Email security
Carl Zeiss AG has set up a secure email gateway to protect email communication. This solution provides a secure environment for the exchange of confidential, electronically signed emails with partners and customers in the widely used S/MIME standard and using PGP. For communication on this basis, you need a trustworthy digital certificate and an S/MIME-capable or PGP-capable email program.
PKI Disclosure Statement
Email Certification Authority
This document describes the obligations of the certificate owner and the external communications partner and how liability is regulated in the event of a claim.
Functions and structure
Certificates
Certificates download
Root certificate
The root certificates of Carl Zeiss AG can be checked for authenticity using the following "fingerprints":
Root certificate SHA-2 ("Carl Zeiss E-Mail CA-2028"):
Root certificate SHA-2 ("Carl Zeiss AG Root-CA-2036"):
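The fingerprint check described above, as an added example (not Carl Zeiss code). It assumes the published fingerprint is the SHA-256 digest of the certificate's DER encoding; the sample bytes are constructed stand-ins, not a real Carl Zeiss certificate, and all function names are illustrative.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in bytes, NOT a real certificate: the fingerprint is a
# hash over the DER encoding, so any byte string exercises the check.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def load_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file given as PEM or DER."""
    match = _PEM_RE.search(data.decode("latin-1"))
    if match is None:
        return data  # no PEM armor: treat the file as DER already
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the certificate's DER bytes."""
    digest = hashlib.new(algorithm, load_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(published: str) -> str:
    """Strip separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    hex_only = re.sub(r"[\s:.-]", "", published).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_only):
        raise ValueError("published fingerprint is not hexadecimal")
    return hex_only


def matches_published(data: bytes, published: str, algorithm: str = "sha256") -> bool:
    """True only if the file's full digest equals the published fingerprint."""
    expected = normalize(published)
    actual = normalize(fingerprint(data, algorithm))
    # Length check rejects truncated fingerprints; compare_digest avoids early exit.
    return len(expected) == len(actual) and hmac.compare_digest(expected, actual)
```

Pass the bytes of the downloaded root certificate file and the fingerprint string copied from this page to `matches_published`; trust the certificate in your email program only if it returns `True`.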
Certificates of Carl Zeiss AG employees
Carl Zeiss AG issues certificates to owners of email addresses, in particular to the employees of the Carl Zeiss Group. If you require such a certificate, e.g. to send an encrypted email to Carl Zeiss AG employees, simply request a signed email or the public PGP key from its owner. In the terminology of EU Directive 1999/93/EC and the German Signature Law of 16 May 2001, these are designated as "advanced signatures".
Status information
Certificates can and must be blocked to prevent any misuse. Status information (blocked/not blocked) regarding Carl Zeiss AG certificates is published on a regular basis in the certificate revocation list (CRL). When a certificate is blocked, a new certificate revocation list is issued and published.
applications.zeiss.com/cert/CRL of root CA
applications.zeiss.com/cert/CRL of email CA
Email programs can retrieve these certificate revocation lists automatically and at regular intervals. You may have to enter the addresses listed above (URLs) as well. If your email client does not support automatic updates, the certificate revocation list can be downloaded manually here and imported into the email client.
Notes
If you receive signed emails from Carl Zeiss AG and their signatures cannot be verified, check the following points:
- Your email program must be able to recognize the Carl Zeiss AG root certificate and the Secure Email root certificate and must trust them as issuers of email certificates. You can download both certificates under Certificates; you must configure the trust setting in your email program.
- Your program may require the certificate revocation lists (CRLs) of both CAs, i.e. the current information on blocked certificates of Carl Zeiss AG.
- If you are unable to send encrypted emails to a specific employee of Carl Zeiss AG, you probably do not have the digital certificate of this person.
- As an S/MIME user, ask your communication partner at Carl Zeiss AG to send you a signed email; this email will contain the certificate. Many email programs extract and save the certificate automatically, while some programs have to be prompted to do so via a specific function.
- As a PGP user, please request the public PGP key of your communication partner at Carl Zeiss AG and import it into your PGP keyring.
- Check that the signed email received from Carl Zeiss AG could be verified. Otherwise, proceed as described in the previous paragraph. Only then will the import of certificates work properly.
Should you have further questions, please contact your IT support. Further information is available from your certification department.
Public Key Disclosure Statement
Carl Zeiss issues digital certificates for its employees and business partners in accordance with the provisions of the Public Key Disclosure Statement.
The following documents of the Carl Zeiss Public Key Infrastructure (PKI) can be acquired from the contact listed in the Public Key Disclosure Statement when needed.
Certification Policy & Certification Practice Statement CP/CPS of the:
Carl Zeiss AG Root Certification Authority
Carl Zeiss AG E-mail Certification Authority