S/MIME changes | SwissSign

Navigate on SwissID

A data security specialist by Swiss Post
Adrian Müller • 02.04.2025

New S/MIME requirements: Important changes to email certificates from July 2025

Why SwissSign-S/MIME certificates will change from June 2025 - and what you should do now.

Starting in July 2025, more stringent international regulations for the issuance of S/MIME certificates will come into effect. These changes aim to increase the security and interoperability of email certificates. SwissSign will therefore adjust certain features of its email certificates starting in June 2025.

What is the CA/Browser Forum?

The CA/Browser Forum is an international body that consists of leading browser manufacturers (such as Google, Mozilla, Microsoft and Apple) and certificate authorities (CAs). This forum defines the international regulations for SSL/TLS and S/MIME certificates to ensure digital security on the Internet.

Why is this important?

Without clear standards, certificates could differ in structure and content, which could lead to incompatibilities and security risks. The CA/Browser Forum (CA/B) ensures that certificates are uniform, secure and trustworthy worldwide by setting binding requirements. They are binding because only certificates that meet these requirements are accepted by browsers and email providers.

Recently, the CA/B has tightened the S/MIME Baseline Requirements – a set of rules that defines the requirements for S/MIME certificates on the Internet. These changes must now be implemented by all Certificate Authorities (including SwissSign).

What changes concretely?

Reducing the maximum lifespan of S/MIME certificates

  • The maximum lifespan of an S/MIME certificate is reduced from three to two years.

  • Reason: Shorter lifespans increase security by replacing compromised certificates or those with outdated entries and by allowing modern cryptography algorithms to spread more quickly (keyword: crypto-agility).

 

Mandatory inclusion of first and last names or pseudonym in email gold certificates

  • Until now, these details could be optional, but now they must be stored as separate attributes: 

    • givenName (gn): Given name of the certificate holder 

    • surname (sn): surname of the certificate holder 

    • Alternatively: Instead of a first and last name, a pseudonym can also be included.

  • Why? This change ensures that certificates can be more reliably associated with a person.

 

Prohibition of additional attributes in the Subject Distinguished Name (SDN)

  • The S/MIME Baseline Requirements define a set of typical (and allowed) attributes in the name field, the "Subject Distinguished Name" (SDN), for each certificate type.

  • Previously, additional attributes were also allowed, provided they were verified. Now, SwissSign must always restrict itself to the specified attributes.

  • This ban particularly affects the "UserID" (UID) attribute, which was previously allowed to be set optionally in SwissSign certificates with client authentication.

  • Background: By limiting the number of name attributes to a given set, interoperability is ensured.

Do you already use S/MIME certificates? Our recommendation

Implement the new requirements early to benefit from the improved security standards and to avoid potential problems with the automated issuance of certificates.

Especially if you obtain S/MIME certificates via your Managed PKI using an automated system (email gateway or certificate lifecycle management system), please make sure that

  • no three-year term is configured and

  • for certificates with a name entry (Pro S/MIME email ID Gold), "givenName" and "surname" must be provided as separate attributes in the request.

For further questions, the SwissSign team is happy to help you on +41 848 77 66 55 or [email protected].

You are not yet using S/MIME certificates? What you should do now

 

1. Choose your certificate and secure your online or email communication right away: Buy the certificate now in our webshop. A simple installation guide is included.

Order certificates now

2. Simplify your certificate management for TLS/SSL and email: With our Managed PKI (MPKI), you can manage certificates for your employees and webservers independently and individually according to your needs and save compared to buying individual certificates.

Order MPKI now

3. Let us advise you on how to optimise your PKI set up - would a multi-PKI be cheaper? How could you further automate the display and management of certificates?

Request a consultation now

4. If you have learned something from our article, please feel free to share it with others in your organisation. You can also save the link for later or share it on LinkedIn 👇

To the overview

This might also interest you

Adrian Mueller • 21.11.2024

PKI – what is public key infrastructure?

What is a public key infrastructure (PKI)? The basis of SSL certificates, digital signatures and more – for digital security and efficiency within companies
Cyber Security Certificates
Mark Vincent • 11.03.2025

Implementing digital signatures in financial institutions: Overcoming five key challenges

Financial institutions face significant hurdles when implementing a digital signature solution. From cybersecurity risks to regulatory compliance and operational efficiency, these challenges can delay or even prevent adoption. This article explores five key obstacles and explains how banks can overcome them.
Signature Cyber Security
SwissSign • 10.03.2025

SwissSign selected for EU's Large-Scale Pilot Project to drive adoption of European Digital Identity Wallet (EUDI Wallet)

SwissSign is participating in the "We Build" Consortium, which has recently been selected by the European Commission for its Large-Scale Pilot, one of the EU’s key initiatives driving the adoption of the European Digital Identity Wallet (EUDI Wallet).
Cyber Security Identity

SwissSign

Ressources

Knowledge

Support

A data security specialist
by Swiss Post

The ‘Die Post’ logo takes you to the ‘Die Post’ website.