Appendix F: PKI Authentication : Configuring PKI authentication on FortiMail : Requesting a client certificate
Requesting a client certificate
Use this procedure to request a client certificate using the Microsoft Certificate Services (MSCS) web enrollment tool.
A client certificate is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key.
Certificates are generally used to establish identity and create trust for the secure exchange of information. A certification authority (CA) can therefore issue certificates to people, such as FortiMail end-users, and to devices, such as the FortiMail unit itself when it acts as a client of an SMTP mail server.
The entity that receives the certificate is the subject of the certificate. The issuer and signer of the certificate is the certification authority (CA).
Typically, certificates contain the following information:
The subject's public key value.
The subject's identifier information, such as the name and e-mail address.
The validity period (the length of time that the certificate is considered valid).
Issuer identifier information.
The digital signature of the issuer, which attests to the validity of the binding between the subject’s public key and the subject’s identifier information.
Every certificate contains Valid From and Valid To dates, which set the boundaries of the validity period. Once a certificate's validity period has passed, a new certificate must be requested by the subject of the now-expired certificate.
This document assumes that all certificates are requested by the administrator on behalf of end-users. Certificate requests made by individual end-users are beyond the scope of this document. If end-users are permitted to request their own certificates, refer to the documentation accompanying the tools they use.
To create a client certificate
1. Open your web browser and enter the following in the address bar:
http://<ip_of_your_ms_ca_server>/certsrv/
Where <ip_of_your_ms_ca_server> is the IP address of the Windows Server 2003 system that hosts the local Certification Authority (CA). If the CA web enrollment site has been configured for SSL, use https:// instead so that your administrator credentials and the request are not sent in clear text.
2. Log in to the CA server as administrator.
The Microsoft Certificate Services home page for your local CA appears.
3. Select the Request a certificate link.
The Request a Certificate page appears.
4. Click the Advanced certificate request link.
The Advanced Certificate Request page appears.
5. Click the Create and submit a request to this CA link.
The Certificate Request Template appears.
6. In the Certificate Template drop-down list, select the new template created in “Creating a custom certificate request template using MMC”.
7. Fill in the Name field with the email address of the end-user (subject) for whom the client certificate request is being made.
For the purposes of FortiMail, the Name field must exactly match the email address of the end-user recorded in the FortiMail unit. For more information, see “Creating email accounts on FortiMail for PKI users”.
If desired, the full name of the user can be entered in the Friendly Name field.
If the page shows a Key Options section, make sure that Mark keys as exportable is selected. The key pair is generated on your computer, not on the CA, and without this option the private key cannot be exported together with the certificate in “Exporting a client certificate”.
8. Click Submit to send a certificate signing request (CSR) to the CA server on behalf of the end-user.
9. If a message appears, warning you that the web site is requesting a new certificate on your behalf, click Yes to proceed.
Once the CA server completes processing the request, the Certificate Issued window appears.
10. Click the Install this certificate link to load the certificate into the certificate store on your browser.
11. If a message appears, warning you that the web site is adding one or more certificates to your computer, click Yes to proceed.
The Certificate Installed window appears.
The client certificate is now stored, together with its private key, in the certificate store of your browser. The certificate is stored under the name specified in step 7.
12. Return to the Microsoft Certificate Services (MSCS) home page for your local CA and repeat steps 3 through 11 for each end-user who will communicate with FortiMail using PKI authentication.
13. Proceed to “Exporting a client certificate” to export and transmit the client certificate to the end-user.
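The procedure above can also be run from the command line on the administrator's Windows workstation with certreq.exe, which is convenient when many end-users must be enrolled. The following script is an added example and is not part of the FortiMail documentation or of Microsoft Certificate Services; it assumes a CA reachable under the hypothetical configuration string "CAHOST\Example-CA" (shown by certutil -dump), a custom template named "FortiMailClient" (the name chosen in “Creating a custom certificate request template using MMC”), and an end-user account such as user1@example.com. It collects the same information as the web form (Name as the subject CN, optional Friendly Name, exportable key), submits the CSR, installs the issued certificate, and then checks what FortiMail will rely on: that the subject name equals the account email, that the private key is present for the export step, and that the current date is inside the validity period.

```powershell
# Added example, not from the FortiMail or Microsoft documentation.
# Assumed values (change for your environment): -CaConfig "CAHOST\Example-CA",
# -Template "FortiMailClient", -Email "user1@example.com".
param(
    [Parameter(Mandatory = $true)][string]$Email,   # must equal the FortiMail account email exactly
    [string]$FriendlyName = "",                     # optional full name, like the web form
    [string]$CaConfig = "CAHOST\Example-CA",        # assumed CA config string
    [string]$Template = "FortiMailClient"           # assumed template name
)

$work = Join-Path $env:TEMP ("fortimail-" + ($Email -replace '[^\w.@-]', '_'))
New-Item -ItemType Directory -Force -Path $work | Out-Null
$inf = Join-Path $work "request.inf"
$req = Join-Path $work "request.req"
$cer = Join-Path $work "issued.cer"

# The Friendly Name line is only written when a name was supplied.
$friendly = if ($FriendlyName) { "FriendlyName = `"$FriendlyName`"" } else { "" }

# Same data the web form collects. Exportable = TRUE corresponds to
# "Mark keys as exportable" and is required for the later export to the end-user.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Email"
$friendly
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# Steps 5-8 of the web procedure: generate the key pair locally and write the CSR.
certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed for $Email" }

# Submit the CSR. A template that issues automatically returns the certificate immediately;
# a non-zero exit here usually means the request is pending approval or was denied.
certreq.exe -submit -config $CaConfig $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed for $Email (pending or denied?)" }

# Step 10 of the web procedure: install the certificate next to its private key.
certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed for $Email" }

# Verify the properties FortiMail and the export step depend on.
$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.GetNameInfo($simple, $false) -eq $Email } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with subject name '$Email' in the user store" }
if (-not $cert.HasPrivateKey) { throw "certificate for $Email has no private key" }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "certificate for $Email is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
Write-Output ("Issued {0}; thumbprint {1}; valid {2:u} to {3:u}" -f `
    $Email, $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter)
```

Run the script once per end-user (for example in a loop over a list of account emails) and then continue with “Exporting a client certificate”; the thumbprint it reports identifies the certificate to export. The subject comparison uses the certificate's simple name rather than a substring match so that a certificate issued to a different address that merely contains the expected one is not accepted by mistake.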