to meet the new standards. Our support team is available 24/7 to assist you with any configuration or implementation questions.
This change ensures that every S/MIME certificate clearly identifies the individual receiving it, making secure email communications more trustworthy and consistent across different organizations.
Detailed Explanation
The CA/Browser Forum’s S/MIME Baseline Requirements now specify that Sponsor-validated S/MIME certificates must clearly identify individuals by including their first and last names (Given Name and Surname) in the certificate’s Subject Name. This is to ensure greater identity assurance and uniformity across all public S/MIME certificates.
Sponsor-validated certificates indicate that the validation process for the certificate is based on the sponsorship of an organization or a trusted entity, rather than verifying the identity of the individual requesting the certificate. This can be particularly useful in scenarios where an organization wants to issue S/MIME certificates to its employees or members without undergoing the full verification process that might be required for personal or individually issued certificates.
If your organization uses public CAs for S/MIME certificates, you need to take the following steps:
Quick Reference Table
| Action | Who Needs to Do It | Deadline | Notes |
| --- | --- | --- | --- |
| Add Given Name and Surname to Subject | All using public CA S/MIME | July 16, 2025 | Use G={{GivenName}} and SN={{SurName}} |
| Test updated profiles before full rollout | All affected organizations | Before July 16 | Assign to a small group first |
| Plan for certificate reissuance | Anyone editing existing profiles | Upon profile edit | May incur extra costs; coordinate with CA provider |
| No action needed for private CA/no S/MIME | Not using public S/MIME CA | N/A | No changes required |
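One way to test an updated profile against the first row of the table is to audit the subject strings of the certificates it issues. The following is an added example, not KeyTalk or CA code; it assumes comma-separated subject strings as exported by your tooling, and the sample subjects are constructed.

```python
GIVEN_NAME, SURNAME = "2.5.4.42", "2.5.4.4"   # X.520 attribute OIDs

# Spellings of the attribute type seen in subject strings. "G"/"SN" is the
# form used in the table; OpenSSL prints "GN"/"SN". serialNumber (2.5.4.5)
# is a different attribute and is deliberately not an alias for SN.
ALIASES = {"g": GIVEN_NAME, "gn": GIVEN_NAME, "givenname": GIVEN_NAME,
           "sn": SURNAME, "surname": SURNAME}

def split_unescaped(text, sep):
    """Split on sep unless it is backslash-escaped or inside double quotes."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep the escaped pair together
            buf += text[i:i + 2]
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    return parts + [buf]

def parse_subject(dn):
    """Map attribute OID (or lower-cased name) to its list of raw values."""
    attrs = {}
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
            key, eq, value = ava.partition("=")
            if not eq:
                continue
            key = key.strip().lower()
            if key.startswith("oid."):           # "OID.2.5.4.42" style prefix
                key = key[4:]
            attrs.setdefault(ALIASES.get(key, key), []).append(value.strip().strip('"'))
    return attrs

def missing_name_attributes(dn):
    """Return which of givenName/surname are absent, empty or unrendered."""
    attrs = parse_subject(dn)
    def usable(value):
        return bool(value) and "{{" not in value   # "{{...}}" = template never filled
    return [label for label, oid in (("givenName", GIVEN_NAME), ("surname", SURNAME))
            if not any(usable(v) for v in attrs.get(oid, []))]
```

An empty list means both attributes are present; a subject that still contains a literal `{{GivenName}}` is reported as missing that attribute, which catches a profile whose variables were never substituted.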
The update to the S/MIME Baseline Requirements is necessary to address several longstanding issues in the way S/MIME certificates are issued and managed:
The new Baseline Requirements, set by the CA/Browser Forum, create a uniform framework so that all public S/MIME certificates meet the same high standards for identity verification, security, and compatibility.
The update brings several important benefits to end users and organizations:
1. Stronger Identity Verification
2. Enhanced Security
3. Improved Compatibility and Interoperability
4. Increased User Privacy
Summary Table: Benefits of the Update
| Benefit | Description |
| --- | --- |
| Stronger Identity Verification | Certificates must include full names, reducing impersonation risk |
| Enhanced Security | Standardized practices reduce fraud and misuse |
| Improved Compatibility | Uniform standards ensure certificates work across platforms and clients |
| Increased User Privacy | Only necessary identity information is included, protecting user data |
Key Takeaways
Final Tips
By acting early, organizations can ensure compliance, maintain secure email operations, and avoid service interruptions when the new requirements go live.
The upcoming S/MIME Baseline Requirements update is a critical compliance change for organizations issuing S/MIME certificates through public CAs. By updating your certificate profiles to include the required attributes and testing changes before the enforcement date, you can ensure continued secure email functionality and avoid service disruptions.
This update is designed to make secure email communications more trustworthy, reliable, and user-friendly for everyone. By establishing clear, uniform standards, it ensures that S/MIME certificates provide the highest level of security and confidence for all users.
The KeyTalk Team