Fortinet black logo

Administration Guide

Configuring PKI authentication on FortiMail

Configuring PKI authentication on FortiMail

This section provides an example process for configuring PKI authentication on FortiMail.

Caution

The process described in this section is an example of one specific method for configuring PKI authentication on FortiMail. This process is not intended to replace the generic FortiMail PKI configuration procedures provided in other parts of this Administration Guide, or local operating practices.

The procedures in this document are intended for FortiMail administrators responsible for requesting, generating and delivering signed certificates on behalf of all end-users to enable PKI authentication on FortiMail.

Before you begin

When PKI authentication is configured and enabled, client certificates enable the administrator to access the web UI and the end-user to access webmail. This section includes procedures to create server certificates to enable the FortiMail unit to communicate with other devices using PKI authentication (that is, an SMTP server), create and distribute client certificates, and to configure and enable PKI authentication on the FortiMail unit for the users.

This document assumes that you have configured your CA server and are running your own local certification authority (CA). Generating certificates through a commercial CA is not included in this document.

The tasks involved in configuring PKI authentication on FortiMail require a thorough understanding of public-key cryptography, security certificates and certification processes.

The procedures in this document use tools such as Microsoft Management Console (MMC) and the Microsoft Certificate Service (MSCS) to generate certificates for PKI authentication on FortiMail. These tools enable the administrator to create customized client certificates on behalf of all end-users.

Once a client certificate is generated, the administrator must export and transmit that client certificate to the appropriate end-user, and instruct the end-user how to import the client certificate into their browser.

All client certificates and related private keys (usually saved in PKCS12 format) must be stored securely to prevent unauthorized use of the private key and client certificate.

PKI configuration work flow

Example PKI configuration work flow is a work flow diagram that shows an example method for requesting, generating and delivering client certificates to FortiMail end-users and administrators, and for configuring the FortiMail unit for PKI authentication. The procedures cover PKI authentication requirements for FortiMail server, transparent and gateway operation modes. Each block in the work flow diagram is supported by a detailed procedure to complete the task.

Perform the tasks in the order specified by the work flow diagram.

Prerequisites

Ensure that you have completed the following before performing any PKI configuration tasks:

  • Read Before you begin.
  • Installed Windows Server 2003, Enterprise Edition.
  • Configured a Windows Server 2003 server as a stand-alone certification authority (CA).
  • Have access to Microsoft Internet Explorer version 7 or higher.
  • Installed Microsoft Certificate Services (MSCS) with web enrollment on the CA server.
Example PKI configuration work flow

Creating a custom certificate request template using MMC

Use this procedure to create a custom certificate request template using the Microsoft Management Console (MMC).

MMC comes with a variety of certificate templates. However, none of those templates are designed to meet the specific needs of FortiMail. A custom certificate template includes all information required by the FortiMail certification authority (CA) server to establish the identity of the client and create trusts for the secure exchange of information.

The custom certificate request template removes ambiguity and enables administrators to create certificate signature requests (CSR) specifically for FortiMail clients (that is, email users and administrators).

The custom certificate template is created using the MMC Certificate Template snap-in.

Before you begin this procedure, refer to Prerequisites.

To create a custom certificate template
  1. Log in to the local certificate authority (CA) server and start MMC (on the Start Menu, click Run, type MMC, and then click OK).
  2. In the Console Root folder, add the Certificate Template and Certificate Authority snap-ins.
  3. Select the Certificate Templates snap-in from the Console Root folder.
  4. In the right pane, right-click User in the Template Display Name column and select Duplicate Template from the drop-down menu.
  5. The Properties of New Template window appears.

  6. On the General tab, fill in the template name, validity period and renewal period according to your specific requirements.
  7. On the Request Handling tab, select Signature and encryption in the Purpose field.
  8. On the Subject Name tab, select Supply in the request. A subject name must be supplied in the request because the default subject name does not work with FortiMail.
  9. On the Security tab, select Administrator and select (check) Allow as the Enroll Permission for Administrator.
  10. On the Extensions tab, select Application Policies and verify that Client Authentication appears in Description of Application Policies.
  11. On the Superseded Templates tab, select User in the Certificate templates area. This is the template that will be used as a base for the new template.
  12. Leave the remainder of the settings on the Properties of New Template window as their default values and click OK.
  13. The new template is created and stored on the local certificate authority (CA) server.

  14. Select the Certificate Authority snap-in from the Console Root folder.
  15. Right-click Certificate Template and select New > Certificate Template to Issue.
  16. The Enable Certificate Templates window appears.

  17. Select the new template created in step On the General tab, fill in the template name, validity period and renewal period according to your specific requirements. and click OK.
  18. The new custom template is now installed on the local certificate authority (CA).

  19. Once the custom template installed, you can proceed to Requesting a client certificate to create client certificates, or Downloading a CA certificate for FortiMail to configure FortiMail.

Requesting a client certificate

Use this procedure to request a client certificate using the Microsoft Certificate Services (MSCS) web enrollment tool.

A client certificate is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key.

Certificates are generally used to establish identity and create trusts for the secure exchange of information. Therefore, certification authorities (CAs) can issue certificates to people, such as FortiMail end-users, and to devices, such as the FortiMail unit itself when acting as a client of an SMTP mail server.

The entity that receives the certificate is the subject of the certificate. The issuer and signer of the certificate is a certification authority (CA).

Typically, certificates contain the following information:

  • The subject's public key value.
  • The subject's identifier information, such as the name and e-mail address.
  • The validity period (the length of time that the certificate is considered valid).
  • Issuer identifier information.
  • The digital signature of the issuer, which attests to the validity of the binding between the subject’s public key and the subject’s identifier information.

Every certificate contains Valid From and Valid To dates, which set the boundaries of the validity period. Once a certificate's validity period has passed, a new certificate must be requested by the subject of the now-expired certificate.

Note

This document assumes all certificates are requested by the administrator on behalf of end-users. Certificate creation by individual end-users is beyond the scope of this document. If end users are permitted to create their own certificates, refer to the documentation accompanying the tools used by the end-user to create their own certificates.

To create a client certificate
  1. Open your web browser and enter the following in the address bar:
  2. http://<ip_of_your_ms_ca_server>/certsrv/

    Where <ip_of_your_ms_ca_server> is the IP address of the Windows 2003 Server that hosts the local Certification Authority (CA).

  3. Log in to the CA server as administrator.
  4. The Microsoft Certificate Services home page for your local CA appears.

  5. Select the Request a certificate link.
  6. The Request a Certificate page appears.

  7. Click the Advanced certificate request link.
  8. The Advanced Certificate Request page appears.

  9. Click Create and Submit a request to this CA link.
  10. The Certificate Request Template appears.

  11. In the Certificate Template drop-down list, select the new template created in Creating a custom certificate request template using MMC.
  12. Fill in the Name field with the email address of the end-user (subject) on behalf of which the client certificate request is being made.
  13. Note

    For the purposes of FortiMail, the Name field must exactly match the email address of the end-user recorded in the FortiMail unit. For more information, see Creating email accounts on FortiMail for PKI users.
    If desired, the full name of the user can be entered in the Friendly Name field.

  14. Click Submit to send a certificate signature request (CSR) to the CA server on behalf of the end-user.
  15. If a message appears, warning you that the Website is requesting a new certification on your behalf, click Yes to proceed.
  16. Once the CA server completes processing the request, the Certificate Issued window appears.

  17. Click the Install this certificate link to load the certificate into the certificate store on your browser.
  18. If a message appears, warning you that the web site is adding one or more certificates to your computer, click Yes to proceed.
  19. The Certificate Installed window appears.

    The client certificate is now stored in certificate store on your browser. The certificate is stored with the name specified in steps Fill in the Name field with the email address of the end-user (subject) on behalf of which the client certificate request is being made..

  20. Return to the Microsoft Certificate Services (MSCS) home page for your local CA and repeat steps Select the Request a certificate link. through If a message appears, warning you that the web site is adding one or more certificates to your computer, click Yes to proceed. for each end-user that will communicate with FortiMail using PKI authentication.
  21. Proceed to Exporting a client certificate to export and transmit the client certificate to the end-user.

Exporting a client certificate

Use this procedure to export and transmit a client certificate created in Requesting a client certificate to the appropriate end-user.

The client certificate must reside in the certificate store of the end-user computer before the end-user can connect to the FortiMail unit using PKI authentication.

To export and transmit the client certificate
  1. Open your browser, and select Tools > Internet Options > Content > Certificates.
  2. The Certificates window appears.

  3. Select the Personal tab to display a list of the client certificates created in Requesting a client certificate.
  4. Select a client certificate from the list and click Export to export the certificate.
  5. The Certificate Export Wizard welcome page appears.

  6. Click Next to continue from the Certificate Export welcome page.
  7. The Export Private Key window appears.

    Note

    You must export the private key at the same time as the certificate. The private key is associated with a specific end-user, and contains information used by the certification authority to authenticate the end-user. Private keys must be password protected, and must be securely transmitted to end-users.

  8. Select Yes, export the private key and select Next.
  9. The Export File Format window appears.

  10. Select Personal Information Exchange - PKCS #12 (.PFX) as the file format.
  11. Select Enable strong protection for the password and select Next.
  12. The Password selection window appears.

  13. Enter and confirm a password for the certificate and select Next.
  14. The File name window appears.

  15. Enter a unique file name for the certificate and browse to the location where you want to save the exported certificate and private key.
  16. Note

    For clarity, a consistent naming convention should be used for client certificate names, email account names, PKI user names and recipient base policy names. This will help associate specific users with the various components of PKI authentication.

  17. When Completing Certificate Export Wizard appears, click Finish to export the certificate and private key to the location specified in step Enter a unique file name for the certificate and browse to the location where you want to save the exported certificate and private key..
  18. The certificate and private key are exported to the specified location as a single file with a .pfx extension.

  19. Transmit the certificate .pfx file to the end-user, along with instructions on what the user has to do to install the certificate on their web browser.
  20. Proceed to Importing a client certificate to an end-user browser to import the certificate .pfx file on the end-user browser.

Importing a client certificate to an end-user browser

Use this procedure to import the client certificate into the end-user browser. The certificate is transmitted from the administrator in a .pfx file, using the procedure Exporting a client certificate.

Note

The following is a generic procedure for importing a certificate into a browser. You must provide the end-user with specific instructions for importing the certificate according to browser type/version and local operating procedures.

To import a client certificate into Internet Explorer
  1. Retrieve the .pfx file that was transmitted to the end-user from the administrator and store the file in a folder that is accessible from the end-user computer.
  2. Open an IE browser on the end-user computer, and select Tools > Internet Options > Content > Certificates and select the Personal tab.
  3. The Certificates window appears.

  4. Open the Personal tab and select Import.
  5. The Certificate Import Wizard welcome page appears.

  6. Click Next to continue from the Certificate Import welcome page.
  7. The File to Import window appears.

  8. Select Browse and ensure that the Files of type is set to Personal Information Exchange (*.pfx, *.p12), or All Files (*.*), or whatever file format was used to export the certificate in Exporting a client certificate.
  9. Browse to the location on the end-user computer where the .pfx file is stored, select the certificate file and select Open.
  10. The path to the certificate location appears in the File to Import window. Select Next.
  11. The Password window appears.

  12. Type the password supplied by the administrator that is used to retrieve the private key and select Next.
  13. The Certificate Store window appears.

  14. Select the Place all certificates in the following store button, browse to the Personal Certificate Store and select Next.
  15. When Completing Certificate Import Wizard appears, click Finish to import the certificate and private key to the location specified in step Select the Place all certificates in the following store button, browse to the Personal Certificate Store and select Next..
  16. The certificate and private key are now imported to the Personal certificate store in the end-user browser. The browser is now has the appropriate client certificate for PKI authentication on the FortiMail unit.

  17. Proceed to Creating email accounts on FortiMail for PKI users.

Downloading a CA certificate for FortiMail

Use this procedure to download a CA certificate from your CA server to your local certificate store. The CA certificate will then be imported to FortiMail and used as part of the client authentication process when end-users connect to FortiMail.

To download a CA certificate
  1. Open your web browser and enter the following in the address bar:
  2. http://<ip_of_your_ms_ca_server>/certsrv/

    Where <ip_of_your_ms_ca_server> is the IP address of the Windows 2003 Server that hosts the local Certification Authority (CA).

  3. Log in to the CA server as administrator.
  4. The Microsoft Certificate Services (MSCS) home page for your local CA appears.

  5. Select the Download CA certificate link.
  6. The Download a CA Certificate page appears.

  7. Select Base64 as the CA certificate encoding method.
  8. Click Download CA certificate and choose a location to save the CA certificate.
  9. Proceed to Importing a CA certificate to FortiMail to import the CA certificate into the FortiMail unit.

Importing a CA certificate to FortiMail

Use this procedure to import a CA certificate that was downloaded in Downloading a CA certificate for FortiMail.

Use the FortiMail web UI and the following procedure to import the CA certificate.

  1. From System > Certificate > CA Certificate, select the Import button.

Creating email accounts on FortiMail for PKI users

An email account must exist on the FortiMail unit for each PKI user. End-users cannot be authenticated using PKI if their email accounts do not exist on FortiMail, even if they have the required client certificate installed in their browsers.

The FortiMail operation mode determines whether end user email accounts are created automatically by FortiMail (transparent and gateway modes) or whether the end-user accounts need to be created manually on FortiMail (server mode).

If the FortiMail units is operating in server mode, see Configuring local user accounts (server mode only) to manually create end-user email accounts.

If the FortiMail unit is operating in gateway or transparent mode, the FortiMail unit can be configured to store quarantined (spam) email. In this configuration, email accounts are created automatically on the FortiMail unit when it receives quarantined email. The quarantined email is stored in a bulk folder on the FortiMail unit. The email user can review, delete or release their quarantined email. For more information, see Managing the quarantines.

Once the email accounts are created on FortiMail, proceed to Configuring PKI authentication.

A PKI user can be either an individual email user, all email users associated with a specific domain, or a FortiMail administrator.

Caution

If PKI authentication is used for email users and for FortiMail administrators, ensure that unique PKI users are created for the administrator accounts, and those PKI users are associated with the appropriate administrator accounts. For more information, see Configuring PKI access for administrators.

Failure to create unique PKI users for administrators could result in email user access to administrator functions.

Once the PKI user is created on FortiMail, proceed to Configuring policy for PKI access to webmail (server mode).

Configuring policy for PKI access to webmail (server mode)

Use this procedure to configure a recipient based policy for email access using PKI authentication.

This procedure applies only if the FortiMail unit is operating in server mode. In server mode, PKI users can access all email, including quarantine email, stored on the FortiMail unit.

If the FortiMail unit is operating in transparent or gateway mode, see Configuring policies for PKI access to email quarantine (transparent and gateway mode).

  1. Ensure that the CA certificate has been imported to the FortiMail unit. For more information, see Importing a CA certificate to FortiMail.
  2. Create a PKI user for each webmail user that requires access to regular email residing on the FortiMail unit (server mode). For more information, see Configuring PKI authentication.
  3. From Policy > Recipient Policy, select New to create a new recipient based policy, or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses.
  4. In the recipient based policy, expand Advanced Setting and configure the following:
  • Ensure the Enable PKI authentication for webmail access is enabled.
  • If desired, select a PKI user name from the drop-down list.
Caution

Ensure the PKI user is appropriate for the selected recipient. Choosing the wrong PKI user could result in email user access to administrator functions. For more information, see Configuring PKI authentication.

  • Ensure Certificate validation is mandatory is enabled. This will enforce PKI authentication for the specified PKI user.
  • Repeat steps From Policy > Recipient Policy, select New to create a new recipient based policy, or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses. and In the recipient based policy, expand Advanced Setting and configure the following: for each webmail PKI user.
  • If there are quarantine email PKI users to add, proceed to Configuring policies for PKI access to email quarantine (transparent and gateway mode). Otherwise, proceed to Configuring PKI access for administrators.
  • Configuring policies for PKI access to email quarantine (transparent and gateway mode)

    Use this procedure to configure a recipient-based policy for quarantine (spam) email access using PKI authentication.

    This procedure applies only if the FortiMail unit is operating in gateway or transparent modes. In gateway or transparent mode, the FortiMail unit can be configured to store regular email on an SMTP server and quarantine email in a bulk folder on the FortiMail unit. From the end-user perspective, connection to the regular email folders and bulk (quarantine) email folder is seamless, but the folders actually reside on two separate servers.

    For more information on storing quarantine email on FortiMail, see Managing the quarantines.

    To configure access to email quarantine using PKI
    1. Ensure that the CA certificate has been imported to the FortiMail unit. For more information, see Importing a CA certificate to FortiMail.
    2. Create a PKI user for each email user that requires access to quarantine email. For more information, see Configuring PKI authentication.
    3. From Policy > Recipient Policy, select New to create a new recipient based policy for quarantined email or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses.
    4. Expand Advanced Setting and configure the following:
    • Ensure the Enable PKI authentication for webmail access is enabled.
    • If desired, select a PKI user name from the drop-down list.
    Caution

    Ensure the PKI user is appropriate for the selected recipient. Choosing the wrong PKI user could result in email user access to administrator functions.

    • Ensure Certificate validation is mandatory is enabled. This will enforce PKI authentication for the specified PKI user.
  • Repeat steps From Policy > Recipient Policy, select New to create a new recipient based policy for quarantined email or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses. and Expand Advanced Setting and configure the following: for each PKI user that requires access to quarantine email.
  • Proceed to Configuring PKI access for administrators
  • Configuring PKI access for administrators

    Use this procedure to configure PKI authentication for administrative access to the FortiMail unit. This procedure applies only to administrators, and can be used if the FortiMail unit is operating server, transparent or gateway mode.

    1. Ensure that the CA certificate has been imported to the FortiMail unit. For more information, see Importing a CA certificate to FortiMail.
    2. Create a PKI user for each administrator that requires to access FortiMail administrative functions. For more information, see Configuring PKI authentication.
    3. From System > Administrator, select an existing administrator or create a new administrator account for which PKI authentication will be used. For more information, see Configuring administrator accounts and access profiles.
    4. In the Administer window, configure the following:
    • Select PKI from the Auth type drop-down list.
    • Select the appropriate PKI user name from the PKI user drop-down list.
  • Repeat steps From System > Administrator, select an existing administrator or create a new administrator account for which PKI authentication will be used. For more information, see Configuring administrator accounts and access profiles. and In the Administer window, configure the following: for each administrative PKI user.
  • Return to the Enabling PKI authentication globally with CLI.
  • Enabling PKI authentication globally with CLI

    Use this procedure to enable PKI authentication globally. PKI authentication is enabled globally using the command line interface (CLI). Using CLI ensure that PKI authentication is enabled for all domains.

    For more information on CLI commands, see the FortiMail CLI Reference.

    To enable PKI authentication with CLI
    1. Open a CLI session on the FortiMail unit.
    2. Enter the following CLI commands:

    config system global

    set pki-mode enable

    end

      PKI authentication is now enabled for all designated users (email and administrator) and domains.

      From this point forward, when email users access their webmail, or when administrators connect to the FortiMail unit, they will be prompted to confirm their client certificate when connecting to FortiMail.

      Proceed to Testing PKI authentication to validate that PKI authentication is working properly.

    Testing PKI authentication

    Comment: Procedure is based on original Webmail PKI Tech Note, Appendix steps 7.

    Use this procedure to test whether PKI authentication is working properly.

    To test PKI authentication
    1. From a client browser that has been configured for PKI authentication, enter the URL of the webmail server.
    2. Verify that a Confirm Certificate prompt appears.
    3. If the Confirm Certificate prompt appears, select OK and go to step The user is automatically logged on. The FortiMail webmail account and all appropriate folder appear in their browser..
    4. If the certificate confirmation prompt does not appears, it might be because the FortiMail HHTP server has not yet loaded the new settings. Enter the following CLI command to manually enforce a reload of the configuration.

      execute reload

    5. Return to step From a client browser that has been configured for PKI authentication, enter the URL of the webmail server. and try the URL again.
    6. The user is automatically logged on. The FortiMail webmail account and all appropriate folder appear in their browser.
    7. This confirms that the certificate bound to the end-user browser is valid, and that PKI authentication is working properly.

      All users and administrators configured for PKI authentication can now log in to FortiMail without password.

    Configuring PKI authentication on FortiMail

    This section provides an example process for configuring PKI authentication on FortiMail.

    Caution

    The process described in this section is an example of one specific method for configuring PKI authentication on FortiMail. This process is not intended to replace the generic FortiMail PKI configuration procedures provided in other parts of this Administration Guide, or local operating practices.

    The procedures in this document are intended for FortiMail administrators responsible for requesting, generating and delivering signed certificates on behalf of all end-users to enable PKI authentication on FortiMail.

    Before you begin

    When PKI authentication is configured and enabled, client certificates enable the administrator to access the web UI and the end-user to access webmail. This section includes procedures to create server certificates to enable the FortiMail unit to communicate with other devices using PKI authentication (that is, an SMTP server), create and distribute client certificates, and to configure and enable PKI authentication on the FortiMail unit for the users.

    This document assumes that you have configured your CA server and are running your own local certification authority (CA). Generating certificates through a commercial CA is not included in this document.

    The tasks involved in configuring PKI authentication on FortiMail require a thorough understanding of public-key cryptography, security certificates and certification processes.

    The procedures in this document use tools such as Microsoft Management Console (MMC) and the Microsoft Certificate Service (MSCS) to generate certificates for PKI authentication on FortiMail. These tools enable the administrator to create customized client certificates on behalf of all end-users.

    Once a client certificate is generated, the administrator must export and transmit that client certificate to the appropriate end-user, and instruct the end-user how to import the client certificate into their browser.

    All client certificates and related private keys (usually saved in PKCS12 format) must be stored securely to prevent unauthorized use of the private key and client certificate.

    PKI configuration work flow

    Example PKI configuration work flow is a work flow diagram that shows an example method for requesting, generating and delivering client certificates to FortiMail end-users and administrators, and for configuring the FortiMail unit for PKI authentication. The procedures cover PKI authentication requirements for FortiMail server, transparent and gateway operation modes. Each block in the work flow diagram is supported by a detailed procedure to complete the task.

    Perform the tasks in the order specified by the work flow diagram.

    Prerequisites

    Ensure that you have completed the following before performing any PKI configuration tasks:

    • Read Before you begin.
    • Installed Windows Server 2003, Enterprise Edition.
    • Configured a Windows Server 2003 server as a stand-alone certification authority (CA).
    • Have access to Microsoft Internet Explorer version 7 or higher.
    • Installed Microsoft Certificate Services (MSCS) with web enrollment on the CA server.
    Example PKI configuration work flow

    Creating a custom certificate request template using MMC

    Use this procedure to create a custom certificate request template using the Microsoft Management Console (MMC).

    MMC comes with a variety of certificate templates. However, none of those templates are designed to meet the specific needs of FortiMail. A custom certificate template includes all information required by the FortiMail certification authority (CA) server to establish the identity of the client and create trusts for the secure exchange of information.

    The custom certificate request template removes ambiguity and enables administrators to create certificate signature requests (CSR) specifically for FortiMail clients (that is, email users and administrators).

    The custom certificate template is created using the MMC Certificate Template snap-in.

    Before you begin this procedure, refer to Prerequisites.

    To create a custom certificate template
    1. Log in to the local certificate authority (CA) server and start MMC (on the Start Menu, click Run, type MMC, and then click OK).
    2. In the Console Root folder, add the Certificate Template and Certificate Authority snap-ins.
    3. Select the Certificate Templates snap-in from the Console Root folder.
    4. In the right pane, right-click User in the Template Display Name column and select Duplicate Template from the drop-down menu.
    5. The Properties of New Template window appears.

    6. On the General tab, fill in the template name, validity period and renewal period according to your specific requirements.
    7. On the Request Handling tab, select Signature and encryption in the Purpose field.
    8. On the Subject Name tab, select Supply in the request. A subject name must be supplied in the request because the default subject name does not work with FortiMail.
    9. On the Security tab, select Administrator and select (check) Allow as the Enroll Permission for Administrator.
    10. On the Extensions tab, select Application Policies and verify that Client Authentication appears in Description of Application Policies.
    11. On the Superseded Templates tab, select User in the Certificate templates area. This is the template that will be used as a base for the new template.
    12. Leave the remainder of the settings on the Properties of New Template window as their default values and click OK.
    13. The new template is created and stored on the local certificate authority (CA) server.

    14. Select the Certificate Authority snap-in from the Console Root folder.
    15. Right-click Certificate Template and select New > Certificate Template to Issue.
    16. The Enable Certificate Templates window appears.

    17. Select the new template created in step On the General tab, fill in the template name, validity period and renewal period according to your specific requirements. and click OK.
    18. The new custom template is now installed on the local certificate authority (CA).

    19. Once the custom template installed, you can proceed to Requesting a client certificate to create client certificates, or Downloading a CA certificate for FortiMail to configure FortiMail.

    Requesting a client certificate

    Use this procedure to request a client certificate using the Microsoft Certificate Services (MSCS) web enrollment tool.

    A client certificate is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key.

    Certificates are generally used to establish identity and create trusts for the secure exchange of information. Therefore, certification authorities (CAs) can issue certificates to people, such as FortiMail end-users, and to devices, such as the FortiMail unit itself when acting as a client of an SMTP mail server.

    The entity that receives the certificate is the subject of the certificate. The issuer and signer of the certificate is a certification authority (CA).

    Typically, certificates contain the following information:

    • The subject's public key value.
    • The subject's identifier information, such as the name and e-mail address.
    • The validity period (the length of time that the certificate is considered valid).
    • Issuer identifier information.
    • The digital signature of the issuer, which attests to the validity of the binding between the subject’s public key and the subject’s identifier information.

    Every certificate contains Valid From and Valid To dates, which set the boundaries of the validity period. Once a certificate's validity period has passed, a new certificate must be requested by the subject of the now-expired certificate.

    Note

    This document assumes all certificates are requested by the administrator on behalf of end-users. Certificate creation by individual end-users is beyond the scope of this document. If end users are permitted to create their own certificates, refer to the documentation accompanying the tools used by the end-user to create their own certificates.

    To create a client certificate
    1. Open your web browser and enter the following in the address bar:
    2. http://<ip_of_your_ms_ca_server>/certsrv/

      Where <ip_of_your_ms_ca_server> is the IP address of the Windows 2003 Server that hosts the local Certification Authority (CA).

    3. Log in to the CA server as administrator.
    4. The Microsoft Certificate Services home page for your local CA appears.

    5. Select the Request a certificate link.
    6. The Request a Certificate page appears.

    7. Click the Advanced certificate request link.
    8. The Advanced Certificate Request page appears.

    9. Click Create and Submit a request to this CA link.
    10. The Certificate Request Template appears.

    11. In the Certificate Template drop-down list, select the new template created in Creating a custom certificate request template using MMC.
    12. Fill in the Name field with the email address of the end-user (subject) on behalf of which the client certificate request is being made.
    13. Note

      For the purposes of FortiMail, the Name field must exactly match the email address of the end-user recorded in the FortiMail unit. For more information, see Creating email accounts on FortiMail for PKI users.
      If desired, the full name of the user can be entered in the Friendly Name field.

    14. Click Submit to send a certificate signature request (CSR) to the CA server on behalf of the end-user.
    15. If a message appears, warning you that the Website is requesting a new certification on your behalf, click Yes to proceed.
    16. Once the CA server completes processing the request, the Certificate Issued window appears.

    17. Click the Install this certificate link to load the certificate into the certificate store on your browser.
    18. If a message appears, warning you that the web site is adding one or more certificates to your computer, click Yes to proceed.
    19. The Certificate Installed window appears.

      The client certificate is now stored in certificate store on your browser. The certificate is stored with the name specified in steps Fill in the Name field with the email address of the end-user (subject) on behalf of which the client certificate request is being made..

    20. Return to the Microsoft Certificate Services (MSCS) home page for your local CA and repeat steps Select the Request a certificate link. through If a message appears, warning you that the web site is adding one or more certificates to your computer, click Yes to proceed. for each end-user that will communicate with FortiMail using PKI authentication.
    21. Proceed to Exporting a client certificate to export and transmit the client certificate to the end-user.

    Exporting a client certificate

    Use this procedure to export and transmit a client certificate created in Requesting a client certificate to the appropriate end-user.

    The client certificate must reside in the certificate store of the end-user computer before the end-user can connect to the FortiMail unit using PKI authentication.

    To export and transmit the client certificate
    1. Open your browser, and select Tools > Internet Options > Content > Certificates.
    2. The Certificates window appears.

    3. Select the Personal tab to display a list of the client certificates created in Requesting a client certificate.
    4. Select a client certificate from the list and click Export to export the certificate.
    5. The Certificate Export Wizard welcome page appears.

    6. Click Next to continue from the Certificate Export welcome page.
    7. The Export Private Key window appears.

      Note

      You must export the private key at the same time as the certificate. The private key is associated with a specific end-user, and contains information used by the certification authority to authenticate the end-user. Private keys must be password protected, and must be securely transmitted to end-users.

    8. Select Yes, export the private key and select Next.
    9. The Export File Format window appears.

    10. Select Personal Information Exchange - PKCS #12 (.PFX) as the file format.
    11. Select Enable strong protection for the password and select Next.
    12. The Password selection window appears.

    13. Enter and confirm a password for the certificate and select Next.
    14. The File name window appears.

    15. Enter a unique file name for the certificate and browse to the location where you want to save the exported certificate and private key.
    16. Note

      For clarity, a consistent naming convention should be used for client certificate names, email account names, PKI user names and recipient base policy names. This will help associate specific users with the various components of PKI authentication.

    17. When Completing Certificate Export Wizard appears, click Finish to export the certificate and private key to the location specified in step Enter a unique file name for the certificate and browse to the location where you want to save the exported certificate and private key..
    18. The certificate and private key are exported to the specified location as a single file with a .pfx extension.

    19. Transmit the certificate .pfx file to the end-user, along with instructions on what the user has to do to install the certificate on their web browser.
    20. Proceed to Importing a client certificate to an end-user browser to import the certificate .pfx file on the end-user browser.

    Importing a client certificate to an end-user browser

    Use this procedure to import the client certificate into the end-user browser. The certificate is transmitted from the administrator in a .pfx file, using the procedure Exporting a client certificate.

    Note

    The following is a generic procedure for importing a certificate into a browser. You must provide the end-user with specific instructions for importing the certificate according to browser type/version and local operating procedures.

    To import a client certificate into Internet Explorer
    1. Retrieve the .pfx file that was transmitted to the end-user from the administrator and store the file in a folder that is accessible from the end-user computer.
    2. Open an IE browser on the end-user computer, and select Tools > Internet Options > Content > Certificates and select the Personal tab.
    3. The Certificates window appears.

    4. Open the Personal tab and select Import.
    5. The Certificate Import Wizard welcome page appears.

    6. Click Next to continue from the Certificate Import welcome page.
    7. The File to Import window appears.

    8. Select Browse and ensure that the Files of type is set to Personal Information Exchange (*.pfx, *.p12), or All Files (*.*), or whatever file format was used to export the certificate in Exporting a client certificate.
    9. Browse to the location on the end-user computer where the .pfx file is stored, select the certificate file and select Open.
    10. The path to the certificate location appears in the File to Import window. Select Next.
    11. The Password window appears.

    12. Type the password supplied by the administrator that is used to retrieve the private key and select Next.
    13. The Certificate Store window appears.

    14. Select the Place all certificates in the following store button, browse to the Personal Certificate Store and select Next.
    15. When Completing Certificate Import Wizard appears, click Finish to import the certificate and private key to the location specified in step Select the Place all certificates in the following store button, browse to the Personal Certificate Store and select Next..
    16. The certificate and private key are now imported to the Personal certificate store in the end-user browser. The browser is now has the appropriate client certificate for PKI authentication on the FortiMail unit.

    17. Proceed to Creating email accounts on FortiMail for PKI users.

    Downloading a CA certificate for FortiMail

    Use this procedure to download a CA certificate from your CA server to your local certificate store. The CA certificate will then be imported to FortiMail and used as part of the client authentication process when end-users connect to FortiMail.

    To download a CA certificate
    1. Open your web browser and enter the following in the address bar:
    2. http://<ip_of_your_ms_ca_server>/certsrv/

      Where <ip_of_your_ms_ca_server> is the IP address of the Windows 2003 Server that hosts the local Certification Authority (CA).

    3. Log in to the CA server as administrator.
    4. The Microsoft Certificate Services (MSCS) home page for your local CA appears.

    5. Select the Download CA certificate link.
    6. The Download a CA Certificate page appears.

    7. Select Base64 as the CA certificate encoding method.
    8. Click Download CA certificate and choose a location to save the CA certificate.
    9. Proceed to Importing a CA certificate to FortiMail to import the CA certificate into the FortiMail unit.

    Importing a CA certificate to FortiMail

    Use this procedure to import a CA certificate that was downloaded in Downloading a CA certificate for FortiMail.

    Use the FortiMail web UI and the following procedure to import the CA certificate.

    1. From System > Certificate > CA Certificate, select the Import button.

    Creating email accounts on FortiMail for PKI users

    An email account must exist on the FortiMail unit for each PKI user. End-users cannot be authenticated using PKI if their email accounts do not exist on FortiMail, even if they have the required client certificate installed in their browsers.

    The FortiMail operation mode determines whether end user email accounts are created automatically by FortiMail (transparent and gateway modes) or whether the end-user accounts need to be created manually on FortiMail (server mode).

    If the FortiMail units is operating in server mode, see Configuring local user accounts (server mode only) to manually create end-user email accounts.

    If the FortiMail unit is operating in gateway or transparent mode, the FortiMail unit can be configured to store quarantined (spam) email. In this configuration, email accounts are created automatically on the FortiMail unit when it receives quarantined email. The quarantined email is stored in a bulk folder on the FortiMail unit. The email user can review, delete or release their quarantined email. For more information, see Managing the quarantines.

    Once the email accounts are created on FortiMail, proceed to Configuring PKI authentication.

    A PKI user can be either an individual email user, all email users associated with a specific domain, or a FortiMail administrator.

    Caution

    If PKI authentication is used for email users and for FortiMail administrators, ensure that unique PKI users are created for the administrator accounts, and those PKI users are associated with the appropriate administrator accounts. For more information, see Configuring PKI access for administrators.

    Failure to create unique PKI users for administrators could result in email user access to administrator functions.

    Once the PKI user is created on FortiMail, proceed to Configuring policy for PKI access to webmail (server mode).

    Configuring policy for PKI access to webmail (server mode)

    Use this procedure to configure a recipient based policy for email access using PKI authentication.

    This procedure applies only if the FortiMail unit is operating in server mode. In server mode, PKI users can access all email, including quarantine email, stored on the FortiMail unit.

    If the FortiMail unit is operating in transparent or gateway mode, see Configuring policies for PKI access to email quarantine (transparent and gateway mode).

    1. Ensure that the CA certificate has been imported to the FortiMail unit. For more information, see Importing a CA certificate to FortiMail.
    2. Create a PKI user for each webmail user that requires access to regular email residing on the FortiMail unit (server mode). For more information, see Configuring PKI authentication.
    3. From Policy > Recipient Policy, select New to create a new recipient based policy, or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses.
    4. In the recipient based policy, expand Advanced Setting and configure the following:
    • Ensure the Enable PKI authentication for webmail access is enabled.
    • If desired, select a PKI user name from the drop-down list.
    Caution

    Ensure the PKI user is appropriate for the selected recipient. Choosing the wrong PKI user could result in email user access to administrator functions. For more information, see Configuring PKI authentication.

    • Ensure Certificate validation is mandatory is enabled. This will enforce PKI authentication for the specified PKI user.
  • Repeat steps From Policy > Recipient Policy, select New to create a new recipient based policy, or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses. and In the recipient based policy, expand Advanced Setting and configure the following: for each webmail PKI user.
  • If there are quarantine email PKI users to add, proceed to Configuring policies for PKI access to email quarantine (transparent and gateway mode). Otherwise, proceed to Configuring PKI access for administrators.
  • Configuring policies for PKI access to email quarantine (transparent and gateway mode)

    Use this procedure to configure a recipient-based policy for quarantine (spam) email access using PKI authentication.

    This procedure applies only if the FortiMail unit is operating in gateway or transparent modes. In gateway or transparent mode, the FortiMail unit can be configured to store regular email on an SMTP server and quarantine email in a bulk folder on the FortiMail unit. From the end-user perspective, connection to the regular email folders and bulk (quarantine) email folder is seamless, but the folders actually reside on two separate servers.

    For more information on storing quarantine email on FortiMail, see Managing the quarantines.

    To configure access to email quarantine using PKI
    1. Ensure that the CA certificate has been imported to the FortiMail unit. For more information, see Importing a CA certificate to FortiMail.
    2. Create a PKI user for each email user that requires access to quarantine email. For more information, see Configuring PKI authentication.
    3. From Policy > Recipient Policy, select New to create a new recipient based policy for quarantined email or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses.
    4. Expand Advanced Setting and configure the following:
    • Ensure the Enable PKI authentication for webmail access is enabled.
    • If desired, select a PKI user name from the drop-down list.
    Caution

    Ensure the PKI user is appropriate for the selected recipient. Choosing the wrong PKI user could result in email user access to administrator functions.

    • Ensure Certificate validation is mandatory is enabled. This will enforce PKI authentication for the specified PKI user.
  • Repeat steps From Policy > Recipient Policy, select New to create a new recipient based policy for quarantined email or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses. and Expand Advanced Setting and configure the following: for each PKI user that requires access to quarantine email.
  • Proceed to Configuring PKI access for administrators
  • Configuring PKI access for administrators

    Use this procedure to configure PKI authentication for administrative access to the FortiMail unit. This procedure applies only to administrators, and can be used if the FortiMail unit is operating server, transparent or gateway mode.

    1. Ensure that the CA certificate has been imported to the FortiMail unit. For more information, see Importing a CA certificate to FortiMail.
    2. Create a PKI user for each administrator that requires to access FortiMail administrative functions. For more information, see Configuring PKI authentication.
    3. From System > Administrator, select an existing administrator or create a new administrator account for which PKI authentication will be used. For more information, see Configuring administrator accounts and access profiles.
    4. In the Administer window, configure the following:
    • Select PKI from the Auth type drop-down list.
    • Select the appropriate PKI user name from the PKI user drop-down list.
  • Repeat steps From System > Administrator, select an existing administrator or create a new administrator account for which PKI authentication will be used. For more information, see Configuring administrator accounts and access profiles. and In the Administer window, configure the following: for each administrative PKI user.
  • Return to the Enabling PKI authentication globally with CLI.
  • Enabling PKI authentication globally with CLI

    Use this procedure to enable PKI authentication globally. PKI authentication is enabled globally using the command line interface (CLI). Using CLI ensure that PKI authentication is enabled for all domains.

    For more information on CLI commands, see the FortiMail CLI Reference.

    To enable PKI authentication with CLI
    1. Open a CLI session on the FortiMail unit.
    2. Enter the following CLI commands:

    config system global

    set pki-mode enable

    end

      PKI authentication is now enabled for all designated users (email and administrator) and domains.

      From this point forward, when email users access their webmail, or when administrators connect to the FortiMail unit, they will be prompted to confirm their client certificate when connecting to FortiMail.

      Proceed to Testing PKI authentication to validate that PKI authentication is working properly.

    Testing PKI authentication

    Comment: Procedure is based on original Webmail PKI Tech Note, Appendix steps 7.

    Use this procedure to test whether PKI authentication is working properly.

    To test PKI authentication
    1. From a client browser that has been configured for PKI authentication, enter the URL of the webmail server.
    2. Verify that a Confirm Certificate prompt appears.
    3. If the Confirm Certificate prompt appears, select OK and go to step The user is automatically logged on. The FortiMail webmail account and all appropriate folder appear in their browser..
    4. If the certificate confirmation prompt does not appears, it might be because the FortiMail HHTP server has not yet loaded the new settings. Enter the following CLI command to manually enforce a reload of the configuration.

      execute reload

    5. Return to step From a client browser that has been configured for PKI authentication, enter the URL of the webmail server. and try the URL again.
    6. The user is automatically logged on. The FortiMail webmail account and all appropriate folder appear in their browser.
    7. This confirms that the certificate bound to the end-user browser is valid, and that PKI authentication is working properly.

      All users and administrators configured for PKI authentication can now log in to FortiMail without password.