Changing validity period of email certificates
Please take notice of the following information:
Apple has published an updated Rootstore Policy or “Root Certificate Program”. This policy defines the requirements that providers of certificate services like SwissSign need to fulfil in order to be considered trustworthy by Apple.
What changes can you expect?
Stricter requirements for email certificates will be introduced on 1 April 2022. In particular, the technical validity period of such certificates will now be restricted to two years.
This means that from March 2022, SwissSign will not be issuing any further email certificates with a three-year validity period; only email certificates with a validity period of one or two years will be available from this date. However, email certificates with a validity of three years that are issued before 1 April 2022 will remain valid even after this date and will not be revoked.
Please note that this adjustment affects the technical validity period only. The technical validity period might differ from the commercial duration of your Managed PKI contract or webshop purchase.
What do you need to do as a customer?
- Automated method (Managed PKI only):
If you obtain the email certificates automatically, your ‘email gateway’ appliance must be configured correctly (‘Certificate Management over CMS’ - CMC). In this case, the certificate validity period can be adjusted via the ‘validity’ parameter. In the past, certificates with a validity period of three years could be obtained by setting ‘validity=3y’. This value will no longer be permitted in the future. We therefore ask that you remove the ‘validity’ parameter from your requests entirely.
- Manual method:
No immediate action is required on your part for email certificates obtained via our WebGUI. However, the reduced validity periods must be taken into account when planning certificate renewals; going forward, this action must be taken at least every two years.
We recommend, where possible, that you use ‘email gateways’ to simplify the process of obtaining and applying email certificates. A list of providers who are also partners of SwissSign can be found on our website.
Thank you for your attention and please do not hesitate to send any further questions to firstname.lastname@example.org.
The SwissSign team