Secure Email

Carl Zeiss AG has set up a Secure Email Gateway to protect email communication. This solution provides a secure environment for the exchange of confidential, electronically signed emails with partners and customers using the widely used S/MIME standard and PGP. For communication on this basis, you need a trustworthy digital certificate and an S/MIME-capable or PGP-capable email program.

  • Functionality & Structure

    How does Secure Email work?

    The exchange of secure emails is based on digital certificates used for both signature and encryption. This means that the certificates practically act as digital passports.

    The digital certificate can be used to send electronically signed emails. Any modifications in transit can be detected, and the origin of the email can be unambiguously identified. This guarantees email authenticity and integrity.

    Encryption is used to send confidential information on a secure basis. Again, the recipient's certificate (public key) is required. Therefore, the public keys must be exchanged prior to the first use of encryption. In the case of S/MIME, the exchange of signed emails is usually sufficient. The digital certificate will be available in the email program after automatic or manual import. For PGP, the public PGP key must be sent as an email attachment.

    Certification Infrastructure

    The PKI of Carl Zeiss AG consists of a two-level certification infrastructure with two certification authorities (CAs): the root CA of Carl Zeiss AG and the operational CA for the email gateway.

    The root CA is exclusively used to certify other (subordinate) CAs.

    The use of the issued certificates is strictly limited to the protection of email communication within the context of Carl Zeiss AG business issues. Any use of the certificates for other purposes is not permitted.

    The CA certificates and the current revocation lists are available under the tab Certificates.

  • Certificates

    Download of Certificates

    Root Certificate

    The authenticity of the Carl Zeiss AG root certificates can be verified by means of the following fingerprints:

    Certificate 1 (Carl-Zeiss-E-Mail-CA):
    SHA-1 18 b2 ad 1b 85 38 56 d6 8a 04 3f 7c 2a 7e ca 47 5e 81 b6 99

    Carl-Zeiss-AG-E-Mail-CA.crt (CER format Base64)
    Carl-Zeiss-E-Mail-CA.der (DER encoded)
    Carl-Zeiss-AG-E-Mail-CA.p7b (PKCS#7 format)

    Root certificate 2 ("Carl Zeiss AG Root "):
    SHA-1 b2 7f ed 6b 91 51 df ad e3 f0 32 e9 f7 3e 01 b8 1e 54 09 12

    Carl-Zeiss-AG-Root-CA.crt (CER format Base64)
    Carl-Zeiss-AG-Root-CA.der (DER-encoded)
    Carl-Zeiss-AG-Root-CA.p7b (PKCS#7 format)

    The certificates can be downloaded from the download field. You may be required to indicate your trust in these certificates in your email program.
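
As an added example (not Carl Zeiss AG's own code), the fingerprint check described above can be scripted: a certificate's SHA-1 fingerprint is the SHA-1 hash of its DER encoding, so the Base64 (.crt) and DER (.der) downloads must produce the same value. The function names, dictionary keys and sample bytes are assumptions made for illustration, and the .crt file is assumed to carry the usual BEGIN/END CERTIFICATE armor.

```python
import base64
import hashlib
import hmac
import re

# Fingerprints as published on this page (the dictionary keys are illustrative).
PUBLISHED = {
    "certificate_1": "18 b2 ad 1b 85 38 56 d6 8a 04 3f 7c 2a 7e ca 47 5e 81 b6 99",
    "root_certificate_2": "b2 7f ed 6b 91 51 df ad e3 f0 32 e9 f7 3e 01 b8 1e 54 09 12",
}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a tiny ASN.1 SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a .der file or of a Base64-armored .crt file."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("neither Base64-armored nor DER certificate data")
    return data


def normalize(fingerprint: str) -> str:
    """Turn '18 b2 ad ...' or '18:B2:AD:...' into 40 lowercase hex digits."""
    hexstr = re.sub(r"[\s:\-]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexstr):
        raise ValueError("not a SHA-1 fingerprint")
    return hexstr


def sha1_fingerprint(data: bytes) -> str:
    """SHA-1 over the DER encoding, whichever file format was downloaded."""
    return hashlib.sha1(to_der(data)).hexdigest()


def matches(data: bytes, published: str) -> bool:
    return hmac.compare_digest(sha1_fingerprint(data), normalize(published))


if __name__ == "__main__":
    print("sample fingerprint:", sha1_fingerprint(SAMPLE_DER))
    print("matches certificate_1:", matches(SAMPLE_DER, PUBLISHED["certificate_1"]))
```

To check a real download, pass the file's bytes (read in binary mode) to `matches()` together with the corresponding entry of `PUBLISHED`.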


    Certificates of Carl Zeiss AG Employees

    Carl Zeiss AG issues certificates to owners of email addresses, in particular to the employees of the Carl Zeiss Group. If you require such a certificate, e.g. to send an encrypted email to Carl Zeiss AG employees, simply request a signed email or the public PGP key from its owner. These are advanced signatures within the terminology of EU Directive 1999/93/EC and the German Signature Law of 2001-05-16.


    Status Information

    Certificates can and must be revoked to prevent any misuse. Status information (revoked/not revoked) regarding Carl Zeiss AG certificates is published on a regular basis in the certificate revocation list (CRL). In the event that a certificate is revoked, a new CRL is immediately compiled and published.

    CRL of root CA (874 Bytes)
    CRL of email CA (926 Bytes)

    Many email programs are able to automatically download these lists at regular intervals. You may need to specify the above addresses (URLs) for this purpose. If your email client does not support automatic updates, you can download the CRLs and import them manually.

  • Troubleshooting

    If you receive any signed emails from Carl Zeiss AG where the signature cannot be verified, please check the following points:

    • Your email program must be able to recognize the Carl Zeiss AG root certificate and the Secure Email certificate and must trust them as issuers of email certificates. You can download both certificates from Certificates; the trust setting has to be made by you in your email program.

    • Your program may require the certificate revocation lists (CRLs) of both CAs, i.e. the current information on revoked certificates of Carl Zeiss AG.

    • If you are unable to send encrypted emails to a specific employee of Carl Zeiss AG, you probably do not have the digital certificate of this person.
    • As an S/MIME user, ask your communication partner at Carl Zeiss AG to send you a signed email; this email will contain the certificate. Many email programs extract and save the certificate automatically, while some programs have to be prompted to do so via a specific function.

    • As a PGP user, please request the public PGP key of your communication partner at Carl Zeiss AG and import it to your PGP keyring.

    • Check that the signed email received from Carl Zeiss AG could be verified. Otherwise, proceed as described in the previous paragraph. Only then will the import of certificates work properly.

    Should further questions arise, please contact your IT support.
    Further information is available from your certification department as well.

  • Public Key Disclosure Statement

    Carl Zeiss issues digital certificates for signature and encryption to its employees and business partners for email traffic in accordance with the Public Key Disclosure Statement.

    The documents of the Carl Zeiss Public Key Infrastructure (PKI) can be acquired from the contact listed in the Public Key Disclosure Statement when needed.

    Certification Policy and Certification Practice Statement CP/CPS of the:

    • Carl Zeiss AG Root Certification Authority
    • Carl Zeiss AG Email Certification Authority