Initial situation:
In February 2023, all SwissSign MPKI partners received an information email from SwissSign with the following content:
Dear partners.
We informed you some time ago about the new SwissSign CA and also already provided you with information on the new Pre-Prod platform. This letter is to inform you of the updated schedule for the upcoming migrations of your customer MPKIs.
Due to additional regulatory requirements regarding S/MIME certificates, the migration of your existing customer MPKIs to the new CA platform must take place by the end of March 2023.
How does the migration work?
• In the coming days, we will start migrating all customer MPKIs to the new CA platform. The aim is for this process to be completed by the end of March 2023. The access managers (operators) of the customer MPKIs are informed in advance by email that their MPKI will soon be migrated. In this letter we will also refer to a landing page (to be published shortly) with instructions for the third-party applications.
• New orders for MPKIs are thus to be processed only via the new CA platform from 01.04.2023.
• Your existing customers have the option of issuing new certificates both via the new platform and on the existing MPKI until the end of May 2023 at the latest (temporary parallel operation).
• Certificates already issued remain valid until their expiry date and do not have to be revoked and reissued.
We look forward to a successful future together and are happy to answer any questions you may have at partners@swisssign.com.
Kind regards
Sales & Partner Management
Attention: Certificates that were created with the old CA can, after the switch to the new CA, only be revoked directly on the SwissSign web interface of the old CA.
In addition to the links in the above e-mail, SwissSign provides the following link <%OEM-NEW-SWISSSIGN-CA%> with an additional description.
Attention: SEPPmail Secure E-Mail Gateway firmware version 12.1.18 is mandatory before changing over to the new MPKI!
On the SEPPmail Secure E-Mail Gateway, the following settings usually have to be changed (example for "Silver" certificates):
(see also SwissSign)
(no longer applicable as of 22.03.2023)
Since certificates with a term of three years are issued via the new CA by default, it is essential that the URL entry is extended by "?validity=1y", giving
https://cmc.swisssign.ch/ws/cmc?validity=1y
Once the new product name "SwissSign Personal S/MIME E-Mail ID Silver" is entered for domain-validated certificates, SEPPmail Secure E-Mail Gateway automatically sends the required parameters to SwissSign when the certificate is obtained, so no other entries are necessary.
For organisation-validated certificates ("SwissSign Pro S/MIME E-Mail ID Gold"), note that the organisation is no longer validated by certificate, but by "SwissID" (see also https://www.swissid.ch/).
Furthermore, due to new security regulations, the domains for which certificates are to be obtained must now be validated once a year, see SwissSign - Yearly Domain Check.
Note on RA operators
RA operators are persons who have been entrusted with the certificate administration for a domain/MPKI contract (definition by SwissSign).
All RA operators must obtain a SwissID with the registered e-mail address. This must be verified by means of a passport. This can be done either immediately or within 2 working days. If new RA operators are to be registered, the existing RA operators must report this to SwissSign using this form. If the "Managed PKI number" MPKI-0000xxx is not known, this information can be requested from SwissSign. If the RA operators registered with SwissSign are no longer available, at least one name and e-mail address of one of the former RA operators must be known in order to register new ones.
A SwissSign description of the new CA and the associated actions required on the part of the customer can be found at https://www.youtube.com/watch?v=0ebbxLAcTjc.
SwissSign Support can be reached at mpki@swisssign.com for further questions.