Configuring PKI authentication
Go to User > PKI User to configure public key infrastructure (PKI) user authentication.
PKI users can authenticate by presenting a valid client certificate, rather than by entering a user name and password.
A PKI user can be either an email user or a FortiMail administrator.
When a PKI user connects to the FortiMail unit with a web browser, the browser presents the PKI user’s certificate to the FortiMail unit. If the certificate is valid, the FortiMail unit then authenticates the PKI user. To be valid, a client certificate must:
not be expired
not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
be signed by a certificate authority (CA), whose certificate you have imported into the FortiMail unit
contain a CA field whose value matches the CA certificate
contain an Issuer field whose value matches the Subject field in the CA certificate
contain a Subject field whose value contains the subject, or is empty
if LDAP Query is enabled, contain a Common Name (CN) or Subject Alternative field whose value matches the email address of a user object retrieved using the User Query Options of the LDAP profile.
 
Web browsers may have their own certificate validation requirements in addition to FortiMail requirements. For example, personal certificates may be required to contain the PKI user’s email address in the Subject Alternative Name field, and the Key Usage field may be required to contain Digital Signature, Data Encipherment, and Key Encipherment. For browser requirements, see your web browser’s documentation.
If the client certificate is not valid, depending on whether you have configured the FortiMail unit to require valid certificates, authentication will either fail absolutely, or fail over to user name and password authentication.
If the certificate is valid and authentication succeeds, the PKI user’s web browser is redirected to either the web UI (for PKI users that are FortiMail administrators), or FortiMail webmail or the personal quarantine (for PKI users that are email users).
For details and examples about how to use PKI authentication for FortiMail email users and administrators, see Appendix D in the FortiMail Administration Guide.
To access this part of the web UI, your administrator account’s:
Domain must be System
access profile must have Read or Read-Write permission to the Policy category
For details, see “About administrator account permissions and domains”.
To view and configure PKI users
1. Go to User > User > PKI User.
2. Click New to add PKI authentication for an email user or administrator account or double-click an account to modify it.
A dialog appears.
3. Configure the following:
 
GUI item
Description
User name
For a new user, enter the name of the PKI user.
There is no requirement to use the same name as the administrator or email user’s account name, although you may find it helpful to do so.
For example, you might have an administrator account named admin1. You might therefore find it most straightforward to also name the PKI user admin1, making it easy to remember for which account you intended these PKI settings.
Domain
Select either the protected domain to which the PKI user is assigned, or, if the PKI user is a FortiMail administrator, select System.
You can see only the domains that are permitted by your administrator profile.
CA
Select either None or the name of the CA certificate to use when validating the CA’s signature of the client certificate. For more information, see “Managing certificate authority certificates”.
If you select None, you must configure “Subject”.
Subject
Enter the value which must match the Subject field of the client certificate, or leave this field empty. If empty, matching values are not considered when validating the client certificate presented by the PKI user’s web browser.
If you do not configure “Subject”, you must configure “CA”.
LDAP query
Enable to query an LDAP directory, such as Microsoft Active Directory, to determine the existence of the PKI user who is attempting to authenticate, then also configure “LDAP profile” and “Query field”.
Note: If this option is enabled, no local user configuration is necessary. Instead, the FortiMail unit creates the personal quarantine folder and other necessary items when PKI authentication queries the LDAP server.
 
LDAP profile
From the drop-down list, select the LDAP profile to use when querying the LDAP server.
If no profile exists, click New to create one.
If a profile exists but needs modification, select it and click Edit.
In both cases, the Edit LDAP Profile dialog appears. For more information, see “Configuring LDAP profiles”.
This option is available only if “LDAP query” is enabled.
 
Query field
Select the name of the field in the client certificate (either CN or Subject Alternative) which contains the email address of the PKI user.
This email address will be compared with the value of the email address attribute for each user object queried from the LDAP directory to determine if the PKI user exists in the LDAP directory.
This option is available only if “LDAP query” is enabled.
OCSP
Enable to use an Online Certificate Status Protocol (OCSP) server to query whether the client certificate has been revoked, then also configure “URL”, “Remote certificate”, and “Unavailable action”.
 
URL
Displays the URL of the OCSP server.
This option is available only if “OCSP” is enabled.
 
Remote certificate
Select the remote certificate that is used to verify the identity of the OCSP server. For more information, see “Managing OCSP server certificates”.
This option is available only if “OCSP” is enabled.
 
Unavailable action
Select the action to take if the OCSP server is unavailable. If set to Ignore, the FortiMail unit allows the user to authenticate. If set to Revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails.
This option is available only if “OCSP” is enabled.
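As an added illustration, not FortiMail’s own code, the following Go program applies the client-certificate validity rules listed above together with the Subject and Query field items from the table, against a CA and client certificate it constructs itself. The CRL and OCSP revocation checks are omitted, and the result of the LDAP query is assumed to be a set of email addresses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// validateClient applies the validity rules above (CRL/OCSP omitted). subjectFilter and queryField
// ("CN" or "SAN") mirror the Subject and Query field items; ldapEmails is the assumed LDAP result.
func validateClient(cert, ca *x509.Certificate, subjectFilter, queryField string, ldapEmails map[string]bool, now time.Time) (string, error) {
	switch {
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		return "", errors.New("certificate expired or not yet valid")
	case cert.Issuer.String() != ca.Subject.String():
		return "", errors.New("Issuer does not match the CA certificate Subject")
	case cert.CheckSignatureFrom(ca) != nil:
		return "", errors.New("not signed by the configured CA")
	case subjectFilter != "" && !strings.Contains(cert.Subject.String(), subjectFilter):
		return "", errors.New("Subject does not contain the configured value")
	}
	email := cert.Subject.CommonName // Query field = CN
	if queryField == "SAN" && len(cert.EmailAddresses) > 0 {
		email = cert.EmailAddresses[0] // Query field = Subject Alternative (rfc822Name)
	}
	if email != "" && ldapEmails[email] {
		return email, nil // the PKI user exists in the directory
	}
	return "", errors.New("no LDAP user object with a matching email address")
}

// demoCerts builds a self-signed CA and a client certificate it signed (constructed test data).
func demoCerts(now time.Time, cn, email string) (ca, client *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: demo data only
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), EmailAddresses: []string{email}}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, userPub, caKey)
	client, _ = x509.ParseCertificate(userDER)
	return ca, client
}
```

Each failed rule returns a distinct reason, which is the kind of detail worth logging when PKI logins fall over to password authentication.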
You need to take additional steps to activate and complete a PKI user’s configuration.
To complete PKI user configuration
1. To enable PKI authentication on your FortiMail unit for all PKI users, open the CLI and enter the following command:
config system global
set pki-mode enable
end
2. For each PKI user, import the client certificate into the user’s web browser on each computer the PKI user will use to access the FortiMail unit. For details on installing certificates, see the documentation for your web browser. Client certificates must be valid. For information on how FortiMail units validate the client certificates of PKI users, see “Configuring PKI authentication”.
3. In the web UI, import the CA certificate into the FortiMail unit. For more information, see “Managing certificate authority certificates”.
4. For PKI users that are FortiMail administrators, select the PKI authentication type and select a PKI user to which the administrator account corresponds. For more information, see “Configuring administrator accounts and access profiles”.
5. For PKI users that are email users, enable PKI user authentication in the incoming recipient-based policies which match those email users. For more information, see “Controlling email based on recipient addresses”.
 
Control access to each PKI user’s computer. Certificate-based PKI authentication controls access to the FortiMail unit based on PKI certificates, which are installed on each email user or administrator’s computer. If anyone can access the computers where those PKI certificates are installed, they can gain access to the FortiMail unit, which can compromise the security of your FortiMail unit.