J.D. Fox Micro Resource Center
Digital Certificates for E-mail
Here are links to some trusted providers that can issue digital certificates for e-mail (also known as Digital IDs or S/MIME certificates) at retail, meaning an individual or small business can purchase them individually as needed.
If you are new to e-mail digital signatures or Digital IDs, read the introductory article about digital certificates for e-mail first.
In the links below, you might see references to e-mail encryption. Keep in mind that e-mail encryption is completely different from e-mail digital signatures.
Some providers offer different levels of verification. The minimum is what we call "no verification", and only requires you to confirm that you received an e-mail from the provider, sent to the address to be validated by the certificate you're purchasing. Additional levels of verification may require you to send a scan of your driver license, and other documentation proving your business exists at a given location. By purchasing a certificate with higher verification, you give recipients who may not already know you that much greater assurance of your identity.
Once you purchase a digital certificate for yourself, you will need to create the certificate, which is usually done within a web browser on a Windows or Mac computer while logged in to the provider's site. To use digital certificates on a mobile device, you will need to import the certificate and the private key to your device. For help implementing digital certificates, contact an IT services professional, such as J.D. Fox Micro.
On this page, DigiCert lists Digital IDs for various purposes, including user authentication (logging in to a network), digitally signing a document, e-mail digital signatures, and encryption. For e-mail digital signatures, you need to choose the Digital Signature Plus option.
GlobalSign offers digital certificates at various price ranges, all presented on one page. The difference is in the level of verification conducted. Each price level offers more assurance of identity, which is explained in the table. GlobalSign has long made reference in their offerings to what appears to be the same classification system as that created by VeriSign, and most other providers now do so as well.
Acquiring a certificate from GlobalSign is smooth, and their methods are highly secure.
This company took over the offering by Symantec of low-cost certificates with no verification, and still uses their name and logo. The "Hardware-Based" solution they offer is unique amongst the offerings on this page. It requires purchase of a smart card and card reader, or a small USB device. You can plug this into any computer, type a PIN to unlock your private key, and use your certificates on that computer not just for e-mail digital signatures, but for logging in to the computer or web-based applications.
Comodo offers free and inexpensive e-mail certificates.
This first link is for a completely free certificate, which requires no validation. The certificate will state that your identity has not been verified.
The "business class" certificate is not free. To issue it, Comodo requires some actual validation of your identity (such as scanning your driver license); this would enhance its value in the eyes of your recipients if you don't have other contact with them. Because of its very low price with verification, it appears to represent the best value of all the links listed on this page, so long as you have no hitches in getting your certificate. But you very well might, because their system is somewhat unwieldy to begin with, and their customer service is poor. Also, their methods are slightly less secure; for example, the retrieval password is sent through unencrypted e-mail.
Another well-known provider, offering two classes of e-mail digital signing certificates. They have also recently started using the VeriSign class designations.
Their Class 1 offering requires no verification, and therefore provides the lowest level of assurance. Frankly, you would only use this if you have some reason not to use a free offering from another provider for a non-verified certificate.
Class 2 certificates do require verification of both your identity and your company's, as well as ownership of your e-mail address. These are offered only with a minimum purchase of five certificates, though, and come with some extra services mostly related to encryption, which might be of interest to a small company with otherwise unmanaged e-mail security.
As of August 2016, Symantec stopped selling digital certificates to individuals at retail, after having offered them since their 2010 acquisition of VeriSign. They had offered e-mail certificates with no identity verification (which they called a Class 1 Digital ID), for about the same price as some others listed here that include verification.
For personal certificates (Class 1) at retail, Symantec sold their business to IdenTrust, linked above.
Here is a link to the page announcing their exit from this market.
Symantec continued to offer certificates of a higher Class (that is, with identity verification), using the classification system carried over from VeriSign. A Class 2 Digital ID means the user's identity has been verified to some extent, and Class 3 indicates additional vetting. These were available only if your company signed up for the Symantec Managed PKI (MPKI) service, which was sold to DigiCert in 2017 and is now called CertCentral.
Several years ago, GeoTrust offered a certificate called My Credential, with telephone verification of identity and a low price. The Equifax name appeared in their certificates, because GeoTrust purchased Equifax in 2001 and used their root certificates for many years after. GeoTrust was then purchased by VeriSign in 2006, which was purchased by Symantec in 2010. GeoTrust half-heartedly continued offering My Credential until 2013, then discontinued the service. GeoTrust's page now directs you to Symantec's website to buy a certificate, which refers you to DigiCert, since Symantec sold their certificate business to DigiCert in 2017. We leave the link here for reference only.