Email Security

How does secure email work?

The exchange of secure emails is based on digital certificates used for both signature and encryption. This means that the certificates practically act as digital passports.

The digital certificate can be used to send electronically signed emails. Any modifications in transit can be detected, and the origin of the email can be unambiguously identified. This guarantees email integrity and authenticity.

Encryption is used to send confidential information on a secure basis. Again, the recipient's certificate (public key) is required. Therefore, the public keys must be exchanged prior to the first use of encryption. In the case of S/MIME, the exchange of signed emails is usually sufficient. The digital certificate will be available in the email program after automatic or manual import. For PGP, the public PGP key must be sent as an email attachment.

Certification infrastructure

The PKI of Carl Zeiss AG consists of a two-level certification infrastructure with two certification authorities (CAs): the root CA of Carl Zeiss AG and the operational CA for the email gateway.

The root CA is used exclusively to certify other (subordinate) CAs.

The use of the issued certificates is strictly limited to the protection of email communication within the context of Carl Zeiss AG business matters. Any use of the certificates for other purposes is not permitted.

The certificates of the CAs as well as the current revocation lists are available at Certificates.

Root certificate

The root certificates of Carl Zeiss AG can be checked for authenticity using the following "fingerprints":

Root certificate SHA-2 ("Carl Zeiss E-Mail CA-2028")
SHA-2 db ac b5 0f 28 b9 51 1c dd 9e 7f 79 4d d6 47 cf 95 07 f6 9b (CER format Base64)

Root certificate SHA-2 ("Carl Zeiss AG Root-CA-2036")
SHA-2 2d 1c 11 86 b6 52 a3 96 af 5d de b9 b5 0d 63 58 77 2a 96 eb (CER format Base64)

Root certificate SHA-1 ("Carl-Zeiss-E-Mail-CA")
SHA-1 9b 8b 78 78 35 ba 29 af 21 5f 21 67 8d f3 aa b4 06 dd 76 eb (CER format Base64)

Root certificate SHA-1 ("Carl Zeiss AG Root")
SHA-1 - b2 7f ed 6b 91 51 df ad e3 f0 32 e9 f7 3e 01 b8 1e 54 09 12 (CER format Base64)

The certificates can be downloaded via the download area. You may be required to indicate your trust in these certificates in your email program.

Certificates of Carl Zeiss AG employees

Carl Zeiss AG issues certificates to owners of email addresses, in particular to the employees of the Carl Zeiss Group. If you require such a certificate, e.g. to send an encrypted email to Carl Zeiss AG employees, simply request a signed email or the public PGP key from its owner. In the terminology of EU Directive 1999/93/EC and the German Signature Law of 16 May 2001, these are designated as "advanced signatures".

Status information

Certificates can and must be blocked to prevent any misuse. Status information (blocked/not blocked) regarding Carl Zeiss AG certificates is published on a regular basis in the certificate revocation list (CRL). When a certificate is blocked, a new certificate revocation list is issued and published.

CRL of root CA
(874 Bytes)

CRL of email CA
(926 Bytes)

CRL of email CA 2016
(792 Bytes)

CRL of email CA 2028
(739 Bytes)

Any e-mail programs can retrieve these certificate revocation lists automatically and at regular intervals. You may have to enter the addresses below (URLS) as well. If your email client does not support automatic updates, the certificate revocation list can be downloaded manually here and imported to the email client.

If you receive signed emails from Carl Zeiss AG and their signatures cannot be verified, check the following points:

• Your email program must be able to recognize the Carl Zeiss AG root certificate and the Secure Email root certificate and must trust them as issuers of email certificates. You can download both certificates under Certificates; you must configure the trust setting in your email program.
  
• Your program may require the certificate revocation lists (CRLs) of both CAs, i.e. the current information on blocked certificates of Carl Zeiss AG.
  
• If you are unable to send encrypted emails to a specific employee of Carl Zeiss AG, you probably do not have the digital certificate of this person.
• As a S/MIME user, ask your communication partner at Carl Zeiss AG to send you a signed email; this email will contain the certificate. Many email programs extract and save the certificate automatically, while some programs have to be prompted to do so via a specific function.
  
• As a PGP user, please request the public PGP key of your communication partner at Carl Zeiss AG and import it to your PGP keyring.
  
• Check that the signed email received from Carl Zeiss AG could be verified. Otherwise, proceed as described in the previous paragraph. Only then will the import of certificates work properly.

Should you have further questions, please contact your IT support. Further information is available from your certification department.

Carl Zeiss issues digital certificates for its employees and business partners in accordance with the provisions of the Public Key Disclosure Statement.

The following documents of the Carl Zeiss Public Key Infrastructure (PKI) can be acquired from the contact listed in the Public Key Disclosure Statement when needed.

Certification Policy & Certification Practice Statement CP/CPS of the:

• Carl Zeiss AG Root Certification Authority
• Carl Zeiss AG Email Certification Authority