CLI Reference

profile certificate-binding

Use this command to create certificate binding profiles, which establish the relationship between an email address and the certificate that:

  • proves an individual’s identity
  • provides their public (and, for protected domains, private) keys for use with encryption profiles

This relationship and information can then be used for secure MIME (S/MIME).

If an email is incoming to a protected domain and it uses S/MIME encryption, the FortiMail unit compares the sender’s identity with the list of certificate bindings to determine if it has a key that can decrypt the email. If it has a matching public key, it will decrypt the email before forwarding it. If it does not, it forwards the still-encrypted email to the recipient; the recipient’s MUA in that case must support S/MIME and possess the sender’s public key.

If an email is outgoing from a protected domain, and you have selected an encryption profile in the message delivery rule that applies to the session, the FortiMail unit compares the sender’s identity with the list of certificate bindings to determine if it has a certificate and private key. If it has a matching private key, it will encrypt the email using the algorithm specified in the encryption profile. If it does not, it performs the failure action indicated in the encryption profile.
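The two decisions just described (decrypt inbound mail when a usable key for the sender exists, encrypt outbound mail or fall back to the encryption profile's failure action) are modelled below in Python. This is an added illustration, not FortiMail code: the ordering rule (an exact-address binding wins over a domain binding), the rule that a signing-only binding is never used for encryption, and the dict shape of the encryption profile are assumptions, and every key string and address is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a model of the certificate-binding lookup described above.
# Not FortiMail code; the matching rules are assumptions stated in comments.


@dataclass
class CertificateBinding:
    profile_id: int
    address_pattern: str            # exact address ("alice@example.com") or domain ("example.com")
    key_public: Optional[str] = None
    key_private: Optional[str] = None
    key_usage: str = "encryption"   # default given in the reference table

    def is_exact(self) -> bool:
        """Assumption: a pattern containing '@' binds one address, otherwise a whole domain."""
        return "@" in self.address_pattern

    def matches(self, address: str) -> bool:
        addr = address.strip().lower()
        pat = self.address_pattern.strip().lower()
        if self.is_exact():
            return addr == pat
        return addr.endswith("@" + pat)

    def usable_for_encryption(self) -> bool:
        """Assumption: a signing-only binding is never used to encrypt or decrypt."""
        return self.key_usage in ("both", "encryption")


def find_binding(bindings: list, address: str) -> Optional[CertificateBinding]:
    """Assumption: an exact-address binding takes precedence over a domain binding."""
    best = None
    for b in bindings:
        if not b.matches(address):
            continue
        if best is None or (b.is_exact() and not best.is_exact()):
            best = b
    return best


def handle_incoming(bindings: list, sender: str, smime_encrypted: bool) -> str:
    """Inbound mail to a protected domain: decrypt when a usable key for the
    sender is bound, otherwise forward it still encrypted to the recipient."""
    if not smime_encrypted:
        return "forward"
    b = find_binding(bindings, sender)
    if b and b.usable_for_encryption() and (b.key_public or b.key_private):
        return "decrypt"
    return "forward-encrypted"


def handle_outgoing(bindings: list, sender: str, encryption_profile: Optional[dict]) -> str:
    """Outbound mail: only acts when the delivery rule selected an encryption
    profile (modelled as a dict with 'algorithm' and 'failure_action')."""
    if encryption_profile is None:
        return "deliver"
    b = find_binding(bindings, sender)
    if b and b.usable_for_encryption() and b.key_private:
        return "encrypt:" + encryption_profile["algorithm"]
    return "failure-action:" + encryption_profile["failure_action"]


# Constructed sample bindings; the key strings are placeholders, not real keys.
SAMPLE_BINDINGS = [
    CertificateBinding(1, "example.com", key_public="PUB-DOMAIN", key_usage="both"),
    CertificateBinding(2, "alice@example.com", key_private="PRIV-ALICE"),
    CertificateBinding(3, "bob@example.com", key_public="PUB-BOB", key_usage="signing"),
]
SAMPLE_PROFILE = {"algorithm": "AES-256", "failure_action": "drop"}  # constructed

if __name__ == "__main__":
    print(handle_incoming(SAMPLE_BINDINGS, "Alice@Example.com", True))            # decrypt
    print(handle_incoming(SAMPLE_BINDINGS, "bob@example.com", True))              # forward-encrypted
    print(handle_outgoing(SAMPLE_BINDINGS, "alice@example.com", SAMPLE_PROFILE))  # encrypt:AES-256
    print(handle_outgoing(SAMPLE_BINDINGS, "carol@example.com", SAMPLE_PROFILE))  # failure-action:drop
```

The bob case is the one worth checking in a real deployment: a binding that exists but has key-usage set to signing gives the same outcome as no binding at all, so mail that was expected to be decrypted or encrypted silently takes the fallback path.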

Syntax

config profile certificate-binding
    edit <profile_id>
        set address-pattern <pattern_str>
        set key-private <key_str>
        set key-public <key_str>
        set key-usage {both | encryption | signing}
        set password <pwd_str>
    end

Variable: <profile_id>
Description: Enter the ID number of the certificate binding profile.
Default: none

Variable: address-pattern <pattern_str>
Description: Enter the email address or domain associated with the identity represented by the personal or server certificate.
Default: none

Variable: key-private <key_str>
Description: Enter the private key associated with the identity, used to encrypt and sign email from that identity.
Default: none

Variable: key-public <key_str>
Description: Enter the public key associated with the identity, used to encrypt and sign email from that identity.
Default: none

Variable: key-usage {both | encryption | signing}
Description: Use the key for encryption, signing, or both.
Default: encryption

Variable: password <pwd_str>
Description: Enter the password for the personal certificate files.
Default: none
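A worked configuration that follows the syntax above, added here as an illustration rather than taken from Fortinet's documentation. The address is a constructed sample and the angle-bracket values are placeholders for your own key material and password:

```text
config profile certificate-binding
    edit 1
        set address-pattern alice@example.com
        set key-public <ALICE_PUBLIC_KEY>
        set key-private <ALICE_PRIVATE_KEY>
        set key-usage both
        set password <CERTIFICATE_FILE_PASSWORD>
    end
```

Because key-usage defaults to encryption, a binding created without that line is not used for signing; set both (or signing) explicitly when the profile is meant to sign outbound mail as well.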

Related topics

profile authentication

profile encryption
