Frequently Asked Questions: S/MIME (email) Certificates

Frequently Asked Questions - Email Certificates


Q) What are the recommended browsers for requesting an email Certificate ?
A) Internet Explorer and Firefox ESR (version 68.x or earlier) are the recommended browsers for initiating an email Certificate Request.

Q) Why can't I use Chrome or Edge browsers ?
A) In order to request an email Certificate, the browser must support a key generation mechanism which is supported by the server. Currently, Chrome and Edge browsers do not support this function and are therefore unable to initiate an email Certificate request.

Q) How do I collect and install my email Certificate ?
A) Email Certificates are Personal Certificates, which can only be collected using a link sent through a Certificate Collection email. The certificate must be collected on the same system and with the same browser that was used to initiate the Certificate Request. Refer to the article "How to Collect a Personal Authentication Certificate" for step-by-step instructions.

Q) How do I backup my email Certificate ?
A) After you successfully collect your email certificate, it is available in the keystore used by the browser. You can then export the certificate from the browser in PKCS#12 (PFX/P12) format, which contains the Certificate and its corresponding Private Key. Refer to the article "Email and Authentication Certificate Support" for a step-by-step guide using the recommended browsers.

Q) How do I create a backup of my Private Key ?
A) The Private Key for an email Certificate is generated in the client browser at the time the Certificate is requested and remains on the user's system. Users can create a backup of the Private Key along with the Certificate in PKCS#12 format after collecting the email Certificate. Refer to the article "Email and Authentication Certificate Support" for a step-by-step guide using the recommended browsers.

Q) How do I export my Public Key ?
A) The Public Key of an email Certificate can be exported from the browser used to collect the certificate. Exporting a certificate without the Private Key will only allow you to export the Public Key.
Refer to article "How to export the Public Key from an email Certificate" for step by step instructions.
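The difference between a PKCS#12 backup (Certificate plus Private Key) and a public-only export can be checked from the command line. This is an added example, not part of the original FAQ or of Sectigo's tooling; it assumes the `openssl` CLI, and the function names, the alice@example.test identity and the passwords are hypothetical.

```shell
#!/bin/sh
# Constructed demo identity: a throwaway self-signed certificate exported to
# PKCS#12. The address and passwords are placeholders, not real values.
make_demo_p12() {  # $1 = work dir, $2 = export password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Alice Demo/emailAddress=alice@example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name "demo S/MIME" -passout "pass:$2" -out "$1/backup.p12"
}

# Succeeds only if the file opens with the password AND the Private Key inside
# it matches the Certificate inside it, i.e. the backup is actually restorable.
p12_is_usable_backup() {  # $1 = .p12 file, $2 = password
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Writes the Certificate only (the part that is safe to share) and confirms
# that no Private Key material ended up in the output file.
p12_export_public() {  # $1 = .p12 file, $2 = password, $3 = output PEM
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        -out "$3" 2>/dev/null || return 1
    ! grep -q "PRIVATE KEY" "$3"
}

demo_dir=$(mktemp -d)
make_demo_p12 "$demo_dir" "constructed-pass" &&
    p12_is_usable_backup "$demo_dir/backup.p12" "constructed-pass" &&
    p12_export_public "$demo_dir/backup.p12" "constructed-pass" "$demo_dir/public.pem" &&
    echo "backup verified; shareable certificate: $demo_dir/public.pem"
# A wrong password fails the check: the file cannot be opened without it.
p12_is_usable_backup "$demo_dir/backup.p12" "wrong-pass" ||
    echo "wrong password: backup cannot be opened"
```

Running the check right after an export confirms that the backup can be restored before the original browser keystore is relied on no longer.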

Q) What is the advantage of signing an email ?
A) A digital signature attached to an email message offers another layer of security and provides additional assurance to the recipient, that you—not an impostor—signed the contents of the email message. Your digital signature, which includes your certificate and public key, originates from your digital ID. That digital ID serves as your unique digital mark and signals the recipient that the content hasn't been altered in transit.

Q) How does an email get encrypted ?
A) An email is encrypted by using the "Public Key" of the sender, so only the recipient who owns the corresponding "Private Key" can read the encrypted email.

Q) Does the recipient of an encrypted email require an email Certificate?
A) Yes, an email can only be encrypted using the 'Public Key' of the recipient.

Q) How do I share my public key with potential email recipients ?
A) As the sender requires the 'Public Key' of the recipient for sending encrypted emails, the sender must share their 'Public Key' with their recipient. You can accomplish this by sending them a 'Signed' email. In an Exchange Server environment, users can publish their 'Public Key' to the GAL [Publish to GAL], so that users from the same organization can fetch the Public Key of their recipient from the GAL.
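The exchange described in the answers above (a signed email hands over the signer's certificate, and encryption uses the recipient's 'Public Key') can be reproduced with the `openssl smime` command. This is an added example, not part of the original FAQ; the function names and the example.test identities are hypothetical, and the self-signed certificates stand in for CA-issued ones.

```shell
#!/bin/sh
# Constructed identities; example.test addresses are placeholders.
make_identity() {  # $1 = file prefix, $2 = email address
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2/emailAddress=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Signing uses the signer's Private Key; the signed message carries the
# signer's certificate, which is how a signed email distributes the Public Key.
sign_message() {  # $1 = signer prefix, $2 = plaintext file, $3 = signed output
    openssl smime -sign -in "$2" -signer "$1.crt" -inkey "$1.key" -out "$3" 2>/dev/null
}

# Verify the signature, then save the signer certificate found in the message.
# $2 is the trust anchor; in this demo the self-signed certificate stands in
# for the issuing CA's root.
collect_signer_cert() {  # $1 = signed message, $2 = trust anchor, $3 = cert output
    openssl smime -verify -in "$1" -CAfile "$2" -signer "$3" -out /dev/null 2>/dev/null
}

# Encryption needs only the recipient's certificate (Public Key).
encrypt_to() {  # $1 = recipient certificate, $2 = plaintext file, $3 = output
    openssl smime -encrypt -aes256 -binary -in "$2" -out "$3" "$1" 2>/dev/null
}

# Decryption needs the Private Key matching the certificate encrypted to.
decrypt_with() {  # $1 = identity prefix, $2 = encrypted message; plaintext on stdout
    openssl smime -decrypt -in "$2" -recip "$1.crt" -inkey "$1.key" 2>/dev/null
}

dir=$(mktemp -d)
make_identity "$dir/alice" alice@example.test
make_identity "$dir/bob" bob@example.test
printf 'constructed test message\n' > "$dir/msg.txt"
# Bob sends Alice a signed email; Alice keeps his certificate from it.
sign_message "$dir/bob" "$dir/msg.txt" "$dir/signed.eml"
collect_signer_cert "$dir/signed.eml" "$dir/bob.crt" "$dir/bob_from_mail.crt"
# Alice can now encrypt to Bob; only Bob's Private Key opens the message.
encrypt_to "$dir/bob_from_mail.crt" "$dir/msg.txt" "$dir/enc.eml"
decrypt_with "$dir/bob" "$dir/enc.eml"
decrypt_with "$dir/alice" "$dir/enc.eml" || echo "alice's key cannot decrypt it"
```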

Q) Can I use my email certificate on mobile devices ?
A) Yes, an email Certificate can be ported to your personal mobile devices, such as mobile phones, laptops, tablets, etc. You will have to export your Certificate into PKCS#12 format and then import the PKCS#12 file on the personal device. You will then be able to configure S/MIME on your mobile devices.

Q) How do I revoke a Free email Certificate ?
A) A Free email Certificate can be revoked using the link below. You must use the revocation password set while applying for the certificate.
https://secure.sectigo.com/products/!SecureEmailCertificate_Revoke
If you have forgotten the revocation password, please create a support ticket at https://sectigo.com/support-ticket to request revocation of the Certificate.

Q) Can I reset the Revocation Password of a Free email Certificate ?
A) No, users are required to set a revocation password at the time they applied for the Free email Certificate. The password can then be used to revoke an email Certificate. It is impossible to reset the revocation password. However, you can create a revocation request by logging a support ticket here https://sectigo.com/support-ticket.

Q) How do I renew my email Certificate ?
A) Renewal is nothing more than ordering / requesting a new email Certificate for the same email address. You will receive a new email certificate upon request.

Q) Can I remove expired email Certificates from my system ?
A) Yes; however, removing an email Certificate will delete the certificate and its Private Key. If you remove the expired Certificate from your system, you will not be able to read any old emails encrypted using the expired certificate. Therefore, it is not recommended that you remove any expired certificates. If you really want to remove an expired certificate, please make sure you have it backed up in PKCS#12 format before removing it from your system.

Q) Should I re-send my Public Key to a recipient after I renew my certificate ?
A) Yes, you will receive a new Key Pair when your certificate is renewed. It is mandatory to distribute your new Public Key to your recipients, so they can continue to send encrypted emails to you.

Q) Can I recover/reset the password given to a P12/PFX file ?
A) No. Passwords for PFX/P12 files are assigned by the user at the time of exporting the file from the browser. It is impossible to reset or recover a lost password of a PFX file. However, if you have access to the original system and browser used to collect the certificate, you can re-export the certificate into PKCS#12 format, so that you will get a new PFX file.

Q) What should I do if I have lost my email Certificate ?
A) We always recommend that our customers perform a backup of their email Certificate in PKCS#12 format. If you have a backup in place, then you can recover the certificate from the backup. You will need to import the PKCS#12 file on to your system, so that you can recover the certificate. If you don't have a backup of the certificate in PKCS#12 format, then you need to revoke the existing certificate and order a new one.

Q) What should I do if I have lost my Corporate email Certificate ?
A) If you have a backup of the certificate in PKCS#12 format, you can recover it from the backup. If you don't have a backup of the certificate, then you need to revoke the certificate and purchase a new one.