
Secure e-mail communication with BaFin

Updated on 15.02.2022

BaFin offers supervised institutions and undertakings a secure means of transmitting confidential information by e-mail.

SecureMail – Options

For transmitting e-mails securely, the following options are available:

  1. Encrypted e-mail communication using PGP or S/MIME
    To use PGP or S/MIME, you need a PGP key or an S/MIME certificate issued for your e-mail address as well as a corresponding e-mail program.
  2. SSL-protected access to a webmail portal
    If you do not have the possibility of using PGP or S/MIME, communication can take place via our GINAmail system. Once you are registered for this portal, you can use it to send e-mails to your contacts at BaFin and to receive e-mails from the
  3. Contact form
    If you want to send a message to BaFin only once, please use BaFin's contact form. Your message will be transmitted securely.

How to proceed with encrypted e-mail communication via PGP or S/MIME

To ensure that BaFin can communicate with you in encrypted form, we require a valid PGP key or a valid S/MIME certificate.

  1. Your organisation communicates encrypted with personal S/MIME certificates
    If you already own an S/MIME certificate, please send it to us as a digitally signed e-mail. Your certificate will be automatically stored in our system and linked to your e-mail address. E-mails that contain sensitive information will then be sent to you encrypted.
  2. Your organisation communicates encrypted with PGP keys
    If you already own a PGP key, please send it to us as a file attachment (.asc or .pgp). Please use the e-mail address securemail@bafin.de.
  3. Your organisation uses PGP or S/MIME domain encryption
    Please send us your domain certificate in a zip file without password protection to securemail@bafin.de.

To be able to send encrypted e-mails to BaFin, you also need the certificates or keys of BaFin:

Certificates for individual addresses can be obtained here on the “Search” Tab.

By sending an e-mail with the keyword #getcertificate at the beginning of the subject to an @bafin.de address, you can specifically query the certificate of an individual @bafin.de address.

Use our domain certificate as an alternative in order to be able to contact all addresses of BaFin in encrypted form.

How to proceed with encrypted e-mail communication via our GINAmail system

In order to use GINAmail, you must register with us once. During this process, an account for the use of the GINAmail system will be set up on our system.

To initiate the registration process, please get in touch with your contact person at BaFin. This is usually the BaFin department which is responsible for your organisation. An employee will then send you a secure e-mail. If you are not already registered, this e-mail will be retained by our system and you will receive an automatically generated registration e-mail containing further information about the registration process.

Note: You may receive a warning when this registration email is received. The reason is that this e-mail was signed by a certificate from BaFin, which is not known to your mail program. To prevent this message from appearing in the future, you can classify the certificate as trustworthy.

In the registration e-mail two possible options are described:

  1. If you do own an S/MIME certificate or a PGP key, please proceed as described above.
  2. If you want to use the webmail portal, you will first need a password. You can obtain this from your contact person.

FAQs

Question/issue: My GINAmail logon doesn’t work anymore.
Answer: Please get in touch with your contact.

Question/issue: I have forgotten/lost my password.
Answer: You can reset your password at GINAmail yourself. To do this, use the "Forgotten your password?" button at https://secmail.bafin.de/web.app.

Question/issue: I have encountered technical problems.
Answer: Please get in touch with your contact.

Question/issue: Key/certificate of my contact person has expired.
Answer: Personal certificates can be obtained here.

Question/issue: I have not been assigned a BaFin contact yet.
Answer: Please contact the BaFin department which is responsible for your organisation. If you do not receive any feedback or if you do not know the department which is responsible, please contact BaFin using our secure contact form.

Question/issue: Is my certificate/key recorded immediately when I reply to the registration e-mail?
Answer: In our system, trust relationships with some well-known certification authorities have been set up. As a result, most certificates are trusted immediately. In the case of certificates/keys that are self-signed or issued by an unknown certification authority, a manual verification may be necessary. In this verification, the fingerprint of the certificate/key that is sent to us is compared with the fingerprint of your certificate to verify that our system has received the right one. For this fingerprint comparison, you will be contacted by an administrator.

Root certificates

BaFin PKI Certification Practice Statement

Download: BaFin PKI Certification Practice Statement

BaFin PGP Root certificate

PGP (Web of Trust)

Download:

Valid from: 10.06.2015 – does not expire

Fingerprint:
82 5B B1 04 D6 7A D0 2F DD A8 6B 11 43 C9 7F 05 62 BD 86 25

BaFin Secure Mail Root CA

Note: The certificates issued by "BaFin Secure Mail Root CA" in the past are being replaced one by one.

S/MIME Root CA

Download: BaFin Secure Mail Root CA Sha256RSA 1401

Valid from: 14.01.2019 – 09.01.2039

Fingerprint:
c3 a5 ff 6a 1c 47 48 63 75 6c 6b 32 7e f8 cb 01 bf 56 5d ba

-----------------------------------------------------------------------------------

CRL: https://download.gsb.bund.de/BaFin/pki/BaFin-Sub-CA03.crl

Download: BaFin-Issuing CA 3

Valid from: 19.05.2017 - 19.05.2027

Fingerprint:
83 ad 79 67 58 3b 8c 1d ea 11 99 c7 46 3b 6e db f4 fb ac dc

-----------------------------------------------------------------------------------

CRL: https://download.gsb.bund.de/BaFin/pki/BaFin-Root-CA03.crl

Download: BaFin-Root CA 3

Valid from: 16.05.2017 - 16.05.2037

Fingerprint:
11 95 d2 16 95 fb c5 bd 80 1c e2 47 ed ca 03 60 f1 8c de 9d

-----------------------------------------------------------------------------------

CRL: https://download.gsb.bund.de/BaFin/pki/BaFin-Issuing-CA05.crl

Download: BaFin-Issuing-CA05

Valid from: 07.10.2022 - 07.10.2037

Fingerprint:
8c 40 d8 31 ee e7 94 cc a3 4e b5 70 a4 86 1b 35 db c6 48 b7

------------------------------------------------------------------------------------

CRL: https://download.gsb.bund.de/BaFin/pki/BaFin-Root-CA05.crl

Download: BaFin-Root-CA05

Valid from: 28.09.2022 - 29.09.2052

Fingerprint:
fb d3 7d 32 d3 6a 41 b6 b8 cf d0 28 d7 72 9b a7 f3 9a 63 6b

Note: Please do not use the BaFin root certificate for encryption. You can obtain our user certificates here: https://secmail.bafin.de/web.app.

BaFin PKI Certificate Policy for E-Mail Security

Download: BaFin PKI Certificate Policy for E-Mail Security

ESCB PKI - Root CA

Please also download and store the ESCB PKI Root CA:

https://pki.escb.eu/epkweb/en/repository.html

Domain certificates

BaFin PGP Domain certificate

Download: as BaFin_PGP_Domaenenzertifikat.txt and as BaFin_PGP_Domaenenzertifikat.asc

Valid from: 14.09.2009 – does not expire

Fingerprint:
C405 89EC 0009 6F77 712B AC85 863D 1529 CEC5 FDFD

S/MIME BaFin Domain certificate

Download: "BaFin_SMIME_Domaenenzertifikat.zip"

Valid from: 02.02.2022 - 02.02.2024

Fingerprint:
65:63:02:EB:12:94:A3:F7:D6:DF:CA:6E:25:73:EA:B5:B2:9D:3E:9F
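
Checking a downloaded S/MIME certificate against the fingerprints listed above, as an added example that is not part of BaFin's page. It assumes the published 20-byte values are SHA-1 hashes of the DER-encoded certificate (the page does not name the algorithm); the function names are illustrative and `SAMPLE_DER` is constructed stand-in data.

```python
import hashlib
import hmac
import re
import ssl

# X.509 fingerprints copied from this page. Assumption: each is the SHA-1
# hash of the DER-encoded certificate (the page does not name the algorithm).
PUBLISHED = {
    "BaFin Secure Mail Root CA Sha256RSA 1401": "c3 a5 ff 6a 1c 47 48 63 75 6c 6b 32 7e f8 cb 01 bf 56 5d ba",
    "BaFin-Issuing CA 3": "83 ad 79 67 58 3b 8c 1d ea 11 99 c7 46 3b 6e db f4 fb ac dc",
    "BaFin-Root CA 3": "11 95 d2 16 95 fb c5 bd 80 1c e2 47 ed ca 03 60 f1 8c de 9d",
    "BaFin-Issuing-CA05": "8c 40 d8 31 ee e7 94 cc a3 4e b5 70 a4 86 1b 35 db c6 48 b7",
    "BaFin-Root-CA05": "fb d3 7d 32 d3 6a 41 b6 b8 cf d0 28 d7 72 9b a7 f3 9a 63 6b",
    "S/MIME BaFin Domain certificate": "65:63:02:EB:12:94:A3:F7:D6:DF:CA:6E:25:73:EA:B5:B2:9D:3E:9F",
}

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def normalize_fingerprint(text):
    """Reduce spaced, colon-separated or grouped notation to 40 hex digits."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError(f"not a 20-byte hex fingerprint: {text!r}")
    return digits


def certificate_fingerprint(cert):
    """Hash the DER bytes; a PEM file is decoded first, never hashed as text."""
    if cert.lstrip().startswith(PEM_HEADER):
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    return hashlib.sha1(cert).hexdigest()


def identify(cert, published=PUBLISHED):
    """Return the published name whose fingerprint matches, else None."""
    actual = certificate_fingerprint(cert)
    for name, fingerprint in published.items():
        if hmac.compare_digest(actual, normalize_fingerprint(fingerprint)):
            return name
    return None


# Constructed stand-in bytes, not a real certificate: expected to match nothing.
SAMPLE_DER = bytes.fromhex("3003020101")

if __name__ == "__main__":
    print(certificate_fingerprint(SAMPLE_DER), identify(SAMPLE_DER))
```

A PGP fingerprint is computed over the key material rather than the downloaded file, so for the PGP keys compare the value your OpenPGP tool reports using `normalize_fingerprint` instead of hashing the .asc file.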

Additional information

Technical contact
