Secure / Multipurpose Internet Mail Extensions (S/MIME) is a standard for the encryption and signing of emails using a hybrid crypt system. S/MIME is used in many protocols in the application layer such as email or AS2. In practice, S/MIME is used for the encryption of emails. It is important to distinguish that S/MIME differs significantly from SSL / TLS. S/MIME encrypts the message itself, SSL / TLS encrypts the transport level or the location via which the email is sent.

How does S/MIME encryption work?

Using S/MIME encryption technology, the content of an email address is secured using a public and private key, which are always linked to one another. As the sender of the message, you always encrypt your email with the public key (also known as the public key). This can be shared in different ways - the simplest way is to send a signed email back and forth between the two communication participants.

Since the two keys (Private & Public Key) are linked, the email can now be decrypted. As long as the private key is in your possession, the email can be decrypted. We recommend that you only export the private key to secure environments, otherwise the risk of decrypting your encrypted messages increases.

In addition to encryption, the sender proves with every signed or encrypted message that the e-mail comes from the sender and was not changed or damaged during the transmission. This minimizes the risk of phishing, since the identification of the respective sender is made visible directly in Outlook using a signature or encryption symbol.

Why should we use S/MIME email certificates at all?

In view of the latest data scandals in recent years (Cambridge Analytics / Facebook; cyber attack on British Airways; hacker attack on personal data of the Marriot International Hotel), the SAS analysis software conducted an online survey among private individuals to determine their opinion on data protection.

Almost three quarters (73 percent) of respondents said they are more concerned about data protection than they were a few years ago. And 64 percent of people say their data is less secure today than it was a few years ago.

It is questionable when you consider that the USA does not currently have such a sophisticated data protection law as the European Union with the GDPR (General Data Protection Regulation).


Email compliance with EU / GDPR (GDPR) / EDIFACT

In 2016, the European Union passed the General Data Protection Regulation (GDPR), replacing the 1995 data protection directive with stricter and more modern data protection. The requirements of the GDPR are now recognized as a right across the European Union. Article 25 of the GDPR requires all companies to independently secure data protection and processes with personal data. In most cases, encryption is still considered best practice - regardless of this, the data must be protected and secured with confidence. In addition to the GDPR, Denmark requires all companies to encrypt all emails with confidential and personal information.

To what extent the punishment for violations of the provisions of the GDPR are checked by the assigned authorities. Companies that protect their data incompletely and do not send e-mails encrypted bear the risk of data breaches. In the event of a violation, penalties of up to 4% of global annual sales or up to 20 million euros can be issued. This applies in particular to the loss, modification or unauthorized transfer of data should it lead to a violation. However, the penalty can be reduced or even waived if you as a company can show the authorities that you have taken all measures to protect the personal data. This includes the use of the latest technology and the use of SSL as well as S / MIME certificates to secure mail communication with your customers.

EDIFACT (Electronic Data Interchange for Administration, Commerce and Transport)

EDIFACT is a cross-divisional international standard for the format of electronic data in business transactions. EDIFACT is regarded as the standard by various international states and associations. Due to the complexity in the industries, subsets of EDIFACT were developed for certain user groups such as electricity & gas (Edi @ Energy) or for the electronics, software and telecommunications industry (EDIFICE).

Companies that are subject to EDIFACT have different options for signing and encrypting messages. Possible protocols are EDINNT AS1, AS2, S/MIME and others that are not defined. Depending on which subsets your company is affiliated with, expanded requirements must be met in order to comply with the EDIFACT guidelines.

Definition: What is an EDIFACT file?

An EDIFACT file is a simple text file that can be opened using a text editor. The special thing about EDIFACT files is the structure (syntax) of the files - each file has the same structure and the recipient knows in advance where and what content can be found.

Which EDIFACT SUBSETS are there?

  • CEFIC - chemical industry
  • EANCOM - consumer goods industry
  • Edi@Energy - electricity and gas (only valid for Germany)
  • EDIBDB - building materials industry
  • EDIFICE - electronics, software and telecommunications industry
  • EDIFOR - forwarding branch
  • EDIFURN - furniture industry
  • EDIGAS - gas transmission business
  • EDILEKTRO - electrical industry / electrical wholesale
  • EDILIBE - book trade
  • EDIPAP - paper manufacturer / wholesaler / converting industry
  • EDIPAP - paper manufacturer / wholesaler / converting industryEDITEX - textile industry
  • EDITRANS - transport industry
  • EDIWHEEL - tire and wheel manufacturer (incl. AdHoc EDI)
  • ETIS - Telecommunication (only for invoice)
  • ODA / ODIF - General document formats
  • ODETTE - automotive industry
  • RINET - insurance industry


Edi@energy is the information and communication standard for the energy, water and electricity industries. As a subset of EDIFACT, EDI@Energy has a regulation on secure exchange of transmission files written. As part of the electronic data exchange between the market partners of the German energy industry, the transmission channels AS2 and e-mail via SMTP must be observed. The requirements and rules dealt with in this section also count for all market processes defined by the Federal Network Agency, such as GPKE, MPES, GeLi Gas, GaBi Gas, MaBiS, WiM and KoV.

If a file / email is exchanged for the German energy industry, it must be signed and encrypted since June 1, 2017. It is not only required that the certificates be issued by a trustworthy CA, but also that special requirements are placed on the encryption algorithm.

Issuing CA requirements

  • no self-issued certificates
  • the CA has a callback service and a revocation list
  • audited by external audit (e.g. KPMG)

S/MIME certificate requirements

  • Signature algorithm RSASSA-PSS
  • Maximum validity of 3 years
  • advanced electronic signature
  • Identification and assignment to the company for which the certificate was issued

Secorio’s technology partner Sectigo currently offers its S/MIME email certificates without RSASSA-PSS encryption. Due to the demand and the need for certificates with this signature algorithm, these certificates will be available from 2020. Thanks to the collaboration with another trusted CA, Secorio is also able to issue RSASSA-PSS S/MIME certificates. Contact your direct contact person or send us a message at for more information or a specific offer.


EANCOM is one of the subset of the EDI standards. The consumer goods industry uses the term EANCOM to use a worldwide standard of electronic data exchange. EANCOM introduces a global identification standard with the global article number (GTIN) and global location number (GLN). EANCOM wrote one based on the EDI standards GS1 Implementation Guide for digital signatures.

Possible signature / encryption algorithms are EDIINT AS1 & AS2 or S/MIME e-mail certificates. The aim of EANCOM is to ensure the security of EDIFACT documents in the flow of information between the sender and recipient of the message. A distinction is made between two possible signature methods:

  • Document Signing -> the document (e.g. PDF) is digitally signed within the file for authenticity
  • S/MIME Signing -> the email that is sent is signed using the SMIME certificate to confirm the authenticity of the message

What are the S/MIME requirements of EANCOM?

The digital certificates must be issued by a trustworthy third party (e.g. CA Authority Sectigo -> technology partner of Secorio). During the exhibition process, the issuing CA certifies and checks the information and issues a digital certificate to the person / company.

In addition to the extended validation, the certificate must be signed with one of the following algorithms: DSA, RSA, ECC etc. Since almost all trustworthy certification bodies x509v3 offer certificates based on RSA keys, it is recommended to use this algorithm for digitally signing documents.


European Chemical Industry Council is the business association of the European chemical industry. There are currently no specific guidelines that CEFIC participants must adhere to. The usual guidelines according to the EDIFACT standard apply.


The Global Network für B2B Integration in High Tech Industries – ein europäisches Industriekonsortium für die Einhaltung von B2B Standards. Der Verband unterstützt die Entwicklung und Verbreitung von elektronischen Standards und gibt dabei Empfehlungen ab, wie die Richtlinien interpretieren sind. Die Richtlinien und der Standard «EDIFICE» ist in europäischen Unternehmen aus Halbleiter, Elektronik, Software und Telekommunikation Branche. Die Standards sind auf Internationalität ausgerichtet und sind aufgrund der weltweiten Kompatibilität auch mit den Richtlinien aus der USA verknüpft. Zudem kooperiert die EDIFICE mit RosettaNet, einem XML-basierten Standard zur Automatisierung des Supply Chain Management in der Branche.

The exact requirements of EDIFICE can be found via the following link: EDIFICE guidelines


EASEE-Gas was founded in 2002 to simplify processes in the field of gas transfer and trading across Europe. EASEE-GAS offers its members digital S / MIME certificates for the signing and encryption of emails in order to secure communication between the EASEE-GAS participants. As communication takes place via the AS2 and As4 protocol, a special validation and application procedure is required.

Information we need for validation:

  1. Find out about the name and address of your EASEE gas specialist. If you do not know who the EASEE gas representative of your company is, please consult the list of members on the EASEE gas-members site .
  2. Get a copy of the ID card / passport of your company's EASEE gas representative.
  3. Get a copy of the extract from the commercial register for the company registered with EASEE-gas that is not older than 6 months.
  4. Get your company's EIC code. This code is on the Find ETSO website .

Application process

  1. Applicant to fill out and submit the online form
  2. Send all required documents by post / fax / email
  3. The application is checked and approved by the EASEE-Gas General Manager
  4. Internal completeness check of the registration request by Secorio
  5. E-mail invitation from the Secorio Trust / Link Enterprise system to the certificate applicant (subscriber) to confirm the data and to start the certificate issuing process
  6. Certificate applicant receives second email link to download the certificate
  7. Certificate ready for installation and distribution

Please contact us directly via email ( if you need an EASEE-GAS certificate. We will be happy to provide you with further information in this regard.

HIPAA (Healthcare Insurance Portability and Accountability Act)

As in any industry, email is an important communication medium for the exchange of information between healthcare companies and patients / relatives. Personal Health Information (PHI) / Personal data that are sent by email without special protection do not meet the requirements of HIPPA. Therefore, these PHI (personal data), which are sent by email, must be protected with digital certificates in order to successfully protect the privacy of patients. This is the only way to ensure compliance with HIPAA / HITECH.

Research has shown that every seventh hospital employee opens a phishing email. This vulnerability means that more than 14% of all emails that hospital workers deal with can potentially result in cyberattacks or data breaches. A breach of data protection regulations in the healthcare sector in turn often leads to serious complications with regard to violations of the data protection regulations of the Healthcare Insurance Portability and Accountability Act (HIPAA), which results in considerable financial costs and fines for compliance. In addition to the financial damage, we lowered the image and trust of the patients towards the healthcare company. In addition to content encryption using S/MIME, PHI data must be sent via encrypted server connections (protected by SSL or TLS certificates).

Penalties for HIPAA email violations
The penalties apply per violation and year From To
Could not be avoided with reasonable care 100 US-Dollar 50.000 US-Dollar
HIPAA email violation despite reasonable care 1.000 US-Dollar 50.000 US-Dollar
Deliberate Neglect - Corrected in a timely manner 10.000 US-Dollar 50.000 US-Dollar
Deliberate Neglect - Not Corrected 50.000 US-Dollar 1.500.000 US-Dollar

Alternatives to S/MIME

PGP (Pretty Good Privacy)

In addition to S/MIME, there are various different encryption methods. Comparing with S/MIME is OpenPGP (Pretty Good Privacy). PGP is based on the same approach as S/MIME and encrypts the emails using the asymmetrical method. Please note that S/MIME email certificates are not compatible with the PGP system.

PGP is an open source encryption system. This means that no qualified signatures can be sent using PGP. In addition, there is no certification body for PGP that could meet the requirements of CA / B or EDIFACT. The integration into your existing mail / gateway systems, especially with mobile users, requires an extended know-how at PGP.

More encryption algorithms

The S/MIME certificates can easily be integrated into your existing environment within a few minutes. The certificate is requested via Internet Explorer (Windows User) / Safari (Apple User) and the private key is created directly in the browser. A short configuration in the trust center of your Outlook mail program and S/MIME certificates are ready for use.

In addition to S/MIME and PGP, there are other encryption systems such as REDDCRYPT, DE-Mail, WebAkte or DRACOON that promote ease of use and zero knowledge for the facility. Only additional software or add-ons for Outlook are required for this encryption process or your customers must also register with these providers. It takes time to set up and update them, which means unnecessary effort. More than XX% of all Germans already rely on the most widespread S/MIME encryption technology. S/MIME certificates give you the option of integrating email encryption into your existing environment simply and easily. Automated with the Certificate Manager (Enterprise S/MIME).

As a company, you have to decide which encryption algorithm / encryption system you want to use.

Advantages and disadvantages of S/MIME email certificates


  • Compatible with leading software solutions such as Office365, Outlook 2007/2010/2013
  • no additional software required / SMIME technology is automatically preinstalled in your laptop / computer or mobile device.
  • Protection against phishing and SPAM messages



  • the public key must be replaced beforehand. There is no global database through which all S/MIME certificates can be accessed
  • both communication participants must have a valid S/MIME certificate



Which encryption algorithms from S/MIME are there?


SHA is part of the cryptographic SHA hash function developed by the NSA and stands for Secure Hash Alogirthm. The hash function is performed using mathematical operations on digital data. By comparing the calculated hash value with the known hash value, the integrity (integrity) of a message / file can be determined.

The SHA hash function can be divided into SHA 1 / SHA 2 and SHA 3. The most common hash algorithm is SHA-2 with SHA-256 and SHA-512, although we recommend using SHA-256.

  • From a safety perspective, it would be pretty pointless to use SHA 512. In practice, SHA-256 is just as secure as SHA-512. A collision can currently not be generated with any technology or technology currently available or predictable in the coming years (e.g. quantum computer). The security you get with SHA256 is therefore identical.
  • From a non-security point of view, the founders for choosing SHA-256 are clearer than longer hash algorithms: it is smaller and requires less bandwidth for storing and transferring messages / files. So you need less memory, which also requires less computing power. In some cases, however, SHA-512 may still be faster and more efficient - but this is often the rarity.
  • Third, there are likely to be compatibility issues with different hash algorithms. Virtually no one uses a higher algorithm than SHA-256. Higher algorithms can be: SHA-384 or SHA-512. Therefore, there is a high probability that you will encounter systems that do not understand the hash. There are likely to be fewer problems now that the systems are more mature, but even with a higher security algorithm you have no significant use.

At the moment, the choice of SHA’s higher than SHA-256 does not offer any clear advantages - there are obvious disadvantages (increased bandwidth / higher memory / compatibility problems). For this reason, SHA-256 is the universal choice for modern certificates for SMIME and SSL website certificates.


The signature algorithm RSASSA-PSS from SMIME e-mail certificate has not yet reached many users or companies. Many companies that contact us and have questions regarding the RSASSA-PSS often do not know the requirements. RSASSA-PSS certificates must be used by companies subordinate to EDIFACT. You can read whether you fall under this in the COMPLIANCE guidelines for S/MIME certificates.

Die Abkärzung «PSS» steht für «Probablistic Signatur Scheme» – auf Deutsch: probabilistisches Signaturverfahren. RSASSA-PSS bieten ein verbessertes Signaturschema, welche einen zusätzlichen Anhang enthält. Es nutzt den privaten RSA-Schlüssel um Ihre Daten zu signieren. Der Empfänger überprüft Ihre Signatur anhand des bekannten öffentlichen RSA-Schlüssels.

Since the new regulation for sending qualified EDIFACT files / messages has been enforced by the Federal Network Agency within the electricity and gas industry, the extended signature algorithm has been important. The Federal Network Agency requires an RSA key length of at least 2048 bits / the hash function must fulfill SHA-256 or SHA-512.

Which mail systems / clients support SMIME technology?

Clients via which an automatic enrollment via Certificate Manager is possible

all versions of Microsoft Outlook / Outlook Express

MDM with SCEP for AirWatch, Blackberry, Mobile Iron, IBM, Citrix

Apple Mail including mobile devices

Samsung Mail including mobile devices

Nine Mail (in progress)

Ciphermail (in progress)


Systems that work with S / MIME but are not yet linked to the Certificate Manager

Office 365

Mozilla Thunderbird

Spark Mail

Claws Mail

Windows Mail / Live Mail


-> The list is continuously updated / You are a provider of mail software and use S / MIME technology - inform us at and we will add you to our database.

Which gateway systems support SMIME technology?

CITRIX Secure Gateway


-> The list is continuously updated / You are a provider of mail software and use S / MIME technology - inform us at and we will add you to our database.

Which mail providers support SMIME technology?

-> The list is continuously updated / You are a mail provider and use S / MIME technology - inform us at to discuss possibilities for a partnership.

Which CRM / ERP software systems support SMIME technology?

Zoho CRM (Zoho Mail)

Salesforce Marketing Cloud


Azure Information Protection Client

-> The list is continuously updated / You are a software provider for ERP / CRM systems and supporting S/MIME technology - inform us at and we will add you to our database.



Are there free Let’s Encrpyt S/MIME certificates? Are there any free S/MIME certificates?

Let’s Encrypt is the free provider for SSL certificates. We and our technology partner Sectigo support Let’s Encrypt by activating your certificate transparency protocol. Secorio supports the plan to secure all websites and to encrypt the transport route using an SSL certificate.

However, Let’s Encrypt does not offer free S/MIME email certificates and does not plan to introduce them in the short or medium term. S/MIME and SSL differ significantly and the technology is also not easy to copy.

However, with its extensive certificate portfolio and free SSL certificates, Secorio also offers 30-day test certificates for those interested in S/MIME. You can test the S/MIME technology and let yourself be convinced by the encryption solution that is used worldwide.

Why should I buy a paid S/MIME certificate?

Free certificates offer only limited benefits. We also offer free S/MIME certificates for test purposes and personal use. These certificates are issued with a validity of 30 days. These certificates must be reissued after 30 days and completely configured on your computer. In addition, the respective key has to be published and exchanged for the public key. Test certificates are therefore not a sustainable solution for email encryption. We recommend our free S/MIME e-mail certificates to anyone who would like to get to know S/MIME or test the functionality within your existing environment. Paid certificates can be issued with a term of one, two or three years.

In addition to the tedious administration and the complex exchange of your keys, there are no entries of your company and / or personal name for free certificates. Paid S/MIME certificates can be restored / replacement (Personal & Personal PRO) and you, as a Secorio customer, receive free support.

Which validation levels / classes are there?

Did you know that there are different validation levels or classes for S / MIME certificates too? However, there are still no industry standards that are adopted by all issuing Certificate Authorities (CA). Unlike with SSL certificates, the CA / Browser Forum does not yet provide guidelines for validation.

However, individual sectors such as the energy sector in Germany require qualified signatures, which are made possible by the expanded organizational validation. Depending on your email security requirements within your company / group, choose the appropriate validation level.

Class 1: Email confirmation

For this validation level you only need to have a valid email address and have access to it. Your certificate will be issued quickly and without further validation processes with your email address.

Class 2: Individual validation

At this level of validation, you are individually checked as a person. This type of certificate is used by small or sole traders who do not meet the requirements for organizational validation / class 3. During this process, your information will be checked using a legally valid ID (identity card / driver's license). Your certificate will then be issued with your first and last name.

Class 3: Organization validation

This validation process checks whether your organization exists and whether your data is entered in certified databases (e.g., gelbeseiten, or company knowledge). In addition, an additional domain validation is carried out using a domain check (via admin / administrator / postmaster / hostmaster or As soon as all information has been successfully validated and confirmed, you can apply for certificates as an administrator using managed solutions (EPKI or SCM). Please note that as the administrator you are responsible for ensuring that the employees for whom the email addresses are issued also work effectively in your company.

Are there also wildcard / department S/MIME certificates?

Due to the guidelines of our CA, there is no way to secure all your email addresses with a single certificate. We offer interesting graduated prices for companies with extended needs in order to keep the certificate costs for you as low as possible. Our Certificate Manager can automatically manage and issue from a few dozen certificates up to thousands of S/MIME certificates. This eliminates the need for a wildcard / departmental solution for S/MIME certificates.

How do I get my S/MIME email certificate?

You only need individual S/MIME certificates? Then order your certificate immediately in our online shop. Let us convince you of our offer and choose a certificate with extended validation to show your customers and suppliers that you value your data.

Would you like a personal offer or do you have any questions before placing your order? No problem - our knowledge base for S/MIME certificates is open 24 hours a day. Otherwise, you can reach us by phone or email during the usual working hours from 8:00 a.m. to 4:30 p.m (Switzerland Time).

Who has access to my private key?

The private key is created directly in your browser during the application process (Internet Explorer à Windows ||| Safari à Apple). As the issuing CA, we never have access to your private key. Thanks to sophisticated algorithms and processes, the public and private key are generated and created together in your browser. You can export the certificate in the appropriate format directly from your browser and integrate it into any mail system.

Why is a certificate backup so important?

Imagine that your laptop on which your S / MIME certificate is used has a hardware or technical defect and can no longer be saved. Of course you have saved your documents and emails in the cloud using OneDrive / Office 365. But what about your S / MIME certificate? Did you also secure this including the private key? If not, you will no longer be able to work with this certificate. Your emails now remain encrypted and can no longer be recognized. Depending on this, this damage can increase immeasurably. Why? All emails can no longer be read - offers, agreements or confidential data are no longer accessible to you and must be reorganized. An organizational effort that can quickly damage you and your company and cause considerable additional effort (configuration & key exchange with communication partners, etc.).

Therefore, always create a backup of your certificates so that in the worst case of loss / failure of your devices, you have a replacement ready. The backup file is quickly implemented again and you can continue to decrypt your old messages.

In which file formats can S/MIME certificates be exported?

.pfx or PKCS # 12 / .p12

The pfx file contains the private key and your public key. If you have a file with the extension .pfx, we recommend that you only save this file to a secure environment or an external USB backup storage device. If your laptop / PC or your mobile device is damaged, you can restore your certificate with the pfx file. It is therefore important that this file does not get into the hands of third parties. During the application process, the private key is created in your browser - as the issuing CA, we never have access to your private key and cannot provide you with a .pfx file. If you receive an offer from other CAs or service providers that the certificate will be sent to you via .pfx file, we recommend that you refrain from doing so. Even before using S/MIME technology, your personal key has already been checked by third parties and can be falsified.


The PEM format is the format commonly used by the issuing CA. PEM stands for Privacy Enhanced Mail and comes from the method for secure emails, which is defined in RFCs 1421 to 1424. However, this method is hardly used anymore. Like the .pfx and .p12 file, the PEM format also includes the private key. Only a certificate with the PEM format still contains the following file extensions: .cer, .crt., .Key. However, a PEM file is practically only used for Apache servers for SSL certificates.


A file in .cer format is an Internet Security Certificate file. This file only contains the public key and does not need to be protected separately. For example, if you have to deposit your certificate with the Federal Employment Agency, you can do so in .cer format. You can also upload the .cer file to your website or in a database - without the private key it is not possible to read encrypted messages.

How do I set up my certificate?

The installation of S/MIME email certificates is child's play thanks to our step-by-step instructions. Whether you are an IT expert or a non-IT expert, you can use our instructions to install your S/MIME certificates in common mail systems such as Mozilla Thunderbird, Outlook 2016 Apple Mail or directly on your Apple Mobile device.

Configure S/MIME on Mozilla Thunderbird

Configure S/MIME in Outlook 2016

Configure S/MIME with iOS / iPhone / iPad

Configure S/MIME on Mac OS X Mail / Apple Mail


How do I send signed emails now?

Signed emails show your communication partner directly that you are committed to protecting your digital identity. With e-mail certificates you have the possibility to prove your digital identity and thus assure the recipient that the message originated from you. Every email can be signed - regardless of whether the recipient has an S / MIME certificate or not.

How can I send encrypted emails?

S/MIME encryption is only possible if both communication participants have a valid S/MIME certificate. Previously, the public key is exchanged using signed e-mail - as soon as this process is complete, encrypted messages can be sent.

What happened to my S/MIME certificate after the validity period?

After your certificate has expired, there is no longer any possibility to send new signed or encrypted messages. There is currently no way to automatically renew the old license without having to create a new certificate. Therefore, you have to repeat the ordering and application process after the certificate duration of your SMIME Mail certificate has expired. This means that a new private and public key must be generated via your browser and your certificate is reconfigured in Outlook.

It is important that your old certificate is not deleted from your computer either. Otherwise it is no longer possible to read the emails encrypted with the expired certificate.