Creating a custom certificate request template using MMC
Use this procedure to create a custom certificate request template using the Microsoft Management Console (MMC).
MMC comes with a variety of certificate templates. However, none of those templates are designed to meet the specific needs of FortiMail. A custom certificate template includes all information required by the FortiMail certification authority (CA) server to establish the identity of the client and create trusts for the secure exchange of information.
The custom certificate request template removes ambiguity and enables administrators to create certificate signing requests (CSRs) specifically for FortiMail clients (that is, email users and administrators).
The custom certificate template is created using the MMC Certificate Templates snap-in.
Before you begin this procedure, refer to “Prerequisites”.
To create a custom certificate template
1. Log in to the local certificate authority (CA) server and start MMC (on the Start Menu, click Run, type MMC, and then click OK).
2. In the Console Root folder, add the Certificate Templates and Certificate Authority snap-ins.
3. Select the Certificate Templates snap-in from the Console Root folder.
4. In the right pane, right-click User in the Template Display Name column and select Duplicate Template from the drop-down menu.
The Properties of New Template window appears.
5. On the General tab, fill in the template name, validity period and renewal period according to your specific requirements.
6. On the Request Handling tab, select Signature and encryption in the Purpose field.
7. On the Subject Name tab, select Supply in the request. A subject name must be supplied in the request because the default subject name does not work with FortiMail.
8. On the Security tab, select Administrator and select (check) Allow as the Enroll Permission for Administrator.
9. On the Extensions tab, select Application Policies and verify that Client Authentication appears in Description of Application Policies.
10. On the Superseded Templates tab, select User in the Certificate templates area. This is the template that will be used as a base for the new template.
11. Leave the remainder of the settings on the Properties of New Template window as their default values and click OK.
The new template is created and stored on the local certificate authority (CA) server.
12. Select the Certificate Authority snap-in from the Console Root folder.
13. Right-click Certificate Templates and select New > Certificate Template to Issue.
The Enable Certificate Templates window appears.
14. Select the new template created in step 5 and click OK.
The new custom template is now installed on the local certificate authority (CA).
15. Once the custom template is installed, you can proceed to “Requesting a client certificate” to create client certificates, or “Downloading a CA certificate for FortiMail” to configure FortiMail.
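A read-only check of the finished template, as an added example that is not part of the Fortinet procedure: it confirms the settings from steps 7 and 9 and, because step 7 lets the requester choose the subject name, lists every identity holding Enroll that is not on the expected list from step 8. The function name, the EXAMPLE\ identities and the sample data are assumptions made for illustration.

```powershell
# Added example, not Fortinet's code. Attribute names, flag bit, OID and rights GUID are
# standard AD CS values; the EXAMPLE\ identities and the sample ACL are constructed.
$SuppliesSubject = 0x1                                     # msPKI-Certificate-Name-Flag bit set by step 7
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'                     # Client Authentication (step 9)
$EnrollRight     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Enroll extended right (step 8)
$AllRights       = [guid]::Empty.ToString()                # ACE that covers all extended rights

function Get-TemplateReview {
    param([Parameter(Mandatory)] $Template, [string[]] $ExpectedEnrollers = @())
    $findings = @()
    if (-not ($Template.'msPKI-Certificate-Name-Flag' -band $SuppliesSubject)) {
        $findings += 'Subject name is not supplied in the request (step 7 not applied)'
    }
    if ($Template.pKIExtendedKeyUsage -notcontains $ClientAuthOid) {
        $findings += 'Client Authentication is missing from Application Policies (step 9)'
    }
    # Identities that can enroll: Allow ACEs granting Enroll, all extended rights, or full control.
    $enrollers = $Template.nTSecurityDescriptor.Access | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and (
            "$($_.ActiveDirectoryRights)" -match 'GenericAll' -or
            ("$($_.ActiveDirectoryRights)" -match 'ExtendedRight' -and
             "$($_.ObjectType)" -in $EnrollRight, $AllRights))
    } | ForEach-Object { "$($_.IdentityReference)" } | Sort-Object -Unique
    foreach ($id in $enrollers) {
        if ($id -notin $ExpectedEnrollers) { $findings += "Unexpected Enroll permission: $id" }
    }
    $findings
}

# Against a live directory (RSAT ActiveDirectory module), obtain $Template with:
#   $cfg = (Get-ADRootDSE).configurationNamingContext
#   Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
#     -LDAPFilter '(displayName=<template name>)' `
#     -Properties 'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage, nTSecurityDescriptor

# Constructed sample shaped like that Get-ADObject result, so the check runs offline.
$sample = [pscustomobject]@{
    'msPKI-Certificate-Name-Flag' = 1
    pKIExtendedKeyUsage           = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.4')
    nTSecurityDescriptor          = [pscustomobject]@{ Access = @(
        [pscustomobject]@{ IdentityReference = 'EXAMPLE\Administrator'; AccessControlType = 'Allow'
                           ActiveDirectoryRights = 'ReadProperty, ExtendedRight'; ObjectType = $EnrollRight },
        [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Users'; AccessControlType = 'Allow'
                           ActiveDirectoryRights = 'ReadProperty, ExtendedRight'; ObjectType = $EnrollRight }) }
}
Get-TemplateReview -Template $sample -ExpectedEnrollers 'EXAMPLE\Administrator'
```

Any identity reported as unexpected can be removed, or have Enroll cleared, on the template's Security tab before client certificates are requested.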