diff --git a/ssl_mgmt/ssl_mgmt b/ssl_mgmt/ssl_mgmt
index e67204e..082bb3d 100755
--- a/ssl_mgmt/ssl_mgmt
+++ b/ssl_mgmt/ssl_mgmt
@@ -152,6 +152,12 @@ set_variables ()
 fi
 managedCerts=${managedCerts:-}
 notifiedUsers=${notifiedUsers:-}
+ if [ -n "${notifiedUsers}" -a -z "${keyId:-}" ]
+ then
+ echo -n "You must set keyId to the ID of the key to sign" >&2
+ echo " the message sent to users to be" >&2
+ echo "notified of new certificate." >&2
+ fi
 notifySubject=${notifySubject:-'New fingerprint for service $service'}
 if [ -z "${notifyTemplate:-}" ]
 then
@@ -355,11 +361,21 @@ generate_cert ()
 mv $keySubdir/$keycertFile $keyDestDir
 fingerprint="$(openssl x509 -in "$certPath" -noout -fingerprint)"
 fingerprint=${fingerprint#*=}
- if [ -n "$notifiedUsers" ]
+ if [ -n "$notifiedUsers" -a -n "$keyId" ]
 then
 eval notifySubject="\"$notifySubject\""
 eval notifyTemplate="\"$notifyTemplate\""
- mail -s "$notifySubject" $notifiedUsers < #managedCerts=
+# ID of the key to use to sign the message sent to $notifiedUsers when a
+# certificate is created or renewed.
+# DEFAULT:
+#keyId=
+
+# File containing the password to unlock the key to sign the message sent to
+# $notifiedUsers when a certificate is created or renewed.
+# DEFAULT: read from STDIN
+#keyPwdPath=
+
 # List of users to be notified when a certificate is created or renewed.
 # DEFAULT:
 #notifiedUsers=
diff --git a/ssl_mgmt/tests/1/cmdline b/ssl_mgmt/tests/1/cmdline
index 5e9a78f..9bc4556 100644
--- a/ssl_mgmt/tests/1/cmdline
+++ b/ssl_mgmt/tests/1/cmdline
@@ -1 +1 @@
-cnfFilePath=./ssl_mgmt.conf ../ssl_mgmt renew foo
+GNUPGHOME=../gnupg keyId=CAF0A71C keyPwdPath=../gpg_pwd cnfFilePath=./ssl_mgmt.conf ../ssl_mgmt renew foo
diff --git a/ssl_mgmt/tests/gnupg/pubring.gpg b/ssl_mgmt/tests/gnupg/pubring.gpg
new file mode 100644
index 0000000..b0ce778
Binary files /dev/null and b/ssl_mgmt/tests/gnupg/pubring.gpg differ
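Review bot: The new keyId check in set_variables only prints a message, so a run with notifiedUsers set and keyId missing carries on, and the matching test added in generate_cert (`[ -n "$notifiedUsers" -a -n "$keyId" ]`) then skips the fingerprint notification without failing. Since the message says keyId must be set, I would end the branch with `exit 1` (or reword it as a warning if skipping is intended), so operators do not assume recipients were told about the new certificate. set_variables also never assigns a default for keyId, so the bare `"$keyId"` in generate_cert would abort if the script runs under `set -u`, which the `${var:-}` idiom used around it suggests; adding `keyId=${keyId:-}` next to the other defaults avoids that. Both functions start and end outside the hunks, and the rest of the generate_cert hunk is truncated on this page.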
diff --git a/ssl_mgmt/tests/gnupg/secring.gpg b/ssl_mgmt/tests/gnupg/secring.gpg
new file mode 100644
index 0000000..b829c23
Binary files /dev/null and b/ssl_mgmt/tests/gnupg/secring.gpg differ
diff --git a/ssl_mgmt/tests/gnupg/trustdb.gpg b/ssl_mgmt/tests/gnupg/trustdb.gpg
new file mode 100644
index 0000000..8175c32
Binary files /dev/null and b/ssl_mgmt/tests/gnupg/trustdb.gpg differ
diff --git a/ssl_mgmt/tests/gpg_pwd b/ssl_mgmt/tests/gpg_pwd
new file mode 100644
index 0000000..39202a2
--- /dev/null
+++ b/ssl_mgmt/tests/gpg_pwd
@@ -0,0 +1 @@
+toto42
diff --git a/ssl_mgmt/tests/restore_foo_fini b/ssl_mgmt/tests/restore_foo_fini
index 0ffc0e4..4db629f 100755
--- a/ssl_mgmt/tests/restore_foo_fini
+++ b/ssl_mgmt/tests/restore_foo_fini
@@ -16,3 +16,5 @@ for file in foo-key.pem foo-keycert.pem
 do
 mv ./destdir/private/${file}.backup ./destdir/private/$file
 done
+
+rm -f ./gnupg/random_seed
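Review bot: The passphrase in tests/gpg_pwd is committed next to tests/gnupg/secring.gpg, so anyone with the repository can presumably sign as key CAF0A71C, and nothing visible in the commit marks that key as a throwaway fixture. I would document this where the fixtures live, for example a comment or README line in the tests directory such as `# gnupg/ and gpg_pwd hold a test-only signing key (CAF0A71C); never import or trust it outside this test suite`. Git does not store directory permissions, so GnuPG may also warn about unsafe permissions on the checked-out ../gnupg homedir; if the tests compare stderr, a `chmod 700` on that directory before the run would keep the output stable.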