New SwissSign CA
A data security specialist by Swiss Post

SwissSign – the leading certificate authority (CA) in Switzerland.

Learn more about the new functionalities

Main section

The new SwissSign CA is live.

The new CA stands for first-class comfort with the same excellent quality. In order to make the migration to the new environment as smooth as possible for both existing and new customers, we have summarised the most important information for you on this page. 

You can look forward to these benefits

  • Modern, well-presented web portal, making it much easier for you to manage your certificates.

  • Always in the loop – thanks to the new graphical user interface, you can view the validity periods of issued certificates and you will also be notified automatically of any pending expiry dates to prevent expired certificates from slipping under the radar.

  • Convenient reporting: Create your reports according to your own specific requirements in the MPKI in CSV or Excel format.

  • Want to automate the process of issuing certificates? With the new REST API based on OpenAPI V3 and the ACME protocol, new interfaces for automating the process of issuing certificates are now available alongside the current CMC interface. ACME can be used with the Certbot client (ACME client based on Red Hat Enterprise Linux) or the Microsoft ACMESharp client, for example.

  • Customers that require a separate testing environment can now set up an independent test MPKI upon request.

  • If your need for different certificate types changes over time, you can now simply sign and scan the relevant order documents and send them to us by email. Product modifications can now be implemented faster than before.

What do you need to do as a customer?

SwissSign will email the login details directly to all MPKI users as soon as the new MPKI becomes available.

Please note that domains must be revalidated on the new platform if the validation was more than one year ago.

Webinar | Live demo of the new CA

Listen in to the webinar and learn more about the key functionalities of the new CA.

To the webinar (Youtube)


How do I import the new intermediate or CA certificates?

If you manually issue individual certificates via the WebGUI, you can select ‘Download certificate chain (PKCS#7)’ during the certificate download process. This chain contains the CA certificates belonging to your certificate. If you are running a certificate lifecycle management system or an email gateway, you should import the following CA certificates into your system:


For email/SMIME:

The SwissSign Gold G2 Root CA remains the root of trust for all of these certificates. These can be downloaded here upon request.

The CA certificates or chains of trust listed above can also be downloaded in a file:

RSA SMIME + TLS (2022 - 1)

RSA SMIME (2022 - 1)

RSA TLS (2022 - 1)

How can we find out which operators previously had access to the existing MPKI?

The operators with access to your MPKI are specified in the order documents that you sent to SwissSign. If you are unable to find this information, please contact [email protected].

What is SwissID?

SwissID is a secure login service from SwissSign. More information on SwissID is available on our webpage

Why do I now need a SwissID to log in to MPKI?

According to regulatory requirements, SwissSign must be able to uniquely verify the identity of the operators issuing certificates in an MPKI. The SwissID allows you to meet these requirements in a simpler and more user-friendly manner. Step-by-step instructions for checking your identity are available at this link.

How long can I still use the old MPKI for?

Your previous MPKI will remain active after the start of the migration until the date we have notified you of by e-mail. The registered RA operators will receive a notification approximately 15 days before the deactivation of the previous MPKI.

We currently use the automated process of issuing certificates via the CMC interface. Will this also be possible in the future?

Yes. The CMC interface will also be available in the new MPKI. Alternatively, however, you can use the new interfaces for the automated process of issuing certificates. In addition to CMC, the new MPKI also provides the following interfaces and protocols:

  • REST API based on OpenAPI V3
  • ACME protocol based on the Certbot clients (ACME client based on Red Hat Enterprise Linux) or based on the ACMESharp clients, for example

For more information, please visit our website.

I’ve noticed that I have fewer certificate products available to issue in the new MPKI compared to the old platform. Why is that the case?

The active certificate with highest validity in your existing MPKI is used as a reference for the migration; this is based on the following logic:

Previous: SSL Silver (DV) oder S/MIME Silver resp. S/MIME Silver extended
New: MPKI DV, ausschliesslich Domain-validierte Zertifikate

Previous: SSL Gold (OV) oder S/MIME Gold

Previous: SSL Gold EV (EV)

The migration will mean more transparency in the MPKI and less administrative effort for you.