Web browsers may impose their own certificate validation requirements in addition to those of FortiMail. For example, a browser may require that a personal certificate contain the PKI user's email address in the Subject Alternative Name field and that its Key Usage field include Digital Signature, Data Encipherment, and Key Encipherment. For browser requirements, see your web browser's documentation.
| GUI item | Description |
|---|---|
| User name | For a new user, enter the name of the PKI user. The name does not have to match the administrator's or email user's account name, although you may find it helpful to use the same name. For example, if you have an administrator account named admin1, naming the PKI user admin1 as well makes it easy to remember which account these PKI settings are intended for. |
| Domain | Select the protected domain to which the PKI user is assigned, or, if the PKI user is a FortiMail administrator, select System. Only the domains permitted by your administrator profile are listed. |
| CA | Select either None or the name of the CA certificate to use when validating the CA's signature on the client certificate. For more information, see "Managing certificate authority certificates". |
| Subject | Enter the value that must match the Subject field of the client certificate, or leave this field empty. If empty, the Subject field is not considered when validating the client certificate presented by the PKI user's web browser. |
| LDAP query | Enable to query an LDAP directory, such as Microsoft Active Directory, to determine whether the PKI user attempting to authenticate exists, then also configure "LDAP profile" and "Query field". Note: If this option is enabled, no local user configuration is necessary. Instead, the FortiMail unit creates the personal quarantine folder and other necessary items when PKI authentication queries the LDAP server. |
| LDAP profile | From the drop-down list, select the LDAP profile to use when querying the LDAP server. If no profile exists, click New to create one. If a profile exists but needs modification, select it and click Edit. In both cases, the Edit LDAP Profile dialog appears. For more information, see "Configuring LDAP profiles". This option is available only if "LDAP query" is enabled. |
| Query field | Select the field of the client certificate (either CN or Subject Alternative Name) that contains the email address of the PKI user. This email address is compared with the value of the email address attribute of each user object returned from the LDAP directory to determine whether the PKI user exists in the directory. This option is available only if "LDAP query" is enabled. |
| OCSP | Enable to use an Online Certificate Status Protocol (OCSP) server to query whether the client certificate has been revoked, then also configure "URL", "Remote certificate", and "Unavailable action". |
| URL | The URL of the OCSP server to query. This option is available only if "OCSP" is enabled. |
| Remote certificate | Select the remote certificate used to verify the identity of the OCSP server. For more information, see "Managing OCSP server certificates". This option is available only if "OCSP" is enabled. |
| Unavailable action | Select the action to take if the OCSP server is unavailable. If set to Ignore, the FortiMail unit allows the user to authenticate even though revocation status could not be checked (fail open). If set to Revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails (fail closed). This option is available only if "OCSP" is enabled. |
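The following is an added example, not part of the FortiMail documentation, showing how an administrator can issue a client certificate that satisfies the Subject Alternative Name and Key Usage requirements described above, check those fields with OpenSSL before importing the certificate into the user's browser, and exercise the "Unavailable action" policy against an OCSP responder. The CA name "Example Root CA", the user "user1@example.com", and the OCSP URL are constructed placeholders; the script generates a throwaway CA in a temporary directory rather than using your real one, and `ocsp_decide` mirrors the Ignore/Revoke semantics from the table rather than calling any FortiMail API.

```shell
#!/bin/sh
# Constructed example: issue a PKI client certificate with the SAN e-mail
# and Key Usage values browsers typically require, verify the fields, and
# apply the OCSP "Unavailable action" policy. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a client certificate for $1 (e-mail) with CN $2, signed by a
# throwaway CA created in $WORK. Prints the path of the client certificate.
make_client_cert() {
  user_email="$1"
  cn="$2"
  cat > "$WORK/ext.cnf" <<EOF
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectAltName = email:${user_email}
EOF
  # Throwaway issuing CA (placeholder for the CA you import under
  # "Managing certificate authority certificates").
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Client key and CSR; the e-mail also goes into the Subject so a
  # "Subject" match on the PKI user can use it.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=${cn}/emailAddress=${user_email}" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/ext.cnf" -extensions v3_client \
    -out "$WORK/client.crt" 2>/dev/null
  echo "$WORK/client.crt"
}

# Return 0 if certificate $1 carries e-mail $2 in its SAN, has all three
# required Key Usage bits, and chains to the throwaway CA; 1 otherwise.
check_client_cert() {
  cert="$1"
  email="$2"
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -q "email:${email}"   || return 1
  echo "$text" | grep -q "Digital Signature" || return 1
  echo "$text" | grep -q "Key Encipherment"  || return 1
  echo "$text" | grep -q "Data Encipherment" || return 1
  openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
  return 0
}

# Query OCSP responder $2 for certificate $1 and apply the "Unavailable
# action" $3 (Ignore or Revoke). Prints good, revoked or unavailable and
# returns 0 when authentication should be allowed, 1 when it should fail.
ocsp_decide() {
  cert="$1"
  url="$2"
  unavailable_action="$3"
  out=$(openssl ocsp -issuer "$WORK/ca.crt" -cert "$cert" -url "$url" \
        -CAfile "$WORK/ca.crt" -timeout 3 2>&1 || true)
  case "$out" in
    *": good"*)    echo good;    return 0 ;;
    *": revoked"*) echo revoked; return 1 ;;
    *)
      echo unavailable
      # Ignore = fail open (allow), Revoke = fail closed (deny).
      [ "$unavailable_action" = "Ignore" ] && return 0
      return 1 ;;
  esac
}
```

Run `make_client_cert user1@example.com user1` and then `check_client_cert` on the result before handing the certificate to the user; a responder that cannot be reached (for example `http://127.0.0.1:9/`) makes `ocsp_decide` return "unavailable", and only the Revoke setting denies the login in that case.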
Control access to each PKI user's computer. Certificate-based PKI authentication grants access to the FortiMail unit based on the PKI certificate and private key installed on each email user's or administrator's computer. Anyone who can use a computer where such a certificate is installed can authenticate to the FortiMail unit as that user, which can compromise the security of your FortiMail unit.