New S/MIME requirements: Important changes to email certificates from July 2025
Why SwissSign-S/MIME certificates will change from June 2025 - and what you should do now.
What is the CA/Browser Forum?
The CA/Browser Forum is an international body that consists of leading browser manufacturers (such as Google, Mozilla, Microsoft and Apple) and certificate authorities (CAs). This forum defines the international regulations for SSL/TLS and S/MIME certificates to ensure digital security on the Internet.
Why is this important?
Without clear standards, certificates could differ in structure and content, which could lead to incompatibilities and security risks. The CA/Browser Forum (CA/B) ensures that certificates are uniform, secure and trustworthy worldwide by setting binding requirements. They are binding because only certificates that meet these requirements are accepted by browsers and email providers.
Recently, the CA/B has tightened the S/MIME Baseline Requirements – a set of rules that defines the requirements for S/MIME certificates on the Internet. These changes must now be implemented by all Certificate Authorities (including SwissSign).
What changes concretely?
Reducing the maximum lifespan of S/MIME certificates
- The maximum lifespan of an S/MIME certificate is reduced from three to two years.
- Reason: Shorter lifespans increase security because compromised certificates or those with outdated entries are replaced sooner and modern cryptographic algorithms can spread more quickly (keyword: crypto-agility).
Mandatory inclusion of first and last names or pseudonym in email gold certificates
- Until now, these details could be optional, but now they must be stored as separate attributes:
  - givenName (gn): Given name of the certificate holder
  - surname (sn): Surname of the certificate holder
  - Alternatively: Instead of a first and last name, a pseudonym can also be included.
- Why? This change ensures that certificates can be more reliably associated with a person.
Prohibition of additional attributes in the Subject Distinguished Name (SDN)
- The S/MIME Baseline Requirements define a set of typical (and allowed) attributes in the name field, the "Subject Distinguished Name" (SDN), for each certificate type.
- Previously, additional attributes were also allowed, provided they were verified. Now, SwissSign must always restrict itself to the specified attributes.
- This ban particularly affects the "UserID" (UID) attribute, which was previously allowed to be set optionally in SwissSign certificates with client authentication.
- Background: By limiting the number of name attributes to a given set, interoperability is ensured.

Do you already use S/MIME certificates? Our recommendation
Implement the new requirements early to benefit from the improved security standards and to avoid potential problems with the automated issuance of certificates.
Especially if you obtain S/MIME certificates via your Managed PKI using an automated system (email gateway or certificate lifecycle management system), please make sure that
- no three-year term is configured and
- for certificates with a name entry (Pro S/MIME email ID Gold), "givenName" and "surname" are provided as separate attributes in the request.
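A pre-flight check for the two points above plus the UID ban, as an added example that is not SwissSign code: it validates the subject and validity of a Gold request before an automated system submits it. The 730-day limit, the `K=V,K=V` subject format, the function names and the sample requests are assumptions; the permitted attribute set is passed in by the caller because this page does not list it.

```python
import re

# Assumption: the page says only "two years"; take the exact day limit from
# the CA's certificate profile. 730 days is a conservative stand-in.
MAX_VALIDITY_DAYS = 730
# Short names as written on the page, mapped to one canonical key.
ALIASES = {"gn": "givenname", "sn": "surname", "uid": "userid"}

def canon(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def parse_subject(dn):
    """Split 'K=V,K=V' into (key, value) pairs; '\\,' is an escaped comma."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed subject component: {part!r}")
        pairs.append((canon(key), value.strip().replace("\\,", ",")))
    return pairs

def check_gold_request(dn, validity_days, allowed=None):
    """Return findings for a Gold request; an empty list means it passes."""
    present = {k for k, v in parse_subject(dn) if v}
    findings = []
    if validity_days > MAX_VALIDITY_DAYS:
        findings.append(f"validity of {validity_days} days exceeds {MAX_VALIDITY_DAYS}")
    if not {"givenname", "surname"} <= present and "pseudonym" not in present:
        findings.append("givenName and surname (or a pseudonym) are required")
    if "userid" in present:
        findings.append("UserID (UID) is not permitted in the subject")
    if allowed is not None:  # caller supplies the set from the CA's profile
        extra = sorted(present - {canon(a) for a in allowed} - {"userid"})
        if extra:
            findings.append("attributes outside the profile: " + ", ".join(extra))
    return findings

# Constructed sample requests, not real SwissSign data.
SAMPLES = [
    ("CN=Anna Muster,GN=Anna,SN=Muster,O=Example AG", 730),
    ("CN=Anna Muster,O=Example AG,UID=amuster", 1095),
]

if __name__ == "__main__":
    for dn, days in SAMPLES:
        print(dn, "->", check_gold_request(dn, days) or "OK")
```

Running such a check in the gateway or lifecycle system before submission surfaces a rejected request as a configuration finding rather than as a failed issuance.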
For further questions, the SwissSign team is happy to help you on +41 848 77 66 55 or [email protected].