Upcoming S/MIME Baseline Requirements Update: What You Need to Know

11 Jul ‘25

A significant update to the S/MIME Baseline Requirements will take effect on July 16, 2025. This update, mandated by the CA/Browser Forum, impacts all organizations that use public Certification Authorities (CAs) to issue S/MIME certificates for secure email.  

The changes impact all Unified Endpoint Management (UEM) and Mobile Device Management (MDM) platforms that automate certificate issuance through public CAs.  

 

** Extra info for KeyTalk customers ** 

KeyTalk CKMS is built with full support for S/MIME automation and complies with all S/MIME Baseline Requirements. For new customers, issuing these updated S/MIME certificates is straightforward and fully automated. 

If you’re using an on-premises version of KeyTalk CKMS, a few certificate settings may need to be adjusted to meet the new standards. Our support team is available 24/7 to assist you with any configuration or implementation questions. 

 

Summary of the Update 

  • Enforcement Date: July 16, 2025 
  • Scope: All public CAs issuing S/MIME certificates 
  • Key Requirement: All Sponsor-validated S/MIME certificates must include the “Given Name” and “Surname” attributes in the certificate Subject Name. Certificates missing these will be rejected by public CAs. 

This change ensures that every S/MIME certificate clearly identifies the individual receiving it, making secure email communications more trustworthy and consistent across different organizations. 

 

Detailed Explanation 

What Is Changing? 

The CA/Browser Forum’s S/MIME Baseline Requirements now specify that Sponsor-validated S/MIME certificates must clearly identify individuals by including their first and last names (Given Name and Surname) in the certificate’s Subject Name. This is to ensure greater identity assurance and uniformity across all public S/MIME certificates. 

Sponsor-validated certificates indicate that the validation process for the certificate is based on the sponsorship of an organization or a trusted entity, rather than verifying the identity of the individual requesting the certificate. This can be particularly useful in scenarios where an organization wants to issue S/MIME certificates to its employees or members without undergoing the full verification process that might be required for personal or individually issued certificates. 

 

Who Is Impacted by This Update? 

  • Any organization using public CAs for S/MIME certificates. 
  • This includes those using platforms like Microsoft Intune, ManageEngine Endpoint Central, Workspace ONE, Ivanti, Jamf, Cisco Meraki, Scalefusion, BlackBerry UEM, and others. 
  • IT administrators and teams who manage certificate profiles or templates for automated S/MIME certificate issuance. 
  • Not impacted: Organizations using only private/internal CAs for S/MIME, or those not using S/MIME certificates for email. 

 


 

What Needs to Change? 

If your organization uses public CAs for S/MIME certificates, you need to take the following steps: 

  • Review Certificate Profiles or Templates 
    • Check all SCEP or similar certificate profiles/templates used for S/MIME. 
  • Update the Subject Name Format 
    • Make sure the Subject Name field includes:
      • G={{GivenName}}
      • SN={{SurName}}
    • Without these, certificate requests will be rejected by public CAs after July 16, 2025.
  • Test Before Rolling Out Changes 
    • Create or update a profile with the new attributes. 
    • Assign it to a small group first to verify successful certificate issuance and email functionality. 
  • Plan for Certificate Reissuance 
    • Editing existing profiles triggers reissuance for all users. This could lead to extra costs, depending on your agreement with your CA. 
  • Coordinate with Your CA Provider 
    • Confirm your CA is ready for the new requirements and ask about any process or cost changes. 
  • Monitor for Further Updates 
    • Stay informed through your platform provider and CA for any new guidance or support resources. 
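
As an added example (not KeyTalk's or any platform vendor's code), the following script audits exported Subject Name format strings for the two required attributes before a profile is rolled out. The profile names, the CN/E placeholders, and the acceptance of long attribute names and OIDs alongside G and SN are assumptions made for illustration.

```python
import re

# Attribute keys accepted for each required field. G and SN are the forms the
# article gives; the long names and OIDs (2.5.4.42 givenName, 2.5.4.4 surname)
# are added here as an assumption about what a platform may also accept.
REQUIRED = {
    "Given Name": {"g", "givenname", "2.5.4.42"},
    "Surname": {"sn", "surname", "2.5.4.4"},
}

def split_rdns(subject):
    """Split a Subject Name format on ',' or '+' that is not backslash-escaped."""
    parts = re.split(r"(?<!\\)[,+]", subject)
    return [p.strip() for p in parts if p.strip()]

def missing_attributes(subject):
    """Return the required attributes that are absent or have an empty value."""
    present = set()
    for rdn in split_rdns(subject):
        key, sep, value = rdn.partition("=")
        if sep and value.strip():
            present.add(key.strip().lower())
    return [name for name, keys in REQUIRED.items() if not (keys & present)]

def audit_profiles(profiles):
    """Map profile name -> list of missing attributes (empty list = ready)."""
    return {name: missing_attributes(fmt) for name, fmt in profiles.items()}

# Constructed sample profiles; names and the CN/E placeholders are hypothetical.
SAMPLE_PROFILES = {
    "smime-legacy": "CN={{UserName}},E={{EmailAddress}}",
    "smime-updated": "CN={{UserName}},E={{EmailAddress}},G={{GivenName}},SN={{SurName}}",
    "smime-partial": "CN=Doe\\, Jane,G={{GivenName}},SN=",
}

if __name__ == "__main__":
    for profile, missing in audit_profiles(SAMPLE_PROFILES).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{profile}: {status}")
```

A profile that reports missing attributes should be corrected and tested on a small group before assignment, as described in the steps above.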

 

Quick Reference Table 

| Action | Who Needs to Do It | Deadline | Notes |
|---|---|---|---|
| Add Given Name and Surname to Subject | All using public CA S/MIME | July 16, 2025 | Use G={{GivenName}} and SN={{SurName}} |
| Test updated profiles before full rollout | All affected organizations | Before July 16 | Assign to a small group first |
| Plan for certificate reissuance | Anyone editing existing profiles | Upon profile edit | May incur extra costs; coordinate with CA provider |
| No action needed for private CA/no S/MIME | Not using public S/MIME CA | N/A | No changes required |

 

Why Is the S/MIME Baseline Requirements Update Needed? 

The update to the S/MIME Baseline Requirements is necessary to address several longstanding issues in the way S/MIME certificates are issued and managed: 

  • Lack of Consistency: Previously, there were no universal standards for how public Certification Authorities (CAs) issued S/MIME certificates. Each CA could have its own process, leading to inconsistencies and potential security gaps. 
  • Varying Levels of Identity Assurance: Without clear rules, the information included in certificates (such as names or email addresses) could differ, making it harder to trust the identity behind a secure email. 
  • Security Risks: Inconsistent practices increased the risk of certificates being misused or issued to the wrong person, which could compromise the security of email communications. 

The new Baseline Requirements, set by the CA/Browser Forum, create a uniform framework so that all public S/MIME certificates meet the same high standards for identity verification, security, and compatibility. 

 

What Are the Benefits for Users? 

The update brings several important benefits to end users and organizations: 

1. Stronger Identity Verification 

  • Clear Identification: By requiring that each Sponsor-validated S/MIME certificate includes the “Given Name” and “Surname” attributes, the certificate now clearly identifies the individual recipient. This reduces the risk of impersonation and ensures that secure emails are sent to the right person. 
  • Greater Trust: Recipients can be more confident that a digitally signed or encrypted email truly comes from the person named in the certificate. 

2. Enhanced Security 

  • Reduced Fraud: Standardizing the information in certificates makes it harder for attackers to obtain fraudulent certificates or misuse them for phishing or other attacks. 
  • Better Protection of Sensitive Data: With stricter rules, the certificates used to encrypt and sign emails are more reliable, helping to keep sensitive communications private and tamper-proof. 

3. Improved Compatibility and Interoperability 

  • Uniform Standards: All public CAs now follow the same rules, so S/MIME certificates will work more reliably across different email clients and services. 
  • Easier Troubleshooting: IT teams will have a clearer understanding of what to expect from certificates, making it easier to manage and resolve issues. 

4. Increased User Privacy 

  • Controlled Information: The update limits what information can be included in the certificate, protecting users from unnecessary data exposure while still ensuring strong identity validation. 

 

Summary Table: Benefits of the Update 

| Benefit | Description |
|---|---|
| Stronger Identity Verification | Certificates must include full names, reducing impersonation risk |
| Enhanced Security | Standardized practices reduce fraud and misuse |
| Improved Compatibility | Uniform standards ensure certificates work across platforms and clients |
| Increased User Privacy | Only necessary identity information is included, protecting user data |

 

 

Key Takeaways 

  • The update is universal: All public CA S/MIME certificate issuance must comply, regardless of platform. 
  • Manual action is required: No platform will update your profiles automatically. 
  • Testing is important: Always verify changes with a small group before rolling out to everyone. 
  • Private CA users or those not using S/MIME for email are not affected. 

 

Final Tips 

  • Start reviewing and updating your certificate profiles now to avoid last-minute issues. 
  • Communicate with your CA and platform provider for the latest support and guidance. 
  • Make sure your users are prepared for any changes in certificate issuance or email security workflows. 

By acting early, organizations can ensure compliance, maintain secure email operations, and avoid service interruptions when the new requirements go live. 

 

Conclusion 

The upcoming S/MIME Baseline Requirements update is a critical compliance change for organizations issuing S/MIME certificates through public CAs. By updating your certificate profiles to include the required attributes and testing changes before the enforcement date, you can ensure continued secure email functionality and avoid service disruptions. 

This update is designed to make secure email communications more trustworthy, reliable, and user-friendly for everyone. By establishing clear, uniform standards, it ensures that S/MIME certificates provide the highest level of security and confidence for all users. 

 


The KeyTalk Team  

 

 
