Before you begin
When PKI authentication is configured and enabled, client certificates allow the administrator to access the web UI and the end-user to access webmail. This section includes procedures to create server certificates that enable the FortiMail unit to communicate with other devices using PKI authentication (that is, an SMTP server), to create and distribute client certificates, and to configure and enable PKI authentication on the FortiMail unit for the users.
This document assumes that you have configured your CA server and are running your own local certification authority (CA). Generating certificates through a commercial CA is not included in this document.
The tasks involved in configuring PKI authentication on FortiMail require a thorough understanding of public-key cryptography, security certificates and certification processes.
The procedures in this document use tools such as Microsoft Management Console (MMC) and the Microsoft Certificate Service (MSCS) to generate certificates for PKI authentication on FortiMail. These tools enable the administrator to create customized client certificates on behalf of all end-users.
Once a client certificate is generated, the administrator must export and transmit that client certificate to the appropriate end-user, and instruct the end-user on how to import the client certificate into their browser.
All client certificates and related private keys (usually saved in PKCS12 format) must be stored securely to prevent unauthorized use of the private key and client certificate.