The FortiMail PKI architecture ensures that users present the necessary certificates before communication between the user and FortiMail starts. The two parties exchange certificates and verify the following:
- the certificate is issued by a trusted CA
- the claimed identity matches the one in the certificate
- the certificate has not expired
- the type/usage recorded in the certificate matches the intended usage

The diagram below illustrates a typical FortiMail PKI architecture.
PKI supports standards for Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP). Those standards are beyond the scope of this document. For more information on those standards, see RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
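
The four certificate checks listed earlier can be reproduced with the OpenSSL command line on a throwaway PKI, with one failing case per check. This is an added example, not FortiMail code or configuration. The lab CA, the alice@example.com identity, the file names, the `sslclient` purpose and OpenSSL 1.1.1 or later on the PATH are assumptions; revocation (CRL/OCSP) is not checked here.

```sh
#!/bin/sh
# Added example on a constructed lab PKI; all names and files are made up.
# req: shared "openssl req" options; LAB is set by make_lab_pki.
req() { openssl req -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }

make_lab_pki() {   # $1 = empty working directory
  LAB=$1
  cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Lab Root CA
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:alice@example.com
EOF
  # Trusted CA, an unrelated CA, and a 30-day client certificate for alice.
  req -x509 -extensions ca -days 30 -keyout "$LAB/ca.key" -out "$LAB/ca.pem" &&
  req -x509 -extensions ca -days 30 -subj "/CN=Other CA" \
      -keyout "$LAB/other.key" -out "$LAB/other.pem" &&
  req -new -subj "/CN=alice" -keyout "$LAB/alice.key" -out "$LAB/alice.csr" &&
  openssl x509 -req -in "$LAB/alice.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
      -CAcreateserial -days 30 -extfile "$LAB/lab.cnf" -extensions client \
      -out "$LAB/alice.pem" 2>/dev/null
}

# check_cert CA_FILE EMAIL PURPOSE UNIX_TIME CERT
# Exit status 0 only if issuer, identity, validity period and usage all verify.
check_cert() {
  openssl verify -CAfile "$1" -verify_email "$2" -purpose "$3" -attime "$4" "$5" \
    >/dev/null 2>&1
}
verdict() { if check_cert "$@"; then echo accept; else echo reject; fi; }

report() {   # $1 = directory prepared by make_lab_pki; one line per check
  now=$(date +%s); later=$((now + 400 * 86400)); a=alice@example.com
  echo "all four hold:  $(verdict "$1/ca.pem" $a sslclient "$now" "$1/alice.pem")"
  echo "untrusted CA:   $(verdict "$1/other.pem" $a sslclient "$now" "$1/alice.pem")"
  echo "wrong identity: $(verdict "$1/ca.pem" bob@example.com sslclient "$now" "$1/alice.pem")"
  echo "after expiry:   $(verdict "$1/ca.pem" $a sslclient "$later" "$1/alice.pem")"
  echo "wrong usage:    $(verdict "$1/ca.pem" $a sslserver "$now" "$1/alice.pem")"
}

dir=$(mktemp -d) && make_lab_pki "$dir" && report "$dir"
```

Only the first line of the report should read `accept`; the expiry case is simulated by verifying at a time 400 days ahead with `-attime` rather than by issuing an already expired certificate.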