
Managing Certificates


This section explains how to manage X.509 security certificates using the FortiMail web UI. Using the Certificate submenu, you can generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys.

FortiMail uses certificates for PKI authentication in secure connections. PKI authentication is the process of determining whether a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host must present a certificate issued by a certification authority (CA) that the FortiMail unit trusts.

You can manage the following types of certificates on FortiMail:

Table 44:Certificate types

Certificate type Usage

CA certificates: FortiMail uses CA certificates to authenticate PKI users, including administrators and webmail users. For details, see “Configuring PKI authentication” on page 435 and “Managing certificate authority certificates” on page 354.

Server certificates: FortiMail must present its local server certificate for the following secure connections:

  • the web UI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

For details, see “Managing local certificates” on page 347.

Personal certificates: Mail users’ personal certificates are used for S/MIME encryption. For details, see “Configuring certificate bindings” on page 362.

This section contains the following topics:

  • Managing local certificates
  • Managing certificate authority certificates
  • Managing the certificate revocation list
  • Managing OCSP server certificates

Managing local certificates

System > Certificate > Local Certificate displays both the signed server certificates and unsigned certificate requests.

On this tab, you can also generate certificate signing requests and import signed certificates in order to install them for local use by the FortiMail unit.

FortiMail units require a local server certificate that they can present when clients request secure connections, including:

  • the web UI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view local certificates

  1. Go to System > Certificate > Local Certificate.

Figure 139:Local Certificate tab

GUI item Description

Delete (button): Removes the selected certificate.

View (button): Select a certificate and click View to display its issuer, subject, and the range of dates within which the certificate is valid.

Generate (button): Click to generate a local certificate request. For more information, see “Generating a certificate signing request” on page 348.

Download (button): Click the row of a certificate file or certificate request file in order to select it, then click this button and select either:

•      Download: Download a certificate (.cer) or certificate request (.csr) file. You can send the request to your certificate authority (CA) to obtain a signed certificate for the FortiMail unit. For more information, see “Downloading a certificate signing request” on page 351.

•      Download PKCS12 File: Download a PKCS #12 (.p12) file. For details, see “Downloading a PKCS #12 certificate” on page 354.

Set status (button): Click the row of a certificate in order to select it, then click this button to use it as the “default” (that is, currently chosen for use) certificate. The Status column changes to indicate that the certificate is the current (Default) certificate. This button is not available if the selected certificate is already the “default.”

Import (button): Click to import a signed certificate for local use. For more information, see “Importing a certificate” on page 352.

Name: Displays the name of the certificate file or certificate request file.

Subject: Displays the Distinguished Name (DN) located in the Subject field of the certificate. If the certificate has not yet been signed, this field is empty.

Status: Displays the status of the local certificate or certificate signing request.

•      Default: Indicates that the certificate was successfully imported, and is currently selected for use by the FortiMail unit.

•      OK: Indicates that the certificate was successfully imported, but is not selected as the certificate currently in use. To use the certificate, click the row of the certificate in order to select it, then click Set status.

•      Pending: Indicates that the certificate request has been generated, but must be downloaded, signed, and imported before it can be used as a local certificate. For details, see “Obtaining and installing a local certificate” on page 348.

Obtaining and installing a local certificate

There are two methods to obtain and install a local certificate:

  • If you already have a signed server certificate (a backup certificate, a certificate exported from other devices, and so on), you can import the certificate into FortiMail. For details, see “Importing a certificate” on page 352.
  • Generate a certificate signing request on the FortiMail unit, get the request signed by a CA, and import the signed certificate into FortiMail.

For the second method, follow these steps:

  • Generating a certificate signing request
  • Downloading a certificate signing request
  • Submitting a certificate request to your CA for signing
  • Importing a certificate

Generating a certificate signing request

You can generate a certificate request file, based on the information you enter to identify the FortiMail unit. Certificate request files can then be submitted for verification and signing by a certificate authority (CA).

For other related steps, see “Obtaining and installing a local certificate” on page 348.

To generate a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Click Generate.

A dialog appears.

  3. Configure the following:

Figure 140:Generate Certificate Signing Request dialog

GUI item Description

Certification name: Enter a unique name for the certificate request, such as fmlocal.

Subject Information: Information that the certificate is required to contain in order to uniquely identify the FortiMail unit.

ID type: Select which type of identifier will be used in the certificate to identify the FortiMail unit:

•      Host IP

•      Domain name

•      E-mail

Which type you should select depends on whether your FortiMail unit has a static IP address, a fully-qualified domain name (FQDN), or both, and on the primary intended use of the certificate.

For example, if your FortiMail unit has both a static IP address and a domain name, but you will primarily use the local certificate for HTTPS connections to the web UI by the domain name of the FortiMail unit, generate the certificate based on the domain name rather than the IP address.

•      Host IP requires that the FortiMail unit have a static, public IP address. It may be preferable if clients will be accessing the FortiMail unit primarily by its IP address.

•      Domain name requires that the FortiMail unit have a fully-qualified domain name (FQDN). It may be preferable if clients will be accessing the FortiMail unit primarily by its domain name.

•      E-mail does not require either a static IP address or a domain name. It may be preferable if the FortiMail unit does not have a domain name or public IP address. Because an email address does not name a host, clients that connect by host name or IP address will report a name mismatch for such a certificate.

Modern browsers and mail clients match the host name or IP address against the certificate’s subjectAltName extension rather than its CN. Confirm with your CA that the identifier you select is carried in the subjectAltName of the issued certificate.

IP: Enter the static IP address of the FortiMail unit. This option appears only if ID type is Host IP.

Domain name: Type the fully-qualified domain name (FQDN) of the FortiMail unit.

The domain name may resolve to either a static or, if the FortiMail unit is configured to use a dynamic DNS service, a dynamic IP address. For more information, see “Configuring the network interfaces” on page 247 and “Configuring dynamic DNS” on page 259.

If a domain name is not available and the FortiMail unit subscribes to a dynamic DNS service, an “unable to verify certificate” message may appear in the user’s browser whenever the public IP address of the FortiMail unit changes.

This option appears only if ID type is Domain name.

E-mail: Type the email address of the owner of the FortiMail unit. This option appears only if ID type is E-mail.

Optional Information: Information that you may include in the certificate, but which is not required.

Organization unit: Type the name of your organizational unit, such as the name of your department. (Optional.) To enter more than one organizational unit name, click the + icon, and enter each organizational unit separately in each field.

Organization: Type the legal name of your organization. (Optional.)

Locality (City): Type the name of the city or town where the FortiMail unit is located. (Optional.)

State/Province: Type the name of the state or province where the FortiMail unit is located. (Optional.)

Country: Select the name of the country where the FortiMail unit is located. (Optional.)

E-mail: Type an email address that may be used for contact purposes. (Optional.)

Key type: Displays the type of algorithm used to generate the key. This option cannot be changed, but appears in order to indicate that only RSA is currently supported.

Key size: Select a key size of 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate, but provide better security. Select 2048 Bit: 1024-bit RSA keys are deprecated, and public CAs have refused to sign requests for RSA keys shorter than 2048 bits since 2014.

  4. Click OK.

The certificate is generated, and can be downloaded to your management computer for submission to a certificate authority (CA) for signing. For more information, see “Downloading a certificate signing request” on page 351.

Downloading a certificate signing request

After you have generated a certificate request, you can download the request file to your management computer in order to submit the request file to a certificate authority (CA) for signing.

For other related steps, see “Obtaining and installing a local certificate” on page 348.

To download a certificate request

  1. Go to System > Certificate > Local Certificate.
  2. Click the row that corresponds to the certificate request in order to select it.
  3. Click Download, then select Download from the pop-up menu.

Your web browser downloads the certificate request (.csr) file.

Submitting a certificate request to your CA for signing

After you have downloaded the certificate request file, you can submit the request to your CA for signing.

For other related steps, see “Obtaining and installing a local certificate” on page 348.

To submit a certificate request

  1. Using the web browser on the management computer, browse to the web site for your CA.
  2. Follow your CA’s instructions to upload your Base64-encoded PKCS #10 certificate request (the .csr file). A certificate request is never a PKCS #12 file: PKCS #12 bundles a private key, and the FortiMail unit’s private key must stay on the unit.
  3. If your CA is a private CA that your clients do not already trust, follow the CA’s instructions to download its root certificate and Certificate Revocation List (CRL), and install them on each client.
  4. When you receive the signed certificate from the CA, install the certificate on the FortiMail unit. For more information, see “Importing a certificate” on page 352.

Importing a certificate

You can upload certificates in PEM format (Base64-encoded) or in public key cryptography standard #12 (PKCS #12) format from your management computer to the FortiMail unit. You might import a certificate when:

  • restoring a certificate backup
  • installing a certificate that has been generated on another system
  • installing a certificate, after the certificate request has been generated on the FortiMail unit and signed by a certificate authority (CA)

If you generated the certificate request using the FortiMail unit, after you submit the certificate request to the CA, the CA verifies the information and issues a digital certificate that contains a serial number, an expiration date, and the FortiMail unit’s public key from the request, signed with the CA’s private key. The CA then returns the certificate to you for installation on the FortiMail unit. To install the certificate, you must import it. For other related steps, see “Obtaining and installing a local certificate” on page 348.

If the FortiMail unit’s local certificate is signed by an intermediate CA rather than a root CA, before clients will trust the FortiMail unit’s local certificate, you must demonstrate a link with trusted root CAs, thereby proving that the FortiMail unit’s certificate is genuine. You can demonstrate this chain of trust either by:

  • installing each intermediate CA’s certificate in the client’s list of trusted CAs
  • including a signing chain in the FortiMail unit’s local certificate

To include a signing chain, before importing the local certificate to the FortiMail unit, first open the FortiMail unit’s local certificate file in a plain text editor, append the certificate of each intermediate CA in order from the intermediate CA that signed the FortiMail unit’s certificate up to the intermediate CA whose certificate was signed directly by a trusted root CA, then save the file. Do not append the root CA’s own certificate; clients must already have it in their trust store for the chain to be trusted. For example, a local certificate which includes a signing chain has the following structure:

-----BEGIN CERTIFICATE-----
<FortiMail unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, which signed the FortiMail certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, which signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----

To import a local certificate

  1. Go to System > Certificate > Local Certificate.
  2. Click Import.
  3. From Type, select the type of the import file or files:
    • Local Certificate: Select this option if you are importing a signed certificate issued by your CA. For other related steps, see “Obtaining and installing a local certificate” on page 348.
    • PKCS12 Certificate: Select this option if you are importing an existing certificate whose certificate file and private key are stored in a PKCS #12 (.p12) password-encrypted file.
    • Certificate: Select this option if you are importing an existing certificate whose certificate file (.cert) and key file (.key) are stored separately. The private key is password-encrypted.

The remaining fields vary by your selection in Type.

Figure 141:Uploading a local certificate

Figure 142:Uploading a PKCS12 certificate)

Figure 143:Uploading a certificate

  4. Configure the following:

GUI item Description

Certificate file: Enter the location of the previously exported .cert or .pem certificate (or, for PKCS #12 certificates, the .p12 certificate-and-key file), or click Browse to locate the file.

Key file: Enter the location of the previously exported key file, or click Browse to locate the file. This option appears only when Type is Certificate.

Password: Enter the password that was used to encrypt the file, enabling the FortiMail unit to decrypt and install the certificate. This option appears only when Type is PKCS12 Certificate or Certificate.
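The request, signing-chain and PKCS #12 import steps above, worked through with the openssl command-line tool on the management computer. This is an added example, not FortiMail tooling or Fortinet documentation: it builds a throwaway root and intermediate CA in place of your real CA so that it runs offline, generates the unit’s key and PKCS #10 request, assembles the chained PEM in the order described above, checks that order and verifies it the way a client would, and finally packages key, certificate and chain into a password-protected .p12 of the kind accepted by the PKCS12 Certificate import type. The host name mail.example.com, the demo-* CA names, the file names and the password are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not FortiMail tooling. Requires the openssl command-line tool.
# Builds a throwaway root -> intermediate -> leaf PKI (assumption: it stands in for
# your real CA), assembles the chained PEM in the order the text prescribes, checks
# that order, verifies it as a client would, and packages key + chain as PKCS #12.
# mail.example.com, the demo-* CA names and the password are made-up values.
set -u

# Key and PKCS #10 request for the unit. The identifier goes into the CSR subject;
# the CA normally copies it into subjectAltName, which is what clients check.
make_csr() {                     # make_csr <dir> <fqdn>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
}

# Throwaway CA hierarchy standing in for the commercial CA. Demo only.
make_demo_pki() {                # make_demo_pki <dir>
  pki=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$pki/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.com\n' > "$pki/leaf.ext"
  # Root: self-signed CA certificate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-root-ca" \
    -keyout "$pki/root.key" -out "$pki/root.csr" 2>/dev/null
  openssl x509 -req -in "$pki/root.csr" -signkey "$pki/root.key" -days 30 \
    -extfile "$pki/ca.ext" -out "$pki/root.pem" 2>/dev/null
  # Intermediate: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-intermediate-ca" \
    -keyout "$pki/int.key" -out "$pki/int.csr" 2>/dev/null
  openssl x509 -req -in "$pki/int.csr" -CA "$pki/root.pem" -CAkey "$pki/root.key" -CAcreateserial \
    -days 30 -extfile "$pki/ca.ext" -out "$pki/int.pem" 2>/dev/null
  # Leaf: the unit's request, signed by the intermediate, with a DNS SAN.
  make_csr "$pki" mail.example.com
  openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/int.pem" -CAkey "$pki/int.key" -CAcreateserial \
    -days 30 -extfile "$pki/leaf.ext" -out "$pki/leaf.pem" 2>/dev/null
}

# Chain file: the unit's certificate first, then each intermediate upward.
# The root is deliberately left out; clients must already trust it.
build_chain() {                  # build_chain <leaf.pem> <intermediate.pem>... > chain.pem
  cat "$@"
}

# Returns 0 when every certificate in the bundle was issued by the one that follows it,
# i.e. the order FortiMail expects; 1 when entries are swapped or a link is missing.
check_chain_order() {            # check_chain_order <chain.pem>
  split_dir=$(mktemp -d)
  awk -v dir="$split_dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/c" n ".pem")}' "$1"
  i=1; bad=0
  while [ -f "$split_dir/c$((i+1)).pem" ]; do
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$split_dir/c$i.pem" | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$split_dir/c$((i+1)).pem" | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || bad=1
    i=$((i+1))
  done
  rm -rf "$split_dir"
  return $bad
}

# What a client does: from the leaf, through the untrusted intermediate, to a trusted root.
verify_chain() {                 # verify_chain <root.pem> <intermediate.pem> <leaf.pem>
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Bundle for the "PKCS12 Certificate" import type. The .p12 contains the private key:
# treat the file and its password as secrets.
make_p12() {                     # make_p12 <leaf.pem> <leaf.key> <intermediate.pem> <out.p12> <password>
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5" 2>/dev/null
}

# Certificates stored in a .p12 (leaf plus chain): 2 for the demo, 0 on a wrong password.
count_p12_certs() {              # count_p12_certs <file.p12> <password>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone run.
demo=$(mktemp -d)
make_demo_pki "$demo"
build_chain "$demo/leaf.pem" "$demo/int.pem" > "$demo/chain.pem"
check_chain_order "$demo/chain.pem" && echo "chain order leaf -> intermediate: OK"
verify_chain "$demo/root.pem" "$demo/int.pem" "$demo/leaf.pem" && echo "chain verifies against the demo root"
make_p12 "$demo/leaf.pem" "$demo/leaf.key" "$demo/int.pem" "$demo/fortimail.p12" demo-only-password
echo "certificates in fortimail.p12: $(count_p12_certs "$demo/fortimail.p12" demo-only-password)"
rm -rf "$demo"
```

When the request is generated with the FortiMail unit’s own Generate button, the private key never leaves the unit and only build_chain, check_chain_order and verify_chain apply, run against the certificate the CA returns and the intermediate certificates the CA publishes. The make_csr and make_p12 path is the second import route, for a key generated elsewhere that is delivered to the unit inside the .p12.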

Downloading a PKCS #12 certificate

You can export certificates from the FortiMail unit to a PKCS #12 file for secure download and import to another platform, or for backup purposes.

To download a PKCS #12 file

  1. Go to System > Certificate > Local Certificate.
  2. Click the row that corresponds to the certificate in order to select it.
  3. Click Download, then select Download PKCS12 File on the pop-up menu.

A dialog appears.

  4. In Password and Confirm password, enter the password that will be used to encrypt the exported certificate file. The password must be at least four characters long. Because the file contains the FortiMail unit’s private key, use a long password and treat the downloaded file as a secret: anyone who obtains the file and its password can impersonate the FortiMail unit.
  5. Click Download.
  6. If your browser prompts you for a location to save the file, select a location.

Your web browser downloads the PKCS #12 (.p12) file. For information on importing a PKCS #12 file, see “Importing a certificate” on page 352.

Managing certificate authority certificates

Go to System > Certificate > CA Certificate to view and import certificates for certificate authorities (CA).

Certificate authorities validate and sign other certificates in order to indicate to third parties that those other certificates may be trusted to be authentic.

CA certificates are required by connections that use transport layer security (TLS), and by S/MIME encryption. For more information, see “Configuring TLS security profiles” on page 591 and “Configuring certificate bindings” on page 362. Depending on the configuration of each PKI user, CA certificates may also be required to authenticate PKI users. For more information, see “Configuring PKI authentication” on page 435.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the list of CA certificates, go to System > Certificate > CA Certificate.

Figure 144:CA Certificate tab

Table 45:Managing CA certificates

GUI item Description

Delete (button): Removes the selected certificate.

View (button): Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Download (button): Click the row of a certificate in order to select it, then click Download to download a copy of the CA certificate (.cer).

Import (button): Click to import a CA certificate.

Name: Displays the name of the CA certificate.

Subject: Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Managing the certificate revocation list

The Certificate Revocation List tab lets you view and import certificate revocation lists.

To ensure that the FortiMail unit rejects certificates that have been revoked, you should periodically upload a current certificate revocation list (CRL) from each certificate authority (CA) whose certificates it accepts. A CRL is only as current as its last upload: a certificate revoked after that upload is still accepted until the next one, so upload a fresh list before the current list’s Next Update time passes. Alternatively, you can use online certificate status protocol (OCSP) to query certificate status. For more information, see “Managing OCSP server certificates” on page 356.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view certificate revocation lists, go to System > Certificate > Certificate Revocation List.

Figure 145:Certificate Revocation List tab

Table 46:Managing certificate revocation lists

GUI item Description

Delete (button): Removes the selected list.

View (button): Select a certificate revocation list and click View to display details.

Download (button): Select a certificate revocation list and click Download to download a copy of the CRL file (.cer).

Import (button): Click to import a certificate revocation list.

Name: Displays the name of the certificate revocation list.

Subject: Displays the Distinguished Name (DN) located in the Subject field of the certificate revocation list.

Managing OCSP server certificates

Go to System > Certificate > Remote to view and import the certificates of the online certificate status protocol (OCSP) servers of your certificate authority (CA).

OCSP lets the FortiMail unit check whether a certificate has been revoked by sending a status query to the CA’s OCSP responder, rather than by importing certificate revocation lists (CRL). OCSP responses are signed by the responder, so the responder’s certificate must be trusted by the FortiMail unit. For information about importing CRLs, see “Managing the certificate revocation list” on page 355.

Remote certificates are required if you enable OCSP for PKI users. For more information, see “Configuring PKI authentication” on page 435.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the list of remote certificates, go to System > Certificate > Remote.

Figure 146:Remote tab

Table 47:Managing OCSP server certificates

GUI item Description

Delete (button): Removes the selected certificate.

View (button): Select a certificate and click View to display certificate details including the certificate name, issuer, subject, and the range of dates within which the certificate is valid.

Download (button): Click the row of a certificate in order to select it, then click Download to download a copy of the OCSP server certificate (.cer).

Import (button): Click to import an OCSP server certificate.

Name: Displays the name of the OCSP server certificate.

Subject: Displays the Distinguished Name (DN) located in the Subject field of the certificate.

Configuring FortiGuard Updates and AntiSPAM Queries


The Maintenance > FortiGuard > Update tab displays the most recent updates to FortiGuard Antivirus engines, antivirus definitions, and FortiGuard antispam definitions (antispam heuristic rules). You can also configure how the FortiMail unit will retrieve updates.

FortiGuard AntiSpam packages for FortiMail units are not the same as those provided to FortiGate units. To support FortiMail’s more full-featured antispam scans, FortiGuard AntiSpam packages for FortiMail contain platform-specific additional updates.

For example, FortiGuard AntiSpam packages for FortiMail contain heuristic antispam rules used by the heuristic scan. Updates add to, remove from, and re-order the list of heuristic rules so that the methods spammers currently use most are ranked highest in the list. As a result, even if you configure a lower percentage of heuristic rules to be used by that scan, with regular updates the heuristic scan automatically adjusts to use whichever heuristic rules are currently most effective. This helps to achieve an effective spam catch rate, while both reducing administrative overhead and improving performance by using the least necessary amount of FortiMail system resources.

FortiMail units receive updates from the FortiGuard Distribution Network (FDN), a world-wide network of FortiGuard Distribution Servers (FDS). FortiMail units connect to the FDN by connecting to the FDS nearest to the FortiMail unit by its configured time zone.

In addition to manual update requests, FortiMail units support two kinds of automatic update mechanisms:

  • scheduled updates, by which the FortiMail unit periodically polls the FDN to determine if there are any available updates
  • push updates, by which the FDN notifies FortiMail units when updates become available

For information on configuring scheduled updates, see “Configuring scheduled updates” on page 240. For information on configuring push updates, see “Configuring push updates” on page 241.

You may want to configure both scheduled and push updates. In this way, if the network experiences temporary problems such as connectivity issues that interfere with either method, the other method may still provide your FortiMail unit with updated protection. You can alternatively manually update the FortiMail unit by uploading an update file. For more information on uploading updates, see “License Information widget” on page 176.

For FortiGuard Antispam and FortiGuard Antivirus update connectivity requirements and troubleshooting information, see “Troubleshoot FortiGuard connection issues” on page 707.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view or change the currently installed FortiGuard status

  1. Go to Maintenance > FortiGuard > Update.

Figure 95:Update tab

  2. Configure the following:

 

GUI item Description
FortiGuard Service Status  
Name The name of the updatable item, such as Anti Virus Definition.
Version The version number of the item currently installed on the FortiMail unit.
Expiry Date The expiry date of the license for the item.
Last Update Attempt The date and time when the FortiMail unit last attempted to download an update.
Last Update Status The result of the last update attempt.

•      No updates: Indicates the last update attempt was successful but no new updates are available.

•      Installed updates: Indicates the last update attempt was successful and new updates were installed.

•      Other messages, such as Network Error, indicate that the FortiMail unit could not connect to the FDN, or other error conditions. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

Included signatures Displays the total number of the virus and spam signatures.
FortiGuard distribution network The result of the previous scheduled update (TCP 443) connection attempt to the FortiGuard Distribution Network (FDN) or, if enabled and configured, the override server.

•      Available: Indicates that the FortiMail unit successfully connected to the FDN.

•      Unavailable: Indicates that the FortiMail unit could not connect to the FDN. For more information, see “Verifying connectivity with FortiGuard services” on page 237.

•      Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.

To test the connection, click Refresh.

Push update The result of the previous push update (UDP 9443) connection attempt from the FDN.

•      Available: Indicates that the FDN successfully connected to the FortiMail unit to send push updates. For more information, see “Configuring push updates” on page 241.

•      Unavailable: Indicates that the FDN could not connect to the FortiMail unit. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

•      Unknown: Indicates that the FortiMail unit has not yet tested the push connection.

To test the connection, click Refresh.

Refresh (button): Click to test the scheduled (TCP 443) and push (UDP 9443) update connection of the FortiMail unit to the FDN or, if enabled, the IP address configured in Use override server address.

When the test completes, the tab refreshes and the results appear beside FortiGuard distribution network and Push update. The time required varies by the speed of the FortiMail unit’s network connection, and by the number of timeouts that occur before the connection attempt succeeds or the FortiMail unit determines that it cannot connect.

Note: This does not test the connection for FortiGuard Antispam rating queries, which occurs over a different connection and must be tested separately. For details, see “Configuring FortiGuard updates and antispam queries” on page 233.

Use override server address Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiMail unit connects for updates, then enter the IP address of the override public or private FDS.

For more information, see “Verifying connectivity with FortiGuard services” on page 237.

Allow push update Enable to allow the FortiMail unit to accept push notifications (UDP 9443). If the FortiMail unit is behind a NAT device, you may also need to enable and configure Use override push IP. For details, see “Configuring push updates” on page 241.

Push notifications only notify the FortiMail unit that an update is available. They do not transmit the update itself. After receiving a push notification, the FortiMail unit initiates a separate TCP 443 connection to the FDN, similar to scheduled updates, in order to download the update. A forged push notification can therefore do no more than trigger an update poll; the update content is fetched over the FortiMail unit’s own connection to the FDN, not accepted from the sender of the notification.

Use override push IP: Enable to override the IP address and default port number to which the FDN sends push notifications.

  • When enabled, the FortiMail unit notifies the FDN to send push updates to the IP address and port number that you enter (for example, a virtual IP/port forward on a NAT device that will forward push notifications to the FortiMail unit).
  • When disabled, the FortiMail unit notifies the FDN to send push updates to the FortiMail unit’s IP address, using the default port number (UDP 9443). This is useful only if the FortiMail unit has a public network IP address.

For more information, see “Configuring push updates” on page 241.

This option is available only if Allow push update is enabled.

Scheduled update Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests. When the FortiMail unit requests an update at the scheduled time, results appear in Last Update Status.

•      Every: Select to request to update once every 1 to 23 hours, then select the number of hours between each update request.

•      Daily: Select to request to update once a day, then select the hour of the day to check for updates.

•      Weekly: Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.

If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.

Apply (button): Click to save configuration changes on this tab and, if you have enabled Allow push update, notify the FDN of the destination IP address and port number for push notifications to this FortiMail unit.

Update Now (button): Click to manually initiate a FortiGuard Antivirus and FortiGuard Antispam engine and definition update request. Results will appear in Last Update Status. The time required varies by the availability of updates, the size of the updates, and the speed of the FortiMail unit’s network connection.