Administration Guide

Configuring certificate bindings

Go to Encryption > S/MIME > Certificate Binding to create certificate binding profiles. A binding establishes the relationship between an email address and the certificate that:

  • proves an individual’s identity
  • provides their keys for use with encryption profiles

FortiMail uses this relationship and the key material it provides for secure MIME (S/MIME), as per RFC 2634.

If an incoming email message is encrypted, FortiMail compares the recipient’s identity with the list of certificate bindings to determine if it has a key that can decrypt the email. If it has a matching private key, it will decrypt the email before delivering it. If it does not, it forwards the still-encrypted email to the recipient.

If you have selected an encryption profile with encryption action in the message delivery rule that applies to the session, the FortiMail unit compares the recipient’s identity with the list of certificate bindings to determine if it has a certificate and public key. If it has a matching public key, it will encrypt the email using the algorithm specified in the encryption profile (see Configuring encryption profiles). If it does not, it performs the failure action indicated in the encryption profile.

If an incoming email message is digitally signed, FortiMail will not verify the signature. Instead, it will deliver the message unmodified. The email clients usually do the verification.

If you have selected an encryption profile with signing action in the message delivery rule that applies to the session, the FortiMail unit compares the sender’s identity with the list of certificate bindings to determine if it has a certificate and private key. If it has a matching private key, it will add a digital signature using the algorithm specified in the encryption profile (see Configuring encryption profiles). If it does not, it performs the failure action indicated in the encryption profile.

The FortiMail unit does not check if an outgoing email is already encrypted. Email clients can apply their own additional layer of S/MIME encryption if they want to (such as if they require non-repudiation) before they submit email for delivery through the FortiMail unit.

The destination of an S/MIME email can be another FortiMail unit, for gateway-to-gateway S/MIME, but it could alternatively be any email gateway or server, as long as one of the following supports S/MIME and possesses the sender’s certificate and public key:

  • the destination’s MTA or mail server
  • the recipient’s MUA

This is necessary to decrypt the email; otherwise, the recipient cannot read the email.

Before any personal certificate that you upload will be valid for use, you must upload the certificate of its signing certificate authority (CA). For details, see Managing certificate authority certificates.

To view and configure certificate bindings
  1. Go to Encryption > S/MIME > Certificate Binding.
  2. Review the list of existing bindings. Its columns are:

     Profile ID: Displays the name of the profile.

     Address Pattern: Displays the email address or domain associated with the identity represented by the personal or server certificate.

     Key Usage: Displays whether the key is for encryption, signing, or encryption and signing.

     Identity: Displays the identity, often a first and last name, included in the common name (CN) field of the Subject of the personal or server certificate.

     Private Key: Displays the private key associated with the identity, used to decrypt and sign email from that identity.

     Valid From: Displays the start of the period during which the certificate and its keys are valid for signing and encryption.

     Valid To: Displays the end date of the certificate’s validity period. After this date and time, the certificate expires, although the keys may be retained for decrypting and reading email that was signed and encrypted previously.

     Status: Indicates whether the certificate is not yet valid, valid, or expired, based on the current system time and the certificate’s validity period.

     (Green dot in column heading): Indicates whether the entry is currently referenced by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  3. Either click New to add a profile or double-click a profile to modify it.
  4. In Address Pattern, enter the email address or email domain for which you want to use the certificate in this binding. For example, you might bind a personal certificate for User1 to the email address user1@example.com.
  5. From Key type, select what kind of keys you want to upload. If you only have a public key, you can only use it to encrypt email. If you have a public and private key pair, you can use them to encrypt email (with the public key), decrypt email (with the private key), or digitally sign email (with the private key).
  6. Select one of the following ways to either import and bind a personal certificate, or to bind an existing server certificate:
  • Import PKCS12 file: Upload and bind a personal certificate-and-key file in Public Key Cryptography Standard #12 (PKCS #12) format, a password-protected file format (.p12).
  • Import PEM files: Upload and bind a personal certificate together with its public and private keys in Privacy-Enhanced Mail (PEM) format, a password-protected file format (.pem).
  • Choose from local certificate list: Bind a server certificate that you have previously uploaded to the FortiMail unit. For details, see Managing local certificates.

     Depending on your selection in Import key from, either upload the personal certificate files and enter their password, or select the name of a local certificate from Select local certificate list.

     If a certificate import does not succeed and event logging is enabled, examine the event log messages to determine the cause of the failure. Log messages may indicate errors such as an unsupported password-based encryption (PBE) algorithm:

     PKCS12 Import: err=0x6074079: digital envelope routines / EVP_PBE_CipherInit / unknown pbe algorithm

     Note

     For best results, use 3DES with SHA1. RC2 is not supported.

  7. Click Create.

Certificate bindings are used automatically as needed by matching message delivery rules in which you have selected an encryption profile. For details, see Using S/MIME encryption, Configuring encryption profiles and Configuring delivery rules. They are also used by content profiles and, through them, by the policies that use the content profile.
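As an added example (not Fortinet's or FortiMail's code), the following Python script checks a .p12 file before you upload it: it walks the file's DER structure using only the standard library, lists the PBE algorithm identifiers it finds, and flags them against the note above. Only 3DES with SHA1 (supported) and RC2 (unsupported) are stated by this guide; any other algorithm, such as the PBES2 default of current OpenSSL, is reported as unknown, and the sample input at the end is a constructed fragment rather than a real PKCS #12 file.

```python
# PKCS#12 PBE algorithm OIDs. Status follows the note above (3DES with SHA1 works,
# RC2 does not); any other PBE algorithm found is reported as 'unknown'.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", "supported"),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", "unsupported"),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + cipher, the OpenSSL 3 default)", "unknown"),
}

def _tlv(buf, pos, end):                       # one DER header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("DER element overruns its container")
    return tag, pos, pos + length

def _oid(data):                                # OBJECT IDENTIFIER contents -> dotted form
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:                         # later arcs are base-128, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def find_oids(buf, start=0, end=None):
    """Collect every OID in a DER blob, descending into constructed elements and into OCTET
    STRINGs that parse as DER (PKCS#12 nests its AuthenticatedSafe that way); opaque bytes are skipped."""
    end, pos, oids = len(buf) if end is None else end, start, []
    while pos < end:
        tag, vs, ve = _tlv(buf, pos, end)
        if tag == 0x06:
            oids.append(_oid(buf[vs:ve]))
        elif tag & 0x20:                       # SEQUENCE, SET, [n] constructed
            oids.extend(find_oids(buf, vs, ve))
        elif tag == 0x04:
            try:
                oids.extend(find_oids(buf, vs, ve))
            except (ValueError, IndexError):
                pass                           # salt, digest or ciphertext, not nested DER
        pos = ve
    return oids

def check_pbe(der_bytes):                      # -> [(oid, name, status)] for each PBE algorithm
    return [(o,) + PBE_OIDS[o] for o in find_oids(der_bytes) if o in PBE_OIDS]

# Constructed sample, not a real .p12: an RC2-40 AlgorithmIdentifier {OID, {salt, 2048}} at top level, a 3DES-SHA1 one nested inside an OCTET STRING, and an opaque OCTET STRING.
_PARAMS = "300e0408aabbccddeeff001102020800"
SAMPLE = bytes.fromhex("3043" + "301c060a2a864886f70d010c0106" + _PARAMS
                       + "041e301c060a2a864886f70d010c0103" + _PARAMS + "0403aabbcc")
```

To check a real file, call check_pbe(open('bundle.p12', 'rb').read()); if it reports RC2 or an unknown algorithm, re-export the bundle with 3DES and SHA1 (with OpenSSL: pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1) before importing.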

    See also

    Configuring encryption profiles