E-Mail Encryption and Signing within Allianz Group

In order to transparently exchange encrypted and/or digitally signed Email with exployees of Allianz Group Companies you require:

1. a digital cerificate issued by a Certification Authority accepted by Allianz Group
   (for accepted CAs click here)
   
   
2. an established trust for Allianz UserCA V (our Issuing CA for Email Encryption Certificates)
   
   
3. an Email Client (e.g. MS Outlook, Outlook Express, Lotus Notes, Mozilla Thunderbird etc.) compliant with the S/MIME standard for Email Encryption and Signature.

Step 1: Importing Allianz Group CA-Certificates into your local certificate store

For your Email Programm to be able to verify/trust your communication partner's Allianz UserCA V certificate you first need to have the Allianz UserCA V Intermediate Certificate and the Alllianz Group Root CA II Root Certificate installed in your local browser store.

Clicking the following two links will download the CA Certificates and prompt for installation:

• Allianz Root CA III (Root CA Certificate)
• Allianz UserCA V(Intermediate CA Certificate
  

Download Links for more file formats (eg. Registry Keys) are available here.

Step 2: Enrolling for a digital S/MIME Certificate with a trusted CA

You request a certificate on-line from a reputable, recognized Certification Authority. The CA will examine your request and take steps required to establish your identity and the veracity of the information given by you.

Mind that there are different security levels for certificates depending on the thouroughness of the registration procedure practiced by the CA: For example: a certificate issued after no more than an on-line verification of your e-mail account is considered less trustworthy than a certificate issued only after completing a registration procedure involving appearance in person and producing identity documents (e.g. PostIdent in Germany).

Allianz Group has assessed the enrolment procedures of various CAs and compiled a list of accepted issuers that we consider trustworthy. (For particulars about the enrolment procedure - please consult the respective CA's website.)
Only holding a certificate from one of these issuers you will be able to communicate via secure mail with Allianz Group employees. Certificates issued by other CAs will not be accepted.

Step 3: Exchanging digital certificates with Allianz Group employees

Provided you have acquired a trusted digital certificate and your e-mail programm can do S/MIME, you and the person within Allianz Group you wish to communicate with, still have gain possession of the other's personal certificate.

Two alternative ways exist to accomplish this:

(1) Making your encryption certificate available to all Allianz employees via Allianz Group Directory

Send a digitally signed e-mail to Collect@cert.allianz.com. (mail subject and body do not matter).
Your encryption certificate* will then automatically be extracted from your e-mail and published to Allianz Group Directory, where Allianz employees will now be able to retrieve it and encrypt e-mail for you, provided they correctly know your fully qualified e-mail address.

(*Typically e-mail clients are configured to deliver a user's encryption certificate along with their signing certificate even when you expressly only sign (and not encrypt) an e-mail. In case your E-mail client does not automatically do so, as a workaround you may export your encryption certificate to a file and then send it to Collect@cert.allianz.com as an e-mail attachment).

If you later decide you don't want your certificate public any more, send a digitally signed e-mail to the above e-mail address, only with UNSUBSCRIBE as subject and no further content. If - later again - you change your mind once more, send a digitally signed e-mail with SUBSCRIBE as subject and no further content.

Note that having your certificate published to Allianz Group Directory paves the way for secure mail communications only in your direction. Each party on the Allianz side whom you wish to send encrypted mail, will previously have to send you a digitally signed mail (optionally encrypted - they already have your certificate) to give you the opportunity to import his or her digital certificate as well (see 2).

(2) Exchanging Certificates with individuals

Send a digitally signed (but non-encrypted) email to the person you want to communicate with on the Allianz side. This person will now have to import your certificate into his/her e-mail programm. Likewise the person on the Allianz side sends you a digitally signed mail which you will import into your e-mail client. Now the two of you can communicate via secure e-mail. (See Configuration E-mail Clients for detailed instructions for the most common clients).