Manage Certificates
S/MIME is disabled by default. Enable it to start adding certificates.

Manage certificates in the Admin Panel under System > Integrations > S/MIME. Certificates may be pasted in as plain text or uploaded from a file.
Add Certificate Data
- Add Certificate
Import public-key certificates for both your own organization and your contacts.
You can also add several certificates at once by providing a single file that contains all of them.
Warning
🕵️ ALWAYS verify certificates in-person or over the phone!
The whole point of signatures is to alert you when someone is trying to pretend to be someone they’re not. Never accept a certificate from someone online without verifying it first.
Note
📇 What about trusted certificate authorities?
In some cases (e.g. when dealing with large enterprises), you may be given a certificate for an entire CA, rather than a single contact. Add it here to trust all certificates issued by that CA.
Commercial CAs can usually be verified online. Zammad does not include a list of built-in, trusted CAs.
- Add Private Key
Once you’ve added a public-key certificate, you can import its matching private key.
Private keys are for your own organization only; never ask your contacts for their private keys.
A note is displayed on certificates with a matching private key (see line 2).
Note
📤 Certificates and private keys must be uploaded separately.
If your certificate and private key are bundled together in the same file or PEM block, import it twice (once using each button).
Please note that bulk imports of private keys are not possible.
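To support the verification warning and the import rules above, this added example (not Zammad code) inventories a PEM file before you import it: it computes the SHA-256 fingerprint of each certificate so you can compare it with your contact in person or over the phone, and it reports private keys and whether they are passphrase-protected. The function names and the sample bytes are assumptions made for the illustration; the sample is constructed and contains no real certificate or key.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def fingerprint(der):
    """SHA-256 over the DER bytes, as colon-separated hex for reading aloud."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def inventory(pem_text):
    """Return one dict per certificate or private key block found in the text."""
    items = []
    for label, body in PEM_BLOCK.findall(pem_text):
        lines = body.splitlines()
        # Legacy encrypted keys put "Name: value" headers before the base64 body.
        headers = [l for l in lines if ":" in l]
        der = base64.b64decode("".join(l.strip() for l in lines if ":" not in l))
        if label == "CERTIFICATE":
            items.append({"kind": "certificate", "sha256": fingerprint(der)})
        elif label.endswith("PRIVATE KEY"):
            protected = label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers)
            items.append({"kind": "private_key", "encrypted": protected})
    return items

def import_plan(items):
    """Map the inventory onto the import rules described on this page."""
    certs = sum(i["kind"] == "certificate" for i in items)
    keys = sum(i["kind"] == "private_key" for i in items)
    notes = []
    if certs and keys:
        notes.append("certificate and key in one file: import it once with each button")
    if keys > 1:
        notes.append("more than one private key: bulk key import is not possible")
    return notes

def make_pem(label, der, headers=""):
    return f"-----BEGIN {label}-----\n{headers}{base64.encodebytes(der).decode()}-----END {label}-----\n"

# Constructed sample: placeholder bytes, not a real certificate or real keys.
SAMPLE_CERT_DER = b"constructed placeholder standing in for certificate DER"
LEGACY_HEADERS = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
SAMPLE_BUNDLE = (make_pem("CERTIFICATE", SAMPLE_CERT_DER)
                 + make_pem("PRIVATE KEY", b"constructed placeholder key")
                 + make_pem("RSA PRIVATE KEY", b"constructed placeholder key", LEGACY_HEADERS))

if __name__ == "__main__":
    print(inventory(SAMPLE_BUNDLE), import_plan(inventory(SAMPLE_BUNDLE)))
```

The fingerprint is the same value that `openssl x509 -noout -fingerprint -sha256` reports for a real certificate, so your contact can read theirs from either tool.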
Download Certificate Data
You can download previously added certificates and private keys from your Zammad instance at any time.
Passphrase-protected private keys stay protected: you need to know the passphrase to use them after downloading.

Download stored certificates and their keys
Default Behavior
The ticket composer will set all outgoing messages to signed and encrypted by default (assuming the required certificates exist).
These defaults can be modified on a per-group basis.
Of course, agents can always manually change these settings on each email they send out.