Configuring PKI authentication on FortiMail
This section provides an example process for configuring PKI authentication on FortiMail.
The process described in this section is an example of one specific method for configuring PKI authentication on FortiMail. This process is not intended to replace the generic FortiMail PKI configuration procedures provided in other parts of this Administration Guide, or local operating practices. |
The procedures in this document are intended for FortiMail administrators responsible for requesting, generating and delivering signed certificates on behalf of all end-users to enable PKI authentication on FortiMail.
Before you begin
When PKI authentication is configured and enabled, client certificates enable the administrator to access the GUI and the end-user to access webmail. This section includes procedures to create server certificates to enable the FortiMail unit to communicate with other devices using PKI authentication (that is, an SMTP server), create and distribute client certificates, and to configure and enable PKI authentication on the FortiMail unit for the users.
This document assumes that you have configured your CA server and are running your own local certification authority (CA). Generating certificates through a commercial CA is not included in this document.
The tasks involved in configuring PKI authentication on FortiMail require a thorough understanding of public-key cryptography, security certificates and certification processes.
The procedures in this document use tools such as Microsoft Management Console (MMC) and the Microsoft Certificate Service (MSCS) to generate certificates for PKI authentication on FortiMail. These tools enable the administrator to create customized client certificates on behalf of all end-users.
Once a client certificate is generated, the administrator must export and transmit that client certificate to the appropriate end-user, and instruct the end-user how to import the client certificate into their browser.
All client certificates and related private keys (usually saved in PKCS12 format) must be stored securely to prevent unauthorized use of the private key and client certificate.
PKI configuration work flow
Example PKI configuration work flow is a work flow diagram that shows an example method for requesting, generating and delivering client certificates to FortiMail end-users and administrators, and for configuring the FortiMail unit for PKI authentication. The procedures cover PKI authentication requirements for FortiMail server, transparent and gateway operation modes. Each block in the work flow diagram is supported by a detailed procedure to complete the task.
Perform the tasks in the order specified by the work flow diagram.
Prerequisites
Ensure that you have completed the following before performing any PKI configuration tasks:
- Read Before you begin.
- Installed Windows Server 2003, Enterprise Edition.
- Configured a Windows Server 2003 server as a stand-alone certification authority (CA).
- Have access to Microsoft Internet Explorer version 7 or higher.
- Installed Microsoft Certificate Services (MSCS) with web enrollment on the CA server.
Example PKI configuration work flow
Creating a custom certificate request template using MMC
Use this procedure to create a custom certificate request template using the Microsoft Management Console (MMC).
MMC comes with a variety of certificate templates. However, none of those templates are designed to meet the specific needs of FortiMail. A custom certificate template includes all information required by the FortiMail certification authority (CA) server to establish the identity of the client and create trusts for the secure exchange of information.
The custom certificate request template removes ambiguity and enables administrators to create certificate signature requests (CSR) specifically for FortiMail clients (that is, email users and administrators).
The custom certificate template is created using the MMC Certificate Template snap-in.
Before you begin this procedure, refer to Prerequisites.
To create a custom certificate template
- Log in to the local certificate authority (CA) server and start MMC (on the Start Menu, click Run, type MMC, and then click OK).
- In the Console Root folder, add the Certificate Template and Certificate Authority snap-ins.
- Select the Certificate Templates snap-in from the Console Root folder.
- In the right pane, right-click User in the Template Display Name column and select Duplicate Template from the dropdown menu.
- On the General tab, fill in the template name, validity period and renewal period according to your specific requirements.
- On the Request Handling tab, select Signature and encryption in the Purpose field.
- On the Subject Name tab, select Supply in the request. A subject name must be supplied in the request because the default subject name does not work with FortiMail.
- On the Security tab, select Administrator and select (check) Allow as the Enroll Permission for Administrator.
- On the Extensions tab, select Application Policies and verify that Client Authentication appears in Description of Application Policies.
- On the Superseded Templates tab, select User in the Certificate templates area. This is the template that will be used as a base for the new template.
- Leave the remainder of the settings on the Properties of New Template window as their default values and click OK.
- Select the Certificate Authority snap-in from the Console Root folder.
- Right-click Certificate Template and select New > Certificate Template to Issue.
- Select the new template created in step On the General tab, fill in the template name, validity period and renewal period according to your specific requirements. and click OK.
- Once the custom template installed, you can proceed to Requesting a client certificate to create client certificates, or Downloading a CA certificate for FortiMail to configure FortiMail.
The Properties of New Template window appears.
The new template is created and stored on the local certificate authority (CA) server.
The Enable Certificate Templates window appears.
The new custom template is now installed on the local certificate authority (CA).
Requesting a client certificate
Use this procedure to request a client certificate using the Microsoft Certificate Services (MSCS) web enrollment tool.
A client certificate is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key.
Certificates are generally used to establish identity and create trusts for the secure exchange of information. Therefore, certification authorities (CAs) can issue certificates to people, such as FortiMail end-users, and to devices, such as the FortiMail unit itself when acting as a client of an SMTP mail server.
The entity that receives the certificate is the subject of the certificate. The issuer and signer of the certificate is a certification authority (CA).
Typically, certificates contain the following information:
- The subject's public key value.
- The subject's identifier information, such as the name and e-mail address.
- The validity period (the length of time that the certificate is considered valid).
- Issuer identifier information.
- The digital signature of the issuer, which attests to the validity of the binding between the subject’s public key and the subject’s identifier information.
Every certificate contains Valid From and Valid To dates, which set the boundaries of the validity period. Once a certificate's validity period has passed, a new certificate must be requested by the subject of the now-expired certificate.
This document assumes all certificates are requested by the administrator on behalf of end-users. Certificate creation by individual end-users is beyond the scope of this document. If end users are permitted to create their own certificates, refer to the documentation accompanying the tools used by the end-user to create their own certificates. |
To create a client certificate
- Open your web browser and enter the following in the address bar:
- Log in to the CA server as administrator.
- Select the Request a certificate link.
- Click the Advanced certificate request link.
- Click Create and Submit a request to this CA link.
- In the Certificate Template dropdown list, select the new template created in Creating a custom certificate request template using MMC.
- Fill in the Name field with the email address of the end-user (subject) on behalf of which the client certificate request is being made.
- Click Submit to send a certificate signature request (CSR) to the CA server on behalf of the end-user.
- If a message appears, warning you that the Website is requesting a new certification on your behalf, click Yes to proceed.
- Click the Install this certificate link to load the certificate into the certificate store on your browser.
- If a message appears, warning you that the web site is adding one or more certificates to your computer, click Yes to proceed.
- Return to the Microsoft Certificate Services (MSCS) home page for your local CA and repeat steps Select the Request a certificate link. through If a message appears, warning you that the web site is adding one or more certificates to your computer, click Yes to proceed. for each end-user that will communicate with FortiMail using PKI authentication.
- Proceed to Exporting a client certificate to export and transmit the client certificate to the end-user.
http://<ip_of_your_ms_ca_server>/certsrv/
Where <ip_of_your_ms_ca_server>
is the IP address of the Windows 2003 Server that hosts the local Certification Authority (CA).
The Microsoft Certificate Services home page for your local CA appears.
The Request a Certificate page appears.
The Advanced Certificate Request page appears.
The Certificate Request Template appears.
For the purposes of FortiMail, the Name field must exactly match the email address of the end-user recorded in the FortiMail unit. For more information, see Creating email accounts on FortiMail for PKI users. |
Once the CA server completes processing the request, the Certificate Issued window appears.
The Certificate Installed window appears.
The client certificate is now stored in certificate store on your browser. The certificate is stored with the name specified in steps Fill in the Name field with the email address of the end-user (subject) on behalf of which the client certificate request is being made..
Exporting a client certificate
Use this procedure to export and transmit a client certificate created in Requesting a client certificate to the appropriate end-user.
The client certificate must reside in the certificate store of the end-user computer before the end-user can connect to the FortiMail unit using PKI authentication.
To export and transmit the client certificate
- Open your browser, and select Tools > Internet Options > Content > Certificates.
- Select the Personal tab to display a list of the client certificates created in Requesting a client certificate.
- Select a client certificate from the list and click Export to export the certificate.
- Click Next to continue from the Certificate Export welcome page.
- Select Yes, export the private key and select Next.
- Select Personal Information Exchange - PKCS #12 (.PFX) as the file format.
- Select Enable strong protection for the password and select Next.
- Enter and confirm a password for the certificate and select Next.
- Enter a unique file name for the certificate and browse to the location where you want to save the exported certificate and private key.
- When Completing Certificate Export Wizard appears, click Finish to export the certificate and private key to the location specified in step Enter a unique file name for the certificate and browse to the location where you want to save the exported certificate and private key..
- Transmit the certificate .pfx file to the end-user, along with instructions on what the user has to do to install the certificate on their web browser.
- Proceed to Importing a client certificate to an end-user browser to import the certificate .pfx file on the end-user browser.
The Certificates window appears.
The Certificate Export Wizard welcome page appears.
The Export Private Key window appears.
You must export the private key at the same time as the certificate. The private key is associated with a specific end-user, and contains information used by the certification authority to authenticate the end-user. Private keys must be password protected, and must be securely transmitted to end-users. |
The Export File Format window appears.
The Password selection window appears.
The File name window appears.
For clarity, a consistent naming convention should be used for client certificate names, email account names, PKI user names and recipient base policy names. This will help associate specific users with the various components of PKI authentication. |
The certificate and private key are exported to the specified location as a single file with a .pfx extension.
Importing a client certificate to an end-user browser
Use this procedure to import the client certificate into the end-user browser. The certificate is transmitted from the administrator in a .pfx file, using the procedure Exporting a client certificate.
The following is a generic procedure for importing a certificate into a browser. You must provide the end-user with specific instructions for importing the certificate according to browser type/version and local operating procedures. |
To import a client certificate into Internet Explorer
- Retrieve the .pfx file that was transmitted to the end-user from the administrator and store the file in a folder that is accessible from the end-user computer.
- Open an IE browser on the end-user computer, and select Tools > Internet Options > Content > Certificates and select the Personal tab.
- Open the Personal tab and select Import.
- Click Next to continue from the Certificate Import welcome page.
- Select Browse and ensure that the Files of type is set to Personal Information Exchange (*.pfx, *.p12), or All Files (*.*), or whatever file format was used to export the certificate in Exporting a client certificate.
- Browse to the location on the end-user computer where the .pfx file is stored, select the certificate file and select Open.
- The path to the certificate location appears in the File to Import window. Select Next.
- Type the password supplied by the administrator that is used to retrieve the private key and select Next.
- Select the Place all certificates in the following store button, browse to the Personal Certificate Store and select Next.
- When Completing Certificate Import Wizard appears, click Finish to import the certificate and private key to the location specified in step Select the Place all certificates in the following store button, browse to the Personal Certificate Store and select Next..
- Proceed to Creating email accounts on FortiMail for PKI users.
The Certificates window appears.
The Certificate Import Wizard welcome page appears.
The File to Import window appears.
The Password window appears.
The Certificate Store window appears.
The certificate and private key are now imported to the Personal certificate store in the end-user browser. The browser is now has the appropriate client certificate for PKI authentication on the FortiMail unit.
Downloading a CA certificate for FortiMail
Use this procedure to download a CA certificate from your CA server to your local certificate store. The CA certificate will then be imported to FortiMail and used as part of the client authentication process when end-users connect to FortiMail.
To download a CA certificate
- Open your web browser and enter the following in the address bar:
- Log in to the CA server as administrator.
- Select the Download CA certificate link.
- Select Base64 as the CA certificate encoding method.
- Click Download CA certificate and choose a location to save the CA certificate.
- Proceed to Importing a CA certificate to FortiMail to import the CA certificate into the FortiMail unit.
http://<ip_of_your_ms_ca_server>/certsrv/
Where <ip_of_your_ms_ca_server>
is the IP address of the Windows 2003 Server that hosts the local Certification Authority (CA).
The Microsoft Certificate Services (MSCS) home page for your local CA appears.
The Download a CA Certificate page appears.
Importing a CA certificate to FortiMail
Use this procedure to import a CA certificate that was downloaded in Downloading a CA certificate for FortiMail.
Use the FortiMail GUI and the following procedure to import the CA certificate.
- From System > Certificate > CA Certificate, select the Import button.
Creating email accounts on FortiMail for PKI users
An email account must exist on the FortiMail unit for each PKI user. End-users cannot be authenticated using PKI if their email accounts do not exist on FortiMail, even if they have the required client certificate installed in their browsers.
The FortiMail operation mode determines whether end user email accounts are created automatically by FortiMail (transparent and gateway modes) or whether the end-user accounts need to be created manually on FortiMail (server mode).
If the FortiMail units is operating in server mode, see Configuring local user accounts (server mode only) to manually create end-user email accounts.
If the FortiMail unit is operating in gateway or transparent mode, the FortiMail unit can be configured to store quarantined (spam) email. In this configuration, email accounts are created automatically on the FortiMail unit when it receives quarantined email. The quarantined email is stored in a bulk folder on the FortiMail unit. The email user can review, delete or release their quarantined email. For more information, see Managing the quarantines.
Once the email accounts are created on FortiMail, proceed to Configuring PKI authentication.
A PKI user can be either an individual email user, all email users associated with a specific domain, or a FortiMail administrator.
If PKI authentication is used for email users and for FortiMail administrators, ensure that unique PKI users are created for the administrator accounts, and those PKI users are associated with the appropriate administrator accounts. For more information, see Configuring PKI access for administrators. Failure to create unique PKI users for administrators could result in email user access to administrator functions. |
Once the PKI user is created on FortiMail, proceed to Configuring policy for PKI access to webmail (server mode).
Configuring policy for PKI access to webmail (server mode)
Use this procedure to configure a recipient based policy for email access using PKI authentication.
This procedure applies only if the FortiMail unit is operating in server mode. In server mode, PKI users can access all email, including quarantine email, stored on the FortiMail unit.
If the FortiMail unit is operating in transparent or gateway mode, see Configuring policies for PKI access to email quarantine (transparent and gateway mode).
- Ensure that the CA certificate has been imported to the FortiMail unit. For more information, see Importing a CA certificate to FortiMail.
- Create a PKI user for each webmail user that requires access to regular email residing on the FortiMail unit (server mode). For more information, see Configuring PKI authentication.
- From Policy > Recipient Policy, select New to create a new recipient based policy, or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses.
- In the recipient based policy, expand Advanced Setting and configure the following:
- Ensure the Enable PKI authentication for webmail access is enabled.
- If desired, select a PKI user name from the dropdown list.
Ensure the PKI user is appropriate for the selected recipient. Choosing the wrong PKI user could result in email user access to administrator functions. For more information, see Configuring PKI authentication. |
- Ensure Certificate validation is mandatory is enabled. This will enforce PKI authentication for the specified PKI user.
Configuring policies for PKI access to email quarantine (transparent and gateway mode)
Use this procedure to configure a recipient-based policy for quarantine (spam) email access using PKI authentication.
This procedure applies only if the FortiMail unit is operating in gateway or transparent modes. In gateway or transparent mode, the FortiMail unit can be configured to store regular email on an SMTP server and quarantine email in a bulk folder on the FortiMail unit. From the end-user perspective, connection to the regular email folders and bulk (quarantine) email folder is seamless, but the folders actually reside on two separate servers.
For more information on storing quarantine email on FortiMail, see Managing the quarantines.
To configure access to email quarantine using PKI
- Ensure that the CA certificate has been imported to the FortiMail unit. For more information, see Importing a CA certificate to FortiMail.
- Create a PKI user for each email user that requires access to quarantine email. For more information, see Configuring PKI authentication.
- From Policy > Recipient Policy, select New to create a new recipient based policy for quarantined email or Edit to change an existing policy. For more information on recipient base policies, see Controlling email based on sender and recipient addresses.
- Expand Advanced Setting and configure the following:
- Ensure the Enable PKI authentication for webmail access is enabled.
- If desired, select a PKI user name from the dropdown list.
Ensure the PKI user is appropriate for the selected recipient. Choosing the wrong PKI user could result in email user access to administrator functions. |
- Ensure Certificate validation is mandatory is enabled. This will enforce PKI authentication for the specified PKI user.
Configuring PKI access for administrators
Use this procedure to configure PKI authentication for administrative access to the FortiMail unit. This procedure applies only to administrators, and can be used if the FortiMail unit is operating server, transparent or gateway mode.
- Ensure that the CA certificate has been imported to the FortiMail unit. For more information, see Importing a CA certificate to FortiMail.
- Create a PKI user for each administrator that requires to access FortiMail administrative functions. For more information, see Configuring PKI authentication.
- From System > Administrator, select an existing administrator or create a new administrator account for which PKI authentication will be used. For more information, see Configuring administrator accounts and access profiles.
- In the Administer window, configure the following:
- Select PKI from the Auth type dropdown list.
- Select the appropriate PKI user name from the PKI user dropdown list.
Enabling PKI authentication globally with CLI
Use this procedure to enable PKI authentication globally. PKI authentication is enabled globally using the command line interface (CLI). Using CLI ensure that PKI authentication is enabled for all domains.
For more information on CLI commands, see the FortiMail CLI Reference.
To enable PKI authentication with CLI
- Open a CLI session on the FortiMail unit.
- Enter the following CLI commands:
config system global
set pki-mode enable
end
PKI authentication is now enabled for all designated users (email and administrator) and domains.
From this point forward, when email users access their webmail, or when administrators connect to the FortiMail unit, they will be prompted to confirm their client certificate when connecting to FortiMail.
Proceed to Testing PKI authentication to validate that PKI authentication is working properly.
Testing PKI authentication
Comment: Procedure is based on original Webmail PKI Tech Note, Appendix steps 7.
Use this procedure to test whether PKI authentication is working properly.
To test PKI authentication
- From a client browser that has been configured for PKI authentication, enter the URL of the webmail server.
- Verify that a Confirm Certificate prompt appears.
- If the Confirm Certificate prompt appears, select OK and go to step The user is automatically logged on. The FortiMail webmail account and all appropriate folder appear in their browser..
- Return to step From a client browser that has been configured for PKI authentication, enter the URL of the webmail server. and try the URL again.
- The user is automatically logged on. The FortiMail webmail account and all appropriate folder appear in their browser.
If the certificate confirmation prompt does not appears, it might be because the FortiMail HHTP server has not yet loaded the new settings. Enter the following CLI command to manually enforce a reload of the configuration.
execute reload
This confirms that the certificate bound to the end-user browser is valid, and that PKI authentication is working properly.
All users and administrators configured for PKI authentication can now log in to FortiMail without password.