S/MIME is disabled by default. Enable it to start adding certificates.
Add Certificate data¶
- Add Certificate
Import public-key certificates for both your own organization and your contacts.
You can also add a bunch of certificates in one go by providing a single file with all relevant certificates.
🕵️ ALWAYS verify certificates in-person or over the phone!
The whole point of signatures is to alert you when someone is trying to pretend to be someone they’re not. Never accept a certificate from someone online without verifying it first.
📇 What about trusted certificate authorities?
In some cases (e.g., when dealing with large enterprises), you may be given a certificate for an entire CA, rather than a single contact. Add it here to trust all certificates issued by that CA.
Commercial CAs can usually be verified online. Zammad does not include a list of built-in, trusted CAs.
- Add Private Key
Once you’ve added a public-key certificate, you can import its matching private key.
Private keys are for your own organization only; never ask your contacts for their private keys.
📤 Certificates and private keys must be uploaded separately.
If your certificate and private key are bundled together in the same file or PEM block, import it twice (once using each button).
Please note that bulk imports of private keys are not possible.
Download Certificate data¶
You can download the earlier provided certificates and private keys at any time from your Zammad instance.
🔐 Passphrase-protected private keys stay protected
Downloading private keys that originally were encrypted with a passphrase will also have this state after retrieval. Knowing the password is mandatory to continue working with keys in question.
The ticket composer will set all outgoing messages to signed and encrypted by default (assuming the required certificates exist).
These defaults can be modified on a per-group basis:
Of course, agents can always manually change these settings on each email they send out.