E-mail Security


Carl Zeiss AG has set up a secure e-mail gateway to protect email communication. This solution provides a secure environment for the exchange of confidential, electronically signed e-mails with partners and customers in the widely used S/MIME standard and using PGP. For communication on this basis, you need a trustworthy digital certificate and a S/MIME-capable or PGP-capable e-mail program.

  • Functions and Structure

    How does Secure E-mail work?

    The exchange of secure e-mails is based on digital certificates used for both signature and encryption. This means that the certificates practically act as digital passports.

    The digital certificate can be used to send electronically signed e-mails. Any modifications in transit can be detected, and the origin of the e-mail can be unambiguously identified. This guarantees e-mail integrity and authenticity.

    Encryption is used to send confidential information on a secure basis. Again, the recipient's certificate (public key) is required. Therefore, the public keys must be exchanged prior to the first use of encryption. In the case of S/MIME, the exchange of signed e-mails is usually sufficient. The digital certificate will be available in the e-mail program after automatic or manual import. For PGP, the public PGP key must be sent as an e-mail attachment.

    Certification infrastructure

    The PKI of Carl Zeiss AG consists of a two-level certification infrastructure with two certification authorities (CAs): the root CA of Carl Zeiss AG and the operational CA for the e-mail gateway.

    The root CA is used exclusively to certify other (subordinate) CAs.

    The use of the issued certificates is strictly limited to the protection of e-mail communication within the context of Carl Zeiss AG business matters. Any use of these certificates for other purposes is not permitted.

    The certificates of the CAs as well as the current revocation lists are available at Certificates.

  • Certificates

    Down certificates

    Root certificate

    The root certificates of Carl Zeiss AG can be checked for authenticity using the following "fingerprints":

    Root certificate 1 ("Carl-Zeiss-E-Mail-CA"):
    SHA-1 18 b2 ad 1b 85 38 56 d6 8a 04 3f 7c 2a 7e ca 47 5e 81 b6 99

    Carl-Zeiss-AG-E-Mail-CA.crt (CER format Base64)
    Carl-Zeiss-E-Mail-CA.der (DER encoded)
    Carl-Zeiss-AG-E-Mail-CA.p7b (PKCS#7 format)


    Root certificate 2 ("Carl Zeiss AG Root"):
    SHA-1 - b2 7f ed 6b 91 51 df ad e3 f0 32 e9 f7 3e 01 b8 1e 54 09 12

    Carl-Zeiss-AG-Root-CA.crt (CER format Base64)
    Carl-Zeiss-AG-Root-CA.der (DER-encoded)
    Carl-Zeiss-AG-Root-CA.p7b (PKCS#7 format)

    The certificates can be downloaded via the Download area. You may be required to indicate your trust in these certificates in your e-mail program.

     

    Certificates of Carl Zeiss AG employees

    Carl Zeiss AG issues certificates to owners of e-mail addresses, in particular to the employees of the Carl Zeiss Group. If you require such a certificate, e.g. to send an encrypted e-mail to Carl Zeiss AG employees, simply request a signed e-mail or the public PGP key from its owner. In the terminology of EU Directive 1999/93/EC and the German Signature Law of 16 May 2001, these are designated as "advanced signatures".

    Status information

    Certificates can and must be blocked to prevent any misuse. Status information (blocked/not blocked) regarding
    Carl Zeiss AG certificates is published on a regular basis in the certificate revocation list (CRL). When a certificate is blocked, a new certificate revocation list is issued and published.

    applications.zeiss.com/cert/CRL of root CA (874 Bytes)
    applications.zeiss.com/cert/CRL of email CA (926 Bytes)

    any e-mail programs can retrieve these certificate revocation lists automatically and at regular intervals. You may have to enter the addresses below (URLS) as well. If your e-mail client does not support automatic updates, the certificate revocation list can be downloaded manually here and imported to the mail client.

  • Notes

    If you receive signed e-mails from Carl Zeiss AG and their signatures cannot be verified,
    check the following points:

    • Your email program must be able to recognize the Carl Zeiss AG root certificate and the Secure E-mail root certificate and must trust them as issuers of e-mail certificates. You can download both certificates under Certificates; you must configure the trust setting in your e-mail program.

    • Your program may require the certificate revocation lists (CRLs) of both CAs, i.e. the current information on blocked certificates of Carl Zeiss AG.

    • If you are unable to send encrypted e-mails to a specific employee of Carl Zeiss AG, you probably do not have the digital certificate of this person.
    • As a S/MIME user, ask your communication partner at Carl Zeiss AG to send you a signed e-mail; this e-mail will contain the certificate. Many e-mail programs extract and save the certificate automatically, while some programs have to be prompted to do so via a specific function.

    • As a PGP user, please request the public PGP key of your communication partner at Carl Zeiss AG and import it to your PGP keyring.

    • Check that the signed e-mail received from Carl Zeiss AG could be verified.Otherwise, proceed as described in the previous paragraph.Only then will the import of certificates work properly.

    Should you have further questions, please contact your IT support.
    Further information is available from your certification department.

  • Public Key Disclosure Statement

    Carl Zeiss issues digital certificates for its employees and business partners in accordance with the provisions of the Public Key Disclosure Statement.

    The following documents of the Carl Zeiss Public Key Infrastructure (PKI) can be acquired from the contact listed in the Public Key Disclosure Statement when needed.

    Certification Policy & Certification Practice Statement CP/CPS of the:

    • Carl Zeiss AG Root Certification Authority
    • Carl Zeiss AG E-mail Certification Authority