D-Trust MPKI - Reissue S/MIME Certificates

D-Trust informs that S/MIME certificates generated before May 04 2026 have a formal error as viewed by the CA/Browser forum as the regulatory body on certificates. According to D-Trust, the formal errors are not a security risk.

Affected certificates (of type „Advanced Personal eID“, „Advanced Enterprise (inkl. SIG/ENC) ID” and „Advanced Team ID“) will be revoked by D-Trust on May 08 2026 at 15:00 CET.

In order to ensure that the automatic renewal of the D-Trust Certificate revocation goes smoothly for the SEPPmail Appliances, we recommend the following setting changes to be in effect as soon as possible (and not later than 08.05.2026 at 15:00 GMT+2):
Under MPKI Settings, enable the following:

• “Automatically renew expiring certificates if validity days left less than”
• “Automatically create certificates for active users without certificates” (This will ensure that the Automatic Renewal Job, that takes place nightly, will be able to also reissue the revoked D-Trust certificates. This is only necessary, if these changes were not implemented before Thursday, 07.05.2026 at 9:00 p.m.)

We also highly recommend, that the “Automatically renew expiring certificates if validity days left less than” Option be set to 362 days. This is so that all of the certificates that are potentially marked for revocation are renewed before the revocation takes place. Therefore, there is no interruption of certificate services. The setting changes mentioned above can safely be reverted starting 09.05.2026.

Before the renewal job runs, you must update the internal D-Trust product identifiers within your SEPPmail configuration. Failure to do this may cause the renewal requests to be rejected by the CA
| Old Product ID | New Product ID |
| — | — |
| ADVANCED_ENTERPRISE_ID_1 | SMIME_ORG_INDIV_RSA_1 |
| ADVANCED_TEAM_ID_1 | SMIME_ORG_RSA_1 |