Importing a certificate
You can upload Base64-encoded certificates in either privacy-enhanced email (PEM) or public key cryptography standard #12 (PKCS #12) format from your management computer to the FortiMail unit.
 
DER encoding is not supported in FortiMail version 4.0 GA and MR1 releases.
Importing a certificate may be useful when:
restoring a certificate backup
installing a certificate that has been generated on another system
installing a certificate, after the certificate request has been generated on the FortiMail unit and signed by a certificate authority (CA)
If you generated the certificate request using the FortiMail unit, then after you submit the certificate request to a CA, the CA will verify the information and register the contact information in a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate and return it to you for installation on the FortiMail unit. To install the certificate, you must import it. For other related steps, see “Obtaining and installing a local certificate”.
If the FortiMail unit’s local certificate is signed by an intermediate CA rather than a root CA, before clients will trust the FortiMail unit’s local certificate, you must demonstrate a link with trusted root CAs, thereby proving that the FortiMail unit’s certificate is genuine. You can demonstrate this chain of trust either by:
installing each intermediate CA’s certificate in the client’s list of trusted CAs
including a signing chain in the FortiMail unit’s local certificate
To include a signing chain, before importing the local certificate to the FortiMail unit, first open the FortiMail unit’s local certificate file in a plain text editor, append the certificate of each intermediate CA in order from the intermediate CA who signed the FortiMail unit’s certificate to the intermediate CA whose certificate was signed directly by a trusted root CA, then save the certificate. For example, a local certificate which includes a signing chain might use the following structure:
-----BEGIN CERTIFICATE-----
<FortiMail unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the FortiMail certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----
To import a local certificate
1. Go to System > Certificate > Local Certificate.
2. Click Import.
3. From Type, select the type of the import file or files:
Local Certificate: Select this option if you are importing a signed certificate issued by your CA. For other related steps, see “Obtaining and installing a local certificate”.
PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.
Certificate: Select this option if you are importing an existing certificate whose certificate file (.cert) and key file (.key) are stored separately. The private key is password-encrypted.
The remaining fields vary by your selection in Type.
4. Configure the following:
Certificate file: Enter the location of the previously exported .cert or .pem certificate (or, for PKCS #12 certificates, the .p12 certificate-and-key file), or click Browse to locate the file.
Key file: Enter the location of the previously exported key file, or click Browse to locate the file. This option appears only when Type is Certificate.
Password: Enter the password that was used to encrypt the file, enabling the FortiMail unit to decrypt and install the certificate. This option appears only when Type is PKCS12 Certificate or Certificate.