Fortinet white logo
Fortinet white logo

Administration Guide

Configuring certificate bindings

Configuring certificate bindings

Go to Encryption > S/MIME > Certificate Binding to create certificate binding profiles, which establish the relationship between an email address and the certificate that:

  • proves an individual’s identity
  • provides their keys for use with encryption profiles

Use this relationship and that information for secure MIME (S/MIME) according to RFC 2634.

If an incoming email message is encrypted, FortiMail compares the recipient’s identity with the list of certificate bindings to determine if it has a key that can decrypt the email. If there is a matching private key, FortiMail will decrypt the email before delivering it. If there is not, then FortiMail forwards the still-encrypted email to the recipient.

If you have selected an encryption profile (see Configuring encryption profiles) with an encryption action in the message delivery rule that applies to the session, then FortiMail compares the recipient’s identity with the list of certificate bindings to determine if it has a certificate and public key. If there is a matching public key, then FortiMail will encrypt the email using the algorithm specified in the encryption profile. If there is not, then FortiMail performs the failure action indicated in the encryption profile.

If an incoming email message is digitally signed, FortiMail will not verify the signature. Instead, it will deliver the message unmodified. Email clients usually do the verification.

If you have selected an encryption profile with signing action in the message delivery rule that applies to the session, then FortiMail compares the sender’s identity with the list of certificate bindings to determine if it has a certificate and private key. If there is a matching private key, it will add a digital signature using the algorithm specified in the encryption profile. If there is not, then FortiMail performs the failure action indicated in the encryption profile.

FortiMail does not check if an outgoing email is already encrypted. Email clients optionally can apply their own additional layer of S/MIME encryption (such as if they require non-repudiation) before they submit email for delivery through FortiMail.

The destination of an S/MIME email can be another FortiMail, for gateway-to-gateway S/MIME, but it could alternatively be any email gateway or server, as long as one of the following supports S/MIME and possesses the sender’s certificate and public key, either the:

  • destination’s mail relay or mail server
  • recipient’s email client

This is necessary to decrypt the email; otherwise, the recipient cannot read the email.

Before any personal certificate that you upload will be valid for use, you must upload the certificate of its signing certificate authority (CA). For details, see Managing certificate authority certificates.

To view and configure certificate binding

  1. Go to Encryption > S/MIME > Certificate Binding.
  2. GUI item

    Description

    Profile ID

    Displays the name of the profile.

    Address Pattern

    Displays the email address or domain associated with the identity represented by the personal or server certificate.

    Key Usage

    Displays if the key is for encryption, signing, or encryption and signing.

    Identity

    Displays the identity, often a first and last name, included in the common name (CN) field of the Subject line of the personal or server certificate.

    Private Key

    Displays the private key associated with the identity, used to decrypt and sign email from that identity.

    Valid From

    Displays the beginning date of the period of time during which the certificate and its keys are valid for use by signing and encryption.

    Valid To

    Displays the end date of the certificate’s period of validity. After this date and time, the certificate expires, although the keys may be retained for the purpose of decrypting and reading email that was signed and encrypted previously.

    Status

    Indicates whether the certificate is currently not yet valid, valid, or expired, depending on the current system time and the certificate’s validity period.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  3. Either click New to add a profile or double-click a profile to modify it.
  4. In Address Pattern, enter the email address or email domain that you want to use the certificate in this binding.

    For example, you might bind a personal certificate for User1 to the email address, user1@example.com.

  5. From Key type, select what kind of keys you want to upload. If you only have a public key, you can only use it to encrypt email. If you have a public key and private key pair, you can use them to encrypt email (with a public key), decrypt email (with a private key), or digitally sign email (with a private key).
  6. Select one of the following ways to either import and bind a personal certificate, or to bind an existing server certificate:

    • Import PKCS12 file: Upload and bind a personal certificate-and-key file that uses the public key cryptography standard #12 (PKCS #12), stored in a password-protected file format (.p12).
    • Import PEM files: Upload and bind a pair of personal certificates and public and private keys that use privacy-enhanced email (PEM), a password-protected file format (.pem).
    • Choose from local certificate list: Bind a certificate that you have previously uploaded to the FortiMail unit. For details, see Managing local certificates.
  7. Depending on your selection in Import key from, either upload the personal certificate files and enter their password, or select the name of a local certificate from Select local certificatelist.

    If a certificate import does not succeed and event logging is enabled, to determine the cause of the failure, you can examine the event log messages. Log messages may indicate errors such as an unsupported password-based encryption (PBE) algorithm:

    PKCS12 Import: err=0x6074079: digital envelope routines / EVP_PBE_CipherInit / unknown pbe algorithm

    Note

    For best results, use 3DES with SHA1. RC2 is not supported.

  8. Click Create.

    Certificate bindings will be used automatically as needed for matching message delivery rules in which you have selected an encryption profile. For details, see Using S/MIME encryption, Configuring encryption profiles, and Configuring delivery rules. It will also be used in the content profile and then in the policies which use the content profile.

See also

Configuring encryption profiles

Configuring certificate bindings

Configuring certificate bindings

Go to Encryption > S/MIME > Certificate Binding to create certificate binding profiles, which establish the relationship between an email address and the certificate that:

  • proves an individual’s identity
  • provides their keys for use with encryption profiles

Use this relationship and that information for secure MIME (S/MIME) according to RFC 2634.

If an incoming email message is encrypted, FortiMail compares the recipient’s identity with the list of certificate bindings to determine if it has a key that can decrypt the email. If there is a matching private key, FortiMail will decrypt the email before delivering it. If there is not, then FortiMail forwards the still-encrypted email to the recipient.

If you have selected an encryption profile (see Configuring encryption profiles) with an encryption action in the message delivery rule that applies to the session, then FortiMail compares the recipient’s identity with the list of certificate bindings to determine if it has a certificate and public key. If there is a matching public key, then FortiMail will encrypt the email using the algorithm specified in the encryption profile. If there is not, then FortiMail performs the failure action indicated in the encryption profile.

If an incoming email message is digitally signed, FortiMail will not verify the signature. Instead, it will deliver the message unmodified. Email clients usually do the verification.

If you have selected an encryption profile with signing action in the message delivery rule that applies to the session, then FortiMail compares the sender’s identity with the list of certificate bindings to determine if it has a certificate and private key. If there is a matching private key, it will add a digital signature using the algorithm specified in the encryption profile. If there is not, then FortiMail performs the failure action indicated in the encryption profile.

FortiMail does not check if an outgoing email is already encrypted. Email clients optionally can apply their own additional layer of S/MIME encryption (such as if they require non-repudiation) before they submit email for delivery through FortiMail.

The destination of an S/MIME email can be another FortiMail, for gateway-to-gateway S/MIME, but it could alternatively be any email gateway or server, as long as one of the following supports S/MIME and possesses the sender’s certificate and public key, either the:

  • destination’s mail relay or mail server
  • recipient’s email client

This is necessary to decrypt the email; otherwise, the recipient cannot read the email.

Before any personal certificate that you upload will be valid for use, you must upload the certificate of its signing certificate authority (CA). For details, see Managing certificate authority certificates.

To view and configure certificate binding

  1. Go to Encryption > S/MIME > Certificate Binding.
  2. GUI item

    Description

    Profile ID

    Displays the name of the profile.

    Address Pattern

    Displays the email address or domain associated with the identity represented by the personal or server certificate.

    Key Usage

    Displays if the key is for encryption, signing, or encryption and signing.

    Identity

    Displays the identity, often a first and last name, included in the common name (CN) field of the Subject line of the personal or server certificate.

    Private Key

    Displays the private key associated with the identity, used to decrypt and sign email from that identity.

    Valid From

    Displays the beginning date of the period of time during which the certificate and its keys are valid for use by signing and encryption.

    Valid To

    Displays the end date of the certificate’s period of validity. After this date and time, the certificate expires, although the keys may be retained for the purpose of decrypting and reading email that was signed and encrypted previously.

    Status

    Indicates whether the certificate is currently not yet valid, valid, or expired, depending on the current system time and the certificate’s validity period.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  3. Either click New to add a profile or double-click a profile to modify it.
  4. In Address Pattern, enter the email address or email domain that you want to use the certificate in this binding.

    For example, you might bind a personal certificate for User1 to the email address, user1@example.com.

  5. From Key type, select what kind of keys you want to upload. If you only have a public key, you can only use it to encrypt email. If you have a public key and private key pair, you can use them to encrypt email (with a public key), decrypt email (with a private key), or digitally sign email (with a private key).
  6. Select one of the following ways to either import and bind a personal certificate, or to bind an existing server certificate:

    • Import PKCS12 file: Upload and bind a personal certificate-and-key file that uses the public key cryptography standard #12 (PKCS #12), stored in a password-protected file format (.p12).
    • Import PEM files: Upload and bind a pair of personal certificates and public and private keys that use privacy-enhanced email (PEM), a password-protected file format (.pem).
    • Choose from local certificate list: Bind a certificate that you have previously uploaded to the FortiMail unit. For details, see Managing local certificates.
  7. Depending on your selection in Import key from, either upload the personal certificate files and enter their password, or select the name of a local certificate from Select local certificatelist.

    If a certificate import does not succeed and event logging is enabled, to determine the cause of the failure, you can examine the event log messages. Log messages may indicate errors such as an unsupported password-based encryption (PBE) algorithm:

    PKCS12 Import: err=0x6074079: digital envelope routines / EVP_PBE_CipherInit / unknown pbe algorithm

    Note

    For best results, use 3DES with SHA1. RC2 is not supported.

  8. Click Create.

    Certificate bindings will be used automatically as needed for matching message delivery rules in which you have selected an encryption profile. For details, see Using S/MIME encryption, Configuring encryption profiles, and Configuring delivery rules. It will also be used in the content profile and then in the policies which use the content profile.

See also

Configuring encryption profiles