
Administration Guide

Managing certificates

Managing certificates

You can use the System > Certificate submenu to generate certificate requests, install signed X.509 certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys.

FortiMail uses certificates for public key infrastructure (PKI) authentication in secure connections. PKI can authenticate a user, a server, or client software. When the connection is made, the software presents a certificate that asserts its identity, and the software on the other side verifies that the certificate is currently valid, is being used for its intended purpose, and has been cryptographically signed by a known, trusted certificate authority (CA). Depending on the connection, both the client and the server may be required to present certificates in order to authenticate each other.

Certificates can also be used for encryption. For an example of how to use certificates for PKI authentication of FortiMail administrators and email users, see Appendix F: PKI Authentication.

Depending on the features you use, you may need to configure multiple types of certificates on FortiMail.

Certificate type

Purpose

CA certificates

FortiMail uses its trusted CA certificates to verify the CA signature on certificates presented by client software (including the web browsers of administrators and webmail users). For details, see Configuring PKI authentication and Managing certificate authority certificates.

Server certificates

FortiMail must present its server certificate when a client requests a secure connection for the:

  • GUI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

For details, see Managing local certificates.

Client certificates

FortiMail must present its client certificate if another server requests that FortiMail identify itself during a secure connection for:

  • LDAPS
  • SSO

For details, see Managing local certificates and Configuring single sign-on (SSO).

Personal certificates

Mail users’ personal certificates are used for S/MIME encryption. For details, see Configuring certificate bindings.

This section contains the following topics:

  • Managing local certificates
  • Managing certificate authority certificates
  • Managing the certificate revocation list
  • Managing OCSP server certificates
  • Viewing trusted certificate authority certificates

Managing local certificates

System > Certificate > Local Certificate displays both signed certificates and unsigned certificate requests.

If you do not have a server certificate for FortiMail, you can generate a certificate signing request and, once a CA has signed it, import the certificate. This installs the certificate for local use by the FortiMail unit.

A FortiMail unit requires a local server certificate that it can present to prove its identity when clients request secure connections, including to the:

  • GUI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

A local client certificate may also be required if FortiMail makes secure connections to another server, where FortiMail must authenticate itself, such as in SSO and some LDAPS configurations. The certificate for SSO is not located together with other client certificates; instead see Configuring single sign-on (SSO).

GUI item

Description

View

(button)

Select a certificate and click View to display its issuer, subject, and range of dates within which the certificate is valid.

Delete

(button)

Removes the selected certificate.

Generate

(button)

Click to generate a local certificate request. For more information, see Generating a certificate signing request.

Download

(button)

Click the row of a certificate file or certificate request file in order to select it, then click this button to download a certificate (.cer) or certificate request (.csr) file. You can send the request to your certificate authority (CA) to obtain a signed certificate for the FortiMail unit. For more information, see Downloading a certificate signing request.

Set status

Click the row of a certificate in order to select it, then click this button to use it as the Default (that is, currently chosen for use) certificate. The Status column changes to indicate that the certificate is the current (Default) certificate.

This button is not available if the selected certificate is already Default.

Import

(button)

Click to import a signed certificate for local use. For more information, see Importing a certificate.

Name

Displays the name of the certificate file or certificate request file.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate.

If the certificate has not yet been signed, this field is empty.

Status

Displays the status of the local certificates or certificate signing request.

  • Default: Indicates that the certificate was successfully imported, and is currently selected for use by the FortiMail unit.
  • OK: Indicates that the certificate was successfully imported, but is not selected as the certificate currently in use. To use the certificate, click the row of the certificate in order to select it, then click Set status.
  • Pending: Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a local certificate. For details, see Installing a local certificate.

See also

Generating a certificate signing request

Downloading a certificate signing request

Importing a certificate

Installing a local certificate

To install a local certificate that FortiMail can use, either:

  • generate a certificate signing request on the FortiMail unit, download it, have a certificate authority (CA) sign it, and then import the signed certificate (see Generating a certificate signing request, Downloading a certificate signing request, Submitting a certificate request to your CA for signing, and Importing a certificate), or
  • import an existing certificate together with its private key, for example one generated on another system or restored from a backup (see Importing a certificate).

Generating a certificate signing request

You can generate a certificate signing request (CSR) file, based on the information you enter to identify the FortiMail unit. Certificate request files can then be submitted for verification and signing by a certificate authority (CA) in order to make a server certificate.

Alternatively, the key pair and certificate can be generated outside FortiMail, for example through a CA such as Microsoft Active Directory Certificate Services or an ACME client for Let's Encrypt; the resulting certificate and private key are then imported together as described in Importing a certificate. See your CA documentation.

To generate a certificate request on FortiMail

  1. Go to System > Certificate > Local Certificate.
  2. Click Generate.

    A dialog appears.

  3. Configure the following:

    GUI item

    Description

    Certificate name

    Enter a unique name for the certificate request, such as fmlocal.

    Subject Information

    Information that the certificate is required to contain in order to uniquely identify the FortiMail unit.

    ID type

    Select which type of identifier will be used in the certificate to identify the FortiMail unit:

    • Host IP
    • Domain name
    • E-mail

    Which type to select depends on whether your FortiMail unit has a static IP address, whether it has a fully-qualified domain name (FQDN), and on the primary intended use of the certificate. Clients compare the identifier in the certificate with the address they connected to, so choose the identifier that clients actually use.

    For example, if your FortiMail unit has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the GUI by the domain name of the FortiMail unit, you should generate a certificate based on the domain name of the FortiMail unit rather than its IP address.

    • Host IP requires that the FortiMail unit have a static, public IP address. It may be preferable if clients will be accessing the FortiMail unit primarily by its IP address.
    • Domain name requires that the FortiMail unit have a fully-qualified domain name (FQDN). It may be preferable if clients will be accessing the FortiMail unit primarily by its domain name.
    • E-mail does not require either a static IP address or a domain name. It may be preferable if the FortiMail unit does not have a domain name or public IP address.

    IP

    Enter the static IP address of the FortiMail unit.

    This option appears only if ID type is Host IP.

    Domain name

    Type the fully-qualified domain name (FQDN) of the FortiMail unit.

    The domain name may resolve to either a static IP address or, if the FortiMail unit is configured to use a dynamic DNS service, a dynamic one. For more information, see Configuring the network interfaces and Configuring dynamic DNS.

    If you cannot use a domain name and the FortiMail unit's public IP address is dynamic, a certificate issued for the Host IP stops matching whenever that address changes, and users' browsers will warn that the certificate cannot be verified.

    This option appears only if ID type is Domain name.

    E-mail

    Type the email address of the owner of the FortiMail unit.

    This option appears only if ID type is E-mail.

    Optional Information

    Information that you may include in the certificate, but which is not required.

    Organization unit

    Type the name of your organizational unit, such as the name of your department (Optional).

    To enter more than one organizational unit name, click the + icon, and enter each organizational unit separately in each field.

    Organization

    Type the legal name of your organization (Optional).

    Locality(City)

    Type the name of the city or town where the FortiMail unit is located (Optional).

    State/Province

    Type the name of the state or province where the FortiMail unit is located (Optional).

    Country

    Select the name of the country where the FortiMail unit is located (Optional).

    E-mail

    Type an email address that may be used for contact purposes (Optional).

    Key type

    Select the type of algorithm used to generate the key: RSA or Elliptic Curve.

    Key size

    Select a key size of 1024 Bit, 1536 Bit, 2048 Bit, or 4096 Bit. Larger keys are slower to generate and to use, but provide better security. Public CAs no longer sign requests for RSA keys shorter than 2048 bits, and NIST disallows 1024-bit RSA for digital signatures, so select 2048 Bit or 4096 Bit.

    Curve name

    Select an elliptic curve: secp256r1, secp384r1, or secp521r1. The Elliptic Curve Digital Signature Algorithm (ECDSA) provides security comparable to RSA with a much shorter key; a secp256r1 key offers roughly the strength of a 3072-bit RSA key.

  4. Click OK.

    The certificate request is generated, and can be downloaded to your management computer for submission to a certificate authority (CA) for signing. For more information, see Downloading a certificate signing request.

Downloading a certificate signing request

After you have generated a certificate request, you can download the request file to your management computer in order to submit the request file to a certificate authority (CA) for signing.

For other related steps, see Installing a local certificate.

To download a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Click the row that corresponds to the certificate request in order to select it.
  3. Click Download, then select Download from the pop-up menu.

    Your web browser downloads the certificate request (.csr) file.

Submitting a certificate request to your CA for signing

After you have downloaded the certificate request file, you can submit the request to your CA for signing.

For other related steps, see Installing a local certificate.

To submit a certificate request

  1. Using the web browser on your management computer, go to the web site for your CA.
  2. Follow your CA’s instructions to upload your certificate request, which is a Base64-encoded PKCS #10 request (the .csr file you downloaded).

    If clients and servers that will be validating the certificate require specific fields such as Subject Alternative Name and Key Usage, then verify that the CA includes those fields when it signs the certificate.

  3. Follow your CA’s instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client.
  4. When you receive the signed certificate from the CA, install the certificate on the FortiMail unit. For more information, see Importing a certificate.
See also

Managing local certificates

Generating a certificate signing request

Importing a certificate

Importing a certificate

Importing a certificate may be useful when:

  • restoring a certificate backup
  • installing a certificate that has been generated on another system
  • installing a certificate, after the certificate request has been signed by a certificate authority (CA)

If you generated the certificate request on the FortiMail unit, after you submit it to the CA, the CA verifies the information and issues a digital certificate that contains the subject information from your request, a serial number, an expiration date, and the FortiMail unit’s public key, signed with the CA’s private key. The CA returns the certificate to you for installation on the FortiMail unit. To install the certificate, you must import it. For other related steps, see Installing a local certificate.

If the FortiMail unit’s local certificate is signed by an intermediate CA rather than a root CA, before clients will trust the FortiMail unit’s local certificate, you must demonstrate a link with trusted root CAs, thereby proving that the FortiMail unit’s certificate is genuine. You can demonstrate this chain of trust either by:

  • installing each intermediate CA's certificate in the client’s list of trusted CAs
  • including a signing chain in the FortiMail unit’s local certificate

To include a signing chain, before importing the local certificate to the FortiMail unit, first open the FortiMail unit’s local certificate file in a plain text editor, append the certificate of each intermediate CA in order from the intermediate CA who signed the FortiMail unit’s certificate to the intermediate CA whose certificate was signed directly by a trusted root CA, then save the certificate. For example, a local certificate which includes a signing chain might use the following structure:

-----BEGIN CERTIFICATE-----
<FortiMail unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the FortiMail certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----

To import a local certificate

  1. Go to System > Certificate > Local Certificate.
  2. Click Import.
  3. Select the type of the import file or files:
    • Local Certificate: Select this option if you are importing a signed certificate issued by your CA. For other related steps, see Installing a local certificate.
    • PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.
    • Certificate: Select this option if you are importing an existing certificate whose certificate file (.cert) and key file (.key) are stored separately. The private key is password-encrypted.
  4. Configure the following:
  5. GUI item

    Description

    Certificate name

    Enter the location of the previously exported certificate file (.cert or .pem; for PKCS #12 certificates, the .p12 certificate-and-key file), or click Browse to locate the file.

    Key file

    Enter the location of the previously exported key file, or click Browse to locate the file.

    This option appears only when Type is Certificate.

    Password

    Enter the password that was used to encrypt the file, enabling the FortiMail unit to decrypt and install the certificate.

    This option appears only when Type is PKCS12 certificate or Certificate.
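The signing chain described above and the password-protected PKCS #12 file accepted by the PKCS12 Certificate import type can both be built and checked with OpenSSL on the management computer before anything is uploaded. The script below is an added example, not Fortinet's code and not a FortiMail feature: it creates a throwaway root CA, intermediate CA and server certificate (the names Example Corp, Example Root CA, Example Issuing CA and mail.example.com, the password changeit and the 30-day lifetimes are made-up values for the demonstration), writes the chain file in the order the guide describes, checks that each certificate in the file is issued by the one that follows it, validates the leaf up to the root, and packages the key, certificate and intermediate as a .p12 file. It assumes a standard openssl binary (1.1.1 or later) and a POSIX shell.

```sh
#!/bin/sh
# Added example, not part of the FortiMail guide: build a demo signing chain with
# OpenSSL, assemble the chain file in the order the guide describes, check it,
# and package the same material as a PKCS #12 file. All names, the password and
# the 30-day lifetimes are made-up values for the demonstration.

# Split a PEM bundle ($1) into $2/cert-1.pem, $2/cert-2.pem, ... and print the count.
split_pems() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$1"
}

# Succeed only if every certificate in the bundle ($1) is issued by the one that
# follows it, i.e. leaf first, then each intermediate upward toward the root.
chain_order_ok() {
  tmp=$(mktemp -d)
  count=$(split_pems "$1" "$tmp")
  i=1
  while [ "$i" -lt "$count" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/cert-$i.pem")
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/cert-$j.pem")
    # Drop the "issuer=" / "subject=" labels, then compare the distinguished names.
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      rm -rf "$tmp"
      return 1
    fi
    i=$j
  done
  rm -rf "$tmp"
  return 0
}

# Create root CA, intermediate CA, server certificate, chain file and .p12 in $1.
make_demo_chain() {
  d=$1
  ec="ec -pkeyopt ec_paramgen_curve:prime256v1"   # prime256v1 is OpenSSL's name for secp256r1
  # Self-signed root CA: CSR, then self-sign it with CA extensions.
  openssl req -new -newkey $ec -nodes -sha256 -subj "/O=Example Corp/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
    -extfile "$d/root.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey $ec -nodes -sha256 -subj "/O=Example Corp/CN=Example Issuing CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/inter.ext"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/inter.ext" -out "$d/inter.crt" 2>/dev/null
  # Server CSR for the appliance (ID type Domain name), then the signed certificate.
  # The CA adds subjectAltName and key usage, the fields the guide says to confirm with the CA.
  openssl req -new -newkey $ec -nodes -sha256 -subj "/O=Example Corp/CN=mail.example.com" \
    -keyout "$d/fml.key" -out "$d/fml.csr" 2>/dev/null
  printf 'subjectAltName=DNS:mail.example.com\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\n' > "$d/fml.ext"
  openssl x509 -req -in "$d/fml.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/fml.ext" -out "$d/fml.crt" 2>/dev/null
  # Chain file for the Local Certificate import type: leaf first, then the intermediate.
  # The root is left out; clients are expected to trust it already.
  cat "$d/fml.crt" "$d/inter.crt" > "$d/fml_chain.pem"
  # Same key, certificate and intermediate as a password-protected PKCS #12 file
  # for the PKCS12 Certificate import type.
  openssl pkcs12 -export -inkey "$d/fml.key" -in "$d/fml.crt" -certfile "$d/inter.crt" \
    -name fmlocal -passout pass:changeit -out "$d/fml.p12"
}

# Validate the leaf up to the root through the chain file and check the hostname.
verify_leaf() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/fml_chain.pem" \
    -verify_hostname mail.example.com "$1/fml.crt" >/dev/null
}

# Number of certificates stored in a .p12 file ($1), unlocked with password $2.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
make_demo_chain "$work"
chain_order_ok "$work/fml_chain.pem" && echo "chain order: OK"
verify_leaf "$work" && echo "leaf validates to root: OK"
echo "fml.p12 holds $(p12_cert_count "$work/fml.p12" changeit) certificates"
echo "files are in $work"
```

Run it as sh chain.sh; the directory it reports holds fml_chain.pem (for the Local Certificate import type) and fml.p12 (for the PKCS12 Certificate type). Two points to keep in mind when preparing a real bundle: chain_order_ok only checks the subject/issuer ordering, so run the verify step against the CA's actual root as well, and OpenSSL 3 encrypts PKCS #12 files with AES-256 and PBKDF2 by default, which some older importers cannot read; its -legacy option for pkcs12 -export writes the older 3DES/RC2 format if an import of the .p12 fails.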

See also

Managing local certificates

Downloading a certificate signing request

Managing certificate authority certificates

Go to System > Certificate > CA Certificate to view and import the certificates of certificate authorities (CA) that FortiMail should trust.

CAs validate and sign other certificates in order to indicate to third parties that those other certificates are authentic.

Secure connections that use transport layer security (TLS) and S/MIME encryption use CA certificates to validate the signatures on other certificates. For more information, see Configuring TLS security profiles and Configuring certificate bindings. Depending on the configuration of each PKI user, CA certificates may also be required to authenticate PKI users. For more information, see Configuring PKI authentication.

GUI item

Description

View

(button)

Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Delete

(button)

Removes the selected certificate.

Download

(button)

Click the row of a certificate in order to select it, then click Download to download a copy of the CA certificate (.cer).

Import

(button)

Click to import a CA certificate.

Name

Displays the name of the CA certificate.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate.

See also

Managing local certificates

Viewing trusted certificate authority certificates

Managing OCSP server certificates

Managing the certificate revocation list

System > Certificate > Certificate Revocation List lets you view and import certificate revocation lists (CRL).

To ensure that the FortiMail unit rejects revoked certificates, import the current certificate revocation list published by each certificate authority (CA) you trust. A CRL carries a next-update time, so import a fresh copy whenever the CA publishes one, not only when you learn that a certificate has been revoked. Alternatively, you can use the Online Certificate Status Protocol (OCSP) to query certificate status. See Managing OCSP server certificates.

GUI item

Description

Delete

(button)

Removes the selected list.

View

(button)

Select a certificate revocation list and click View to display details.

Download

(button)

Select a certificate revocation list and click Download to download a copy of the CRL file (.cer).

Import

(button)

Click to import a certificate revocation list.

Name

Displays the name of the certificate revocation list.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate revocation list.

See also

Managing local certificates

Managing certificate authority certificates

Managing OCSP server certificates

Managing OCSP server certificates

Go to System > Certificate > Remote to view and import the certificates of the online certificate status protocol (OCSP) servers of your certificate authority (CA).

OCSP lets FortiMail check whether a certificate has been revoked by querying the CA's OCSP responder (see Appendix C: Port Numbers for the port used), rather than by importing certificate revocation lists (CRL; see Managing the certificate revocation list).

The OCSP server certificate is used to verify the signature on the responder's replies, so a remote certificate is required if you enable OCSP for PKI users. For more information, see Configuring PKI authentication.

GUI item

Description

Delete

(button)

Removes the selected certificate.

View

(button)

Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Download

(button)

Click the row of a certificate in order to select it, then click Download to download a copy of the OCSP server certificate (.cer).

Import

(button)

Click to import an OCSP server certificate.

Name

Displays the name of the OCSP server certificate.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Viewing trusted certificate authority certificates

Go to System > Certificate > Trusted CA to view all trusted root certificate authorities (CA) downloaded from FortiGuard.

Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates may be trusted to be authentic.

FortiMail keeps this list of trusted CA certificates up to date from FortiGuard.

GUI item

Description

View

(button)

Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Download

(button)

Click the row of a certificate in order to select it, then click Download to download a copy of the CA certificate (.cer).

Name

Displays the name of the CA certificate.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate.

See also

Managing local certificates

Managing certificate authority certificates

Managing OCSP server certificates

Managing certificates

Managing certificates

You can use the System > Certificate submenu to generate certificate requests, install signed X.509 certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys.

FortiMail uses certificates for public key infrastructure (PKI) authentication in secure connections. PKI can be used to authenticate a user, server, or client software. To prove that they can be trusted, when the connection occurs, the software presents a certificate with its identity. The software on the opposite side of the connection verifies that the certificate is currently valid, is being used for the intended purpose, and has been cryptographically signed by a known, trusted certification authority (CA). Depending on the connection, both the client and server sides of the connection may be required to present their certificates in order to authenticate each other.

Certificates can also be used for encryption. For an example of how to use certificates for PKI authentication of FortiMail administrators and email users, see Appendix F: PKI Authentication.

Depending on the features you use, you may need to configure multiple types of certificates on FortiMail.

Certificate type

Purpose

CA certificates

FortiMail compares trusted CA certificates to the CA signature on certificates presented by client software (including administrators and webmail users' web browsers). For details, see Configuring PKI authentication and Managing certificate authority certificates.

Server certificates

FortiMail must present its server certificate when a client requests a secure connection for the:

  • GUI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

For details, see Managing local certificates.

Client certificates

FortiMail must present its client certificate if another server requests that FortiMail identify itself during a secure connection for:

  • LDAPS
  • SSO

For details, see Managing local certificates and Configuring single sign-on (SSO).

Personal certificates

Mail users’ personal certificates are used for S/MIME encryption. For details, see Configuring certificate bindings.

This section contains the following topics:

Managing local certificates

System > Certificate > Local Certificate displays both signed certificates and unsigned certificate requests.

If you do not have a server certificate for FortiMail, you can generate a certificate signing request and, once a CA has signed it, import the certificate. This installs the certificate for local use by the FortiMail unit.

FortiMail units require a local server certificate that it can present to prove its identity when clients request secure connections, including the:

  • GUI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

A local client certificate may also be required if FortiMail makes secure connections to another server, where FortiMail must authenticate itself, such as in SSO and some LDAPS configurations. The certificate for SSO is not located together with other client certificates; instead see Configuring single sign-on (SSO).

GUI item

Description

View

(button)

Select a certificate and click View to display its issuer, subject, and range of dates within which the certificate is valid.

Delete

(button)

Removes the selected certificate.

Generate

(button)

Click to generate a local certificate request. For more information, see Generating a certificate signing request.

Download

(button)

Click the row of a certificate file or certificate request file in order to select it, then click this button to download a certificate (.cer) or certificate request (.csr) file. You can send the request to your certificate authority (CA) to obtain a signed certificate for the FortiMail unit. For more information, see Downloading a certificate signing request.

Set status

Click the row of a certificate in order to select it, then click this button to use it as the Default (that is, currently chosen for use) certificate. The Status column changes to indicate that the certificate is the current (Default) certificate.

This button is not available if the selected certificate is already Default.

Import

(button)

Click to import a signed certificate for local use. For more information, see Importing a certificate.

Name

Displays the name of the certificate file or certificate request file.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate.

If the certificate has not yet been signed, this field is empty.

Status

Displays the status of the local certificates or certificate signing request.

  • Default: Indicates that the certificate was successfully imported, and is currently selected for use by the FortiMail unit.
  • OK: Indicates that the certificate was successfully imported, but is not selected as the certificate currently in use. To use the certificate, click the row of the certificate in order to select it, then click Set status.
  • Pending: Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a local certificate. For details, see Installing a local certificate.

See also

Generating a certificate signing request

Downloading a certificate signing request

Importing a certificate

Installing a local certificate

To install a local certificate that FortiMail can use, either:

Generating a certificate signing request

You can generate a certificate signing request (CSR) file, based on the information you enter to identify the FortiMail unit. Certificate request files can then be submitted for verification and signing by a certificate authority (CA) in order to make a server certificate.

Alternatively, you may be able to generate a CSR and download a certificate directly on CA servers such as Microsoft Active Directory and Let's Encrypt. See your CA documentation.

To generate a certificate request on FortiMail

  1. Go to System > Certificate > Local Certificate.
  2. Click Generate.
  3. A dialog appears.

  4. Configure the following:
  5. GUI item

    Description

    Certification name

    Enter a unique name for the certificate request, such as fmlocal.

    Subject Information

    Information that the certificate is required to contain in order to uniquely identify the FortiMail unit.

    Certification name

    Select which type of identifier will be used in the certificate to identify the FortiMail unit:

    • Host IP
    • Domain name
    • E-mail

    Which type you should select varies by whether or not your FortiMail unit has a static IP address, a fully-qualified domain name (FQDN), and by the primary intended use of the certificate.

    For example, if your FortiMail unit has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the GUI by the domain name of the FortiMail unit, you might prefer to generate a certificate based on the domain name of the FortiMail unit, rather than its IP address.

    • Host IP requires that the FortiMail unit have a static, public IP address. It may be preferable if clients will be accessing the FortiMail unit primarily by its IP address.
    • Domain name requires that the FortiMail unit have a fully-qualified domain name (FQDN). It may be preferable if clients will be accessing the FortiMail unit primarily by its domain name.
    • E-mail does not require either a static IP address or a domain name. It may be preferable if the FortiMail unit does not have a domain name or public IP address.

    IP

    Enter the static IP address of the FortiMail unit.

    This option appears only if ID Type is Host IP.

    Domain name

    Type the fully-qualified domain name (FQDN) of the FortiMail unit.

    The domain name may resolve to either a static or, if the FortiMail unit is configured to use a dynamic DNS service, a dynamic IP address. For more information, see Configuring the network interfaces and Configuring dynamic DNS.

    If a domain name is not available and the FortiMail unit subscribes to a dynamic DNS service, an unable to verify certificate message may appear in the user’s browser whenever the public IP address of the FortiMail unit changes.

    This option appears only if ID Type is Domain name.

    E-mail

    Type the email address of the owner of the FortiMail unit.

    This option appears only if ID Type is E-mail.

    Optional Information

    Information that you may include in the certificate, but which is not required.

    Organization unit

    Type the name of your organizational unit, such as the name of your department (Optional).

    To enter more than one organizational unit name, click the + icon, and enter each organizational unit separately in each field.

    Organization

    Type the legal name of your organization (Optional).

    Locality(City)

    Type the name of the city or town where the FortiMail unit is located (Optional).

    State/Province

    Type the name of the state or province where the FortiMail unit is located (Optional).

    Country

    Select the name of the country where the FortiMail unit is located (Optional).

    E-mail

    Type an email address that may be used for contact purposes (Optional).

    Key type

    Displays the type of algorithm used to generate the key: RSA or Elliptic Curve.

    Key size

    Select a security key size of 1024 Bit, 1536 Bit, 2048 Bit, or 4096 Bit. Larger keys are slower to generate, but provide better security.

    Curve name

    Select an elliptic curve name of secp256r1, secp384r1, or secp521r1. Elliptic Curve Digital Signature Algorithm (ECSDSA) provides a similar encryption strength to RSA but with a shorter key length.

  6. Click OK.

    The certificate is generated, and can be downloaded to your management computer for submission to a certificate authority (CA) for signing. For more information, see Downloading a certificate signing request.

Downloading a certificate signing request

After you have generated a certificate request, you can download the request file to your management computer in order to submit the request file to a certificate authority (CA) for signing.

For other related steps, see Installing a local certificate.

To download a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Click the row that corresponds to the certificate request in order to select it.
  3. Click Download, then select Download from the pop-up menu.

    Your web browser downloads the certificate request (.csr) file.

Submitting a certificate request to your CA for signing

After you have download the certificate request file, you can submit the request to you CA for signing.

For other related steps, see Installing a local certificate.

To submit a certificate request

  1. Using the web browser on your management computer, go to the web site for your CA.
  2. Follow your CA’s instructions to place a Base64-encoded PKCS #12 certificate request, uploading your certificate request.

    If clients and servers that will be validating the certificate require specific fields such as Subject Alternative Name and Key Usage, then verify that the CA includes those fields when it signs the certificate.

  3. Follow your CA’s instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client.
  4. When you receive the signed certificate from the CA, install the certificate on the FortiMail unit. For more information, see Importing a certificate.

See also

Managing local certificates

Generating a certificate signing request

Importing a certificate

Importing a certificate

Importing a certificate may be useful when:

  • restoring a certificate backup
  • installing a certificate that has been generated on another system
  • installing a certificate, after the certificate request has been signed by a certificate authority (CA)

If you generated the certificate request using the FortiMail unit, after you submit the certificate request to the CA, the CA will verify the information and register the contact information in a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate and return it to you for installation on the FortiMail unit. To install the certificate, you must import it. For other related steps, see Installing a local certificate.

If the FortiMail unit’s local certificate is signed by an intermediate CA rather than a root CA, before clients will trust the FortiMail unit’s local certificate, you must demonstrate a link with trusted root CAs, thereby proving that the FortiMail unit’s certificate is genuine. You can demonstrate this chain of trust either by:

  • installing each intermediate CA's certificate in the client’s list of trusted CAs
  • including a signing chain in the FortiMail unit’s local certificate

To include a signing chain, before importing the local certificate to the FortiMail unit, first open the FortiMail unit’s local certificate file in a plain text editor, append the certificate of each intermediate CA in order from the intermediate CA who signed the FortiMail unit’s certificate to the intermediate CA whose certificate was signed directly by a trusted root CA, then save the certificate. For example, a local certificate which includes a signing chain might use the following structure:

-----BEGIN CERTIFICATE-----
<FortiMail unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the FortiMail certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----
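To show why the order of that file matters, here is an added Go example (not FortiMail code and not part of this guide). It builds a throwaway test PKI (a root CA, one intermediate CA and a server certificate, all with constructed names such as "Example Root CA" and mail.example.com), writes the chain file in exactly the order described above, and then verifies it the way a client does: the first block is taken as the server certificate, the remaining blocks as untrusted intermediates, and the chain must end at a root the client already trusts. Verifying with the expected host name also illustrates the earlier note about Subject Alternative Name: if the CA had omitted that field, the same check would fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl signed by parent; with parent == nil the
// certificate is self-signed (a root CA). Test PKI only, constructed for this example.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template returns a CA or server-certificate template; the server certificate carries its host
// name as a Subject Alternative Name, which is what clients match against.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// ChainPEM writes the file in the order the guide describes: the server certificate first, then each
// intermediate from the one that signed the server certificate toward the one signed by the root.
// The root itself is not included; the client must already trust it.
func ChainPEM(leaf *x509.Certificate, intermediates ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range append([]*x509.Certificate{leaf}, intermediates...) {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// VerifyChain behaves like a client: the first PEM block is the server certificate, the rest are
// untrusted intermediates, and the chain must end at the given root and match dnsName.
func VerifyChain(chainPEM []byte, root *x509.Certificate, dnsName string) error {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(chainPEM); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return errors.New("no certificates found in chain file")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range certs[1:] {
		inters.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

// BuildTestPKI constructs root -> intermediate -> server certificate with constructed names.
func BuildTestPKI(serverName string) (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(template("Example Root CA", 1, true), nil, nil)
	inter, interKey := issue(template("Example Intermediate CA", 2, true), root, rootKey)
	leaf, _ = issue(template(serverName, 3, false), inter, interKey)
	return root, inter, leaf
}

func main() {
	root, inter, leaf := BuildTestPKI("mail.example.com")
	fmt.Println("server + intermediate:", VerifyChain(ChainPEM(leaf, inter), root, "mail.example.com"))
	fmt.Println("server only:          ", VerifyChain(ChainPEM(leaf), root, "mail.example.com"))
	fmt.Println("wrong order:          ", VerifyChain(ChainPEM(inter, leaf), root, "mail.example.com"))
}
```

Only the first call succeeds. Leaving the intermediate out produces an "unknown authority" error from a client that trusts just the root, and putting the intermediate first makes the client treat the CA certificate as the server certificate, so its host name check fails; both are the failures you see when the appended file is assembled in the wrong order.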

To import a local certificate

  1. Go to System > Certificate > Local Certificate.
  2. Click Import.
  3. Select the type of the import file or files:
    • Local Certificate: Select this option if you are importing a signed certificate issued by your CA. For other related steps, see Installing a local certificate.
    • PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.
    • Certificate: Select this option if you are importing an existing certificate whose certificate file (.cert) and key file (.key) are stored separately. The private key is password-encrypted.
  4. Configure the following:

    GUI item

    Description

    Certificate name

    Enter the location of the previously exported certificate file (.cert or .pem), or, for PKCS #12 certificates, the .p12 certificate-and-key file, or click Browse to locate the file.

    Key file

    Enter the location of the previously exported key file, or click Browse to locate the file.

    This option appears only when Type is Certificate.

    Password

    Enter the password that was used to encrypt the file, enabling the FortiMail unit to decrypt and install the certificate.

    This option appears only when Type is PKCS12 certificate or Certificate.

See also

Managing local certificates

Downloading a certificate signing request

Managing certificate authority certificates

Go to System > Certificate > CA Certificate to view and import the certificates of certificate authorities (CA) that FortiMail should trust.

CAs validate and sign other certificates in order to indicate to third parties that those other certificates are authentic.

Secure connections that use transport layer security (TLS) and S/MIME encryption use CA certificates to validate the signatures on other certificates. For more information, see Configuring TLS security profiles and Configuring certificate bindings. Depending on the configuration of each PKI user, CA certificates may also be required to authenticate PKI users. For more information, see Configuring PKI authentication.

GUI item

Description

View

(button)

Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Delete

(button)

Removes the selected certificate.

Download

(button)

Click the row of a certificate in order to select it, then click Download to download a copy of the CA certificate (.cer).

Import

(button)

Click to import a CA certificate.

Name

Displays the name of the CA certificate.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate.

See also

Managing local certificates

Viewing trusted certificate authority certificates

Managing OCSP server certificates

Managing the certificate revocation list

System > Certificate > Certificate Revocation List lets you view and import certificate revocation lists (CRL).

To ensure that your FortiMail unit accepts only valid (not revoked) certificates, you should upload a current certificate revocation list, which may be provided by certificate authorities (CA), whenever a certificate is revoked. Alternatively, you can use online certificate status protocol (OCSP) to query for certificate statuses. See Managing OCSP server certificates.
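As an added example (not FortiMail code and not part of this guide), the Go program below shows what a relying party has to check before a CRL can be used to reject a revoked certificate. A constructed test CA issues a list revoking one serial number; CheckCRL then refuses to draw any conclusion unless the list was issued by that certificate's CA, its signature verifies with the CA's key, and its NextUpdate has not passed, and only then looks the serial number up. The CA name, serial numbers and validity periods are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is the answer a relying party needs before accepting a certificate.
type RevocationStatus int

const (
	StatusGood    RevocationStatus = iota // serial not on a valid, current CRL
	StatusRevoked                         // serial listed on a valid, current CRL
	StatusUnknown                         // CRL unusable: wrong issuer, bad signature or stale
)

func (s RevocationStatus) String() string {
	return [...]string{"good", "revoked", "unknown"}[s]
}

// makeCA builds a self-signed test CA allowed to sign CRLs (KeyUsageCRLSign is required).
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return ca, key
}

// IssueCRL has the CA publish a DER-encoded list revoking the given serials, valid for validFor.
func IssueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked []*big.Int, now time.Time, validFor time.Duration) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(validFor)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// CheckCRL validates the list before trusting its contents: issuer match, signature, freshness.
// Only after those checks does the serial-number lookup mean anything.
func CheckCRL(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (RevocationStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, err
	}
	if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
		return StatusUnknown, errors.New("CRL was not issued by the certificate's CA")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature does not verify: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL is stale: NextUpdate was %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func main() {
	ca, key := makeCA()
	now := time.Now()
	crl, err := IssueCRL(ca, key, []*big.Int{big.NewInt(1001)}, now, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, serial := range []int64{1001, 1002} {
		status, err := CheckCRL(crl, ca, big.NewInt(serial), now)
		fmt.Println("serial", serial, "->", status, err)
	}
	status, err := CheckCRL(crl, ca, big.NewInt(1002), now.Add(48*time.Hour))
	fmt.Println("two days later ->", status, err)
}
```

The stale case is the one this section's advice is about: once NextUpdate has passed, the list says nothing about certificates revoked since, so a relying party that keeps accepting certificates on the strength of an old CRL is no longer checking revocation at all. That is why the CRL must be re-uploaded whenever the CA publishes a new one, or OCSP used instead.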

GUI item

Description

Delete

(button)

Removes the selected list.

View

(button)

Select a certificate revocation list and click View to display details.

Download

(button)

Select a certificate revocation list and click Download to download a copy of the CRL file (.cer).

Import

(button)

Click to import a certificate revocation list.

Name

Displays the name of the certificate revocation list.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate revocation list.

See also

Managing local certificates

Managing certificate authority certificates

Managing OCSP server certificates

Managing OCSP server certificates

Go to System > Certificate > Remote to view and import the certificates of the online certificate status protocol (OCSP) servers of your certificate authority (CA).

OCSP lets you revoke or validate certificates by query (see Appendix C: Port Numbers), rather than by importing certificate revocation lists (CRL; see Managing the certificate revocation list).

Remote certificates are required if you enable OCSP for PKI users. For more information, see Configuring PKI authentication.

GUI item

Description

Delete

(button)

Removes the selected certificate.

View

(button)

Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Download

(button)

Click the row of a certificate in order to select it, then click Download to download a copy of the OCSP server certificate (.cer).

Import

(button)

Click to import an OCSP server certificate.

Name

Displays the name of the OCSP server certificate.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Viewing trusted certificate authority certificates

Go to System > Certificate > Trusted CA to view all trusted root certificate authorities (CA) downloaded from FortiGuard.

Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates may be trusted to be authentic.

FortiMail keeps this list of trusted CA certificates up to date from FortiGuard.

GUI item

Description

View

(button)

Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Download

(button)

Click the row of a certificate in order to select it, then click Download to download a copy of the CA certificate (.cer).

Name

Displays the name of the CA certificate.

Subject

Displays the Distinguished Name (DN) located in the Subject field of the certificate.

See also

Managing local certificates

Managing certificate authority certificates

Managing OCSP server certificates