Control access to each PKI user’s computer. Certificate-based PKI authentication controls access to the FortiMail unit based upon PKI certificates, which are installed on each email user’s or administrator’s computer. If anyone can access the computers where those PKI certificates are installed, they can gain access to the FortiMail unit, which can compromise the security of your FortiMail unit.
| Variable | Description | Default |
|---|---|---|
| `name <name_str>` | Enter the name of the PKI user. | |
| `ca <certificate_str>` | Enter the name of the CA certificate used when verifying the CA’s signature on the client certificate. For information on uploading a CA certificate, see the FortiMail Administration Guide. | |
| `domain <protected-domain_str>` | Enter the name of the protected domain to which the PKI user is assigned, or enter `system` if the PKI user is a FortiMail administrator and belongs to all domains configured on the FortiMail unit. For more information on protected domains, see “domain”. | |
| `ldap-field {cn \| subjectalternative}` | Enter the field of the client certificate that contains the email address of the PKI user: `subjectalternative` if the field is a Subject Alternative Name, or `cn` if the field is the common name. This email address is compared with the value of the email address attribute of each user object queried from the LDAP directory to determine whether the PKI user exists in the LDAP directory. This variable is used only if `ldap-query` is `enable`. | subject |
| `ldap-profile <profile_str>` | Enter the LDAP profile to use when querying the LDAP server for the PKI user’s existence. For more information on LDAP profiles, see “profile ldap”. This variable is used only if `ldap-query` is `enable`. | |
| `ldap-query {enable \| disable}` | Enable to query an LDAP directory, such as Microsoft Active Directory, to determine whether the PKI user who is attempting to authenticate exists. Also configure `ldap-profile <profile_str>` and `ldap-field {cn \| subjectalternative}`. | disable |
| `ocsp-ca <remote-certificate_str>` | Enter the name of the remote certificate that is used to verify the identity of the OCSP server. For information on uploading a remote (OCSP) certificate, see the FortiMail Administration Guide. This option applies only if `ocsp-check` is `enable`. | |
| `ocsp-check {enable \| disable}` | Enable to use an Online Certificate Status Protocol (OCSP) server to query whether the client certificate has been revoked. Also configure `ocsp-url <url_str>`, `ocsp-ca <remote-certificate_str>`, and `ocsp-unavailable-action {revoke \| ignore}`. | disable |
| `ocsp-unavailable-action {revoke \| ignore}` | Enter the action to take if the OCSP server is unavailable. If set to `ignore`, the FortiMail unit allows the user to authenticate. If set to `revoke`, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails. This option applies only if `ocsp-check` is `enable`. | ignore |
| `ocsp-url <url_str>` | Enter the URL of the OCSP server. This option applies only if `ocsp-check` is `enable`. | |
| `subject <subject_str>` | Enter the value which must match the “subject” field of the client certificate. If empty, subject values are not considered when validating the client certificate presented by the PKI user’s web browser. | |
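The following is an added illustration, not FortiMail code: a constructed model of the acceptance decision the table describes (subject match, OCSP revocation check with the `ocsp-unavailable-action` fallback, and the `ldap-field` lookup), used to show why the default `ignore` fails open when the OCSP responder cannot be reached. Certificates, LDAP results and OCSP statuses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the "user pki" settings from the table above.
@dataclass
class PkiUser:
    name: str
    domain: str
    subject: str = ""                         # must match cert subject if non-empty
    ldap_query: bool = False                  # ldap-query {enable | disable}
    ldap_field: str = "subjectalternative"    # ldap-field {cn | subjectalternative}
    ocsp_check: bool = False                  # ocsp-check {enable | disable}
    ocsp_unavailable_action: str = "ignore"   # {revoke | ignore}; "ignore" fails open

# Constructed client certificate: only the fields the decision uses.
@dataclass
class ClientCert:
    subject: str
    cn: str
    san_email: Optional[str] = None

def authenticate(user: PkiUser, cert: ClientCert, ocsp_status: Optional[str],
                 ldap_emails: set) -> tuple:
    """Return (accepted, reason). ocsp_status is 'good', 'revoked' or 'unavailable'."""
    # subject <subject_str>: empty means "not considered"
    if user.subject and user.subject != cert.subject:
        return False, "subject mismatch"
    # ocsp-check: revoked certificates are rejected; responder outage follows
    # ocsp-unavailable-action, so 'ignore' lets a possibly revoked cert through
    if user.ocsp_check:
        if ocsp_status == "revoked":
            return False, "certificate revoked"
        if ocsp_status == "unavailable" and user.ocsp_unavailable_action == "revoke":
            return False, "OCSP unavailable, treated as revoked"
    # ldap-query: the email from the chosen certificate field must exist in LDAP
    if user.ldap_query:
        email = cert.san_email if user.ldap_field == "subjectalternative" else cert.cn
        if not email or email.lower() not in {e.lower() for e in ldap_emails}:
            return False, "user not found in LDAP"
    return True, "ok"

# Constructed sample input for a stand-alone run.
CERT = ClientCert(subject="CN=alice,O=Example", cn="alice", san_email="alice@example.com")
LDAP = {"alice@example.com"}

if __name__ == "__main__":
    for action in ("ignore", "revoke"):
        u = PkiUser("alice", "example.com", ocsp_check=True, ocsp_unavailable_action=action)
        print(action, authenticate(u, CERT, "unavailable", LDAP))
```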