The trust relationship to the infrastructure of the Commerzbank AG
This webpage informs you about the technical infrastructure of the Commerzbank inhouse certificate services. You will find all the information here to establish an X.509 trust between Commerzbank AG and your company to use eMail security. Information on the QuoVadis Trust Center is not filed here and should be obtained directly from QuoVadis.
The Commerzbank CA hierarchy
The Commerzbank AG uses a three-step hierarchic certificate infrastructure:- A Root-CA certificate
- A sub certificate (Sub-CA) signed by the Root-CA certificate
- The certificate of the employee, signed by the sub certificate
You have to set your email program in a way, that you either trust the Root-CA certificate (recommended) or the user certificate (with no automatically security validation via internet). The Root-CA certificate can be downloaded below:
The CA certificates
Download Root-CA certificate
- "Commerzbank AG Inhouse Root CA (SHA-1)" - Fingerprint: 9c 36 c6 c6 9e 7d ec 92 5b 7e 1b 88 e5 64 c4 cd a6 87 c4 2c
- "Commerzbank AG Inhouse Root CA2 (SHA-2)" - Fingerprint: f5 1d fd 22 ea e3 2d 97 7f 3e d2 2f 22 d1 e3 25 55 28 da 43
If you trust the Root certificate and add a certificate of an employee of the Commerzbank to your mail program, then the sub issued certificates will be installed also via the Internet. You can download the sub issued certificate here, if a problem occurs during the automated download:
Download eMail Security Sub-CA certificate
- Standard solution: “Commerzbank AG Inhouse Sub CA 03 (SHA-1)” - Fingerprint: ec bf b1 df 12 a7 79 1a be b7 13 46 39 e2 ad b8 65 66 03 db
- Standard solution: “Commerzbank AG Inhouse Sub CA 03 (SHA-2)” - Fingerprint: 3d 31 76 29 5e 25 03 75 07 51 fa e9 c0 37 8c 1c 4e f5 90 35
The Certificate Revocation List (CRL)
Different to PGP the X.509 certificates have a special security property: A special file called CRL („Certificate Revocation List“) lists all corrupted, insecure or revoked certificates. If a certificate is found in the CRL then it has a high probability that a new one was issued to the owner, which should then be used for communication. You should configure your email client in such a way, that the list is checked every time you open a signed email of a Commerzbank employee. If you have activated this function, then your PC will download such a list periodically.
You can find the current CRL here, if you have problems to download it automatically. The CRLs are signed by the issuing certificates for security reasons. To check the signature a trust relationship is necessary.
Download Certificate Revocation List (CRL)
If you have any further questions please ask your IT support. In special cases you may contact the certificate services of the bank via your Commerzbank contact.