Configuring certificate bindings
Go to Encryption > S/MIME > Certificate Binding to create certificate binding profiles, which establish the relationship between an email address and the certificate that:
proves an individual’s identity
provides their keys for use with encryption profiles
FortiMail uses this relationship and that information for secure MIME (S/MIME), as per RFC 2634.
If an incoming email message is encrypted, FortiMail compares the recipient’s identity with the list of certificate bindings to determine if it has a key that can decrypt the email. If it has a matching private key, it will decrypt the email before delivering it. If it does not, it forwards the still-encrypted email to the recipient.
If you have selected an encryption profile with encryption action in the message delivery rule that applies to the session, the FortiMail unit compares the recipient’s identity with the list of certificate bindings to determine if it has a certificate and public key. If it has a matching public key, it will encrypt the email using the algorithm specified in the encryption profile (see “Configuring encryption profiles”). If it does not, it performs the failure action indicated in the encryption profile.
If an incoming email message is digitally signed, FortiMail will not verify the signature. Instead, it will deliver the message unmodified. The email clients usually do the verification.
If you have selected an encryption profile with signing action in the message delivery rule that applies to the session, the FortiMail unit compares the sender’s identity with the list of certificate bindings to determine if it has a certificate and private key. If it has a matching private key, it will add a digital signature using the algorithm specified in the encryption profile (see “Configuring encryption profiles”). If it does not, it performs the failure action indicated in the encryption profile.
The FortiMail unit does not check if an outgoing email is already encrypted. Email clients can apply their own additional layer of S/MIME encryption if they want to (such as if they require non-repudiation) before they submit email for delivery through the FortiMail unit.
The destination of an S/MIME email can be another FortiMail unit, for gateway-to-gateway S/MIME, but it could alternatively be any email gateway or server, as long as one of the following supports S/MIME and possesses the sender’s certificate and public key:
the destination’s MTA or mail server
the recipient’s MUA
This is necessary to decrypt the email; otherwise, the recipient cannot read the email.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains”.
Before any personal certificate that you upload will be valid for use, you must upload the certificate of its signing certificate authority (CA). For details, see “Managing certificate authority certificates”.
To view and configure certificate binding
1. Go to Encryption > S/MIME > Certificate Binding.
GUI item: Description

Profile ID: Displays the name of the profile.
Address Pattern: Displays the email address or domain associated with the identity represented by the personal or server certificate.
Key Usage: Displays if the key is for encryption, signing, or encryption and signing.
Identity: Displays the identity, often a first and last name, included in the common name (CN) field of the Subject line of the personal or server certificate.
Private Key: Displays the private key associated with the identity, used to decrypt and sign email from that identity.
Valid From: Displays the beginning date of the period of time during which the certificate and its keys are valid for use by signing and encryption.
Valid To: Displays the end date of the certificate’s period of validity. After this date and time, the certificate expires, although the keys may be retained for the purpose of decrypting and reading email that was signed and encrypted previously.
Status: Indicates whether the certificate is currently not yet valid, valid, or expired, depending on the current system time and the certificate’s validity period.
(Green dot in column heading): Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.
2. Either click New to add a profile or double-click a profile to modify it.
3. From Type, select whether the keys and certificate will be used for validating the signature of and decrypting incoming email (External), or to sign and encrypt outgoing email (Internal).
Certificate import formats vary by this selection.
4. In Address Pattern, enter the email address or email domain for which you want to use the certificate in this binding.
For example, you might bind a personal certificate for User1 to the email address user1@example.com.
5. From Key type, select what kind of keys you want to upload. If you only have a public key, you can only use it to encrypt email. If you have a public key and private key pair, you can use them to encrypt email (with a public key), decrypt email (with a private key), or digitally sign email (with a private key).
6. Select one of the following ways to either import and bind a personal certificate, or to bind an existing server certificate:
Import PKCS12 file: Upload and bind a personal certificate-and-key file that uses the public key cryptography standard #12 (PKCS #12), stored in a password-protected file format (.p12).
Import PEM files: Upload and bind a pair of personal certificates and public and private keys that use Privacy-Enhanced Mail (PEM), a password-protected file format (.pem).
Choose from local certificate list: Bind a server certificate that you have previously uploaded to the FortiMail unit. For details, see “Managing local certificates”.
Depending on your selection in Import key from, either upload the personal certificate files and enter their password, or select the name of a local certificate from Select local certificate list.
If a certificate import does not succeed and event logging is enabled, to determine the cause of the failure, you can examine the event log messages. Log messages may indicate errors such as an unsupported password-based encryption (PBE) algorithm:
PKCS12 Import: err=0x6074079: digital envelope routines / EVP_PBE_CipherInit / unknown pbe algorithm
For best results, use 3DES with SHA1. RC2 is not supported.
7. Click Create.
Certificate bindings will be used automatically as needed for matching message delivery rules in which you have selected an encryption profile. For details, see “Using S/MIME encryption”, “Configuring encryption profiles” and “Configuring delivery rules”. Certificate bindings are also used by content profiles, and therefore by the policies that use those content profiles.
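The PKCS #12 import failure described in step 6 (unknown PBE algorithm) can be triaged before upload by listing which password-based-encryption OIDs the .p12 file carries; these sit in the file's unencrypted AlgorithmIdentifier fields, so a DER scan finds them without the password. The following is an added example, not FortiMail's own code: the OID table, the "ok/unsupported/unknown" statuses (SHA1/3DES is what this page recommends, RC2 is what it says is unsupported, PBES2/AES is not covered by the page) and the sample bytes are all constructed here.

```python
"""Triage the password-based-encryption (PBE) algorithms in a PKCS #12 file
before uploading it as a certificate binding. PBE OIDs live in the file's
unencrypted AlgorithmIdentifier fields (shrouded key bag, EncryptedContentInfo)."""

# Status per this page: SHA1/3DES works, RC2 is unsupported; PBES2 (PBKDF2 +
# AES, the OpenSSL 3 export default) is not covered by the page, so "unknown".
PBE_OIDS = {
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", "ok"),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", "unsupported"),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", "unsupported"),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + AES or other cipher)", "unknown"),
}

def encode_oid(dotted):
    """DER-encode a dotted OID: tag 0x06, length, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def scan_pbe_algorithms(der):
    """Return (oid, name, status, count) for each known PBE OID present in the blob."""
    hits = []
    for oid, (name, status) in PBE_OIDS.items():
        count = der.count(encode_oid(oid))
        if count:
            hits.append((oid, name, status, count))
    return hits

def verdict(hits):
    """Worst status wins; 'none' means no PBE OID was found at all."""
    found = {status for _, _, status, _ in hits}
    return next((s for s in ("unsupported", "unknown", "ok") if s in found), "none")

def pbe_algorithm_identifier(oid):
    """Constructed AlgorithmIdentifier { oid, PBEParameter { salt, iterations } }."""
    params = b"\x04\x08" + bytes(8) + b"\x02\x02\x08\x00"  # 8-byte salt, 2048 iterations
    body = encode_oid(oid) + bytes([0x30, len(params)]) + params
    return bytes([0x30, len(body)]) + body

# Constructed sample shaped like an OpenSSL 1.x default export: key shrouded with
# SHA1/3DES, certificate bag encrypted with SHA1/RC2-40, filler bytes in place of
# ciphertext. It is not a real PKCS #12 file.
SAMPLE_OPENSSL1_STYLE = (pbe_algorithm_identifier("1.2.840.113549.1.12.1.3") + bytes(range(64))
                         + pbe_algorithm_identifier("1.2.840.113549.1.12.1.6") + bytes(range(64)))
```

For a real file, read the .p12 as bytes and pass it to scan_pbe_algorithms; a file that scans as "unsupported" or "unknown" can be re-exported with OpenSSL using -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 so that both the key and certificate bags use the SHA1/3DES scheme this page recommends.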