Configuring PKI authentication

Go to User > PKI User to configure public key infrastructure (PKI) user authentication.

PKI users can authenticate by presenting a valid client certificate, rather than by entering a user name and password.

A PKI user can be either an email user or a FortiMail administrator.

When a PKI user connects to the FortiMail unit with a web browser, the browser presents the PKI user’s certificate to the FortiMail unit. If the certificate is valid, the FortiMail unit then authenticates the PKI user. To be valid, a client certificate must:

• not be expired
• not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
• be signed by a certificate authority (CA), whose certificate you have imported into the FortiMail unit
• contain a CA field whose value matches the CA certificate
• contain a Issuer field whose value matches the Subject field in the CA certificate
• contain a Subject field whose value contains the subject, or is empty
• contain a Common Name (CN) or Subject Alternative field, if LDAP Query is enabled, whose value matches the email address of a user object retrieved using the User Query Options of the LDAP profile.

Web browsers may have their own certificate validation requirements in addition to FortiMail requirements. For example, personal certificates may be required to contain the PKI user’s email address in the Subject Alternative Name field, and that Key Usage field contain Digital Signature, Data Encipherment, Key Encipherment. For browser requirements, see your web browser’s documentation.

If the client certificate is not valid, depending on whether you have configured the FortiMail unit to require valid certificates, authentication will either fail absolutely, or fail over to user name and password authentication.

If the certificate is valid and authentication succeeds, the PKI user’s web browser is redirected to either the web UI (for PKI users that are FortiMail administrators), or FortiMail webmail or the personal quarantine (for PKI users that are email users).

For details and examples about how to use PKI authentication for FortiMail email users and administrators, see “Appendix D: PKI Authentication” on page 734.

To access this part of the web UI, your administrator account’s:

• Domain must be System
• access profile must have Read or Read-Write permission to the Policy category

For details, see “About administrator account permissions and domains” on page 290.

To view and configure PKI users

1. Go to User > User > PKI User.

Figure 175:PKI User tab

GUI item	Description
Name	Displays the user name of the PKI user.
Domain	Displays the protected domain to which the PKI user is assigned. If Domain is empty, the PKI user is an administrator.
CA	Displays the name of the CA certificate used when validating the CA’s signature of the client certificate. For more information, see “Managing certificate authority certificates” on page 354.
Subject	Displays a string used to match part of the value in the Subject field of the client certificate. It does not have to match the entire subject. If empty, matching values are not considered when validating the client certificate presented by the PKI user’s web browser.
LDAP	If LDAP query is enabled, the LDAP configuration of this PKI user is shown in three parts: •      Whether the LDAP query setting is enabled (indicated by E) or disabled (indicated by “-”). •      Displays the name of the LDAP profile used for the query. For more information, see “Configuring LDAP profiles” on page 548. •      Displays the name of the field in the client certificate (either Subject Alternative or CN) whose value must match the email address of a user object in the LDAP directory. For example, E/ldapprof/Subject Alternative indicates that LDAP query is enabled, and will use the LDAP profile named ldapprof to validate the Subject Alternative field of the client certificate.
OCSP	If OCSP is enabled, the OCSP configuration of this PKI user is shown in three parts: •      Whether OSCP is enabled (indicated by E) or disabled (indicated by “-”). •      Displays the URL of the OCSP server. •      Displays the action to take if the OCSP server is unavailable. If set to ignore, the FortiMail unit allows the user to authenticate. If set to revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails. For example, E/https://www.example.com/Revoke indicates OCSP is enabled, using the OSCP server at https://www.example.com, and if the OSCP server is unavailable, the FortiMail unit prevents the user from authenticating.

2. Click New to add PKI authentication for an email user or administrator account or double-click an account to modify it.

A dialog appears.

Figure 176:New User dialog

3. Configure the following:

GUI item	Description
User name	For a new user, enter the name of the PKI user. There is no requirement to use the same name as the administrator or email user’s account name, although you may find it helpful to be so. For example, you might have an administrator account named admin1.You might therefore find it most straightforward to also name the PKI user admin1, making it easy to remember which account you intended to use these PKI settings.
Domain	Select either the protected domain to which the PKI user is assigned, or, if the PKI user is a FortiMail administrator, select System. You can see only the domains that are permitted by your administrator profile.
CA	Select either None or the name of the CA certificate to use when validating the CA’s signature of the client certificate. For more information, see “Managing certificate authority certificates” on page 354. If you select None, you must configure Subject.
Subject	Enter the value which must match the Subject field of the client certificate, or leave this field empty. If empty, matching values are not considered when validating the client certificate presented by the PKI user’s web browser. If you do not configure Subject, you must configure CA.
LDAP query	Enable to query an LDAP directory, such as Microsoft Active Directory, to determine the existence of the PKI user who is attempting to authenticate, then also configure LDAP profile and Query field. Note: If this option is enabled, no local user configuration is necessary. Instead, the FortiMail unit creates the personal quarantine folder and other necessary items when PKI authentication queries the LDAP server.
GUI item	Description
	LDAP profile	From the drop-down list, select the LDAP profile to use when querying the LDAP server. •      If no profile exists, click New to create one. •      If a profile exists but needs modification, select it and click Edit. In both cases, the Edit LDAP Profile dialog appears. For more information, see “Configuring LDAP profiles” on page 548. This option is available only if LDAP query is enabled.
	Query field	Select the name of the field in the client certificate (either CN or Subject Alternative) which contains the email address of the PKI user. This email address will be compared with the value of the email address attribute for each user object queried from the LDAP directory to determine if the PKI user exists in the LDAP directory. This option is available only if LDAP query is enabled.
OCSP	Enable to use an Online Certificate Status Protocol (OCSP) server to query whether the client certificate has been revoked, then also configure URL, Remote certificate, and Unavailable action.
	URL	Displays the URL of the OCSP server. This option is available only if OCSP is enabled.
	Remote certificate	Select the remote certificate that is used to verify the identity of the OCSP server. For more information, see “Managing OCSP server certificates” on page 356. This option is available only if OCSP is enabled.
	Unavailable action	Select the action to take if the OCSP server is unavailable. If set to Ignore, the FortiMail unit allows the user to authenticate. If set to Revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails. This option is available only if OCSP is enabled.

You need to take additional steps to activate and complete a PKI user’s configuration.

To complete PKI user configuration

1. To enable PKI authentication on your FortiMail unit for all PKI users, open the CLI and enter the following command:

config system global

set pki-mode enable

end

2. For each PKI user, import the client certificate into the user’s web browser on each computer the PKI user will use to access the FortiMail unit. For details on installing certificates, see the documentation for your web browser. Client certificates must be valid. For information on how FortiMail units validate the client certificates of PKI users, see “Configuring PKI authentication” on page 435.
3. In the web UI, import the CA certificate into the FortiMail unit. For more information, see “Managing certificate authority certificates” on page 354.
4. For PKI users that are FortiMail administrators, select the PKI authentication type and select a PKI user to which the administrator account corresponds. For more information, see “Configuring administrator accounts and access profiles” on page 289.
5. For PKI users that are email users, enable PKI user authentication in the incoming recipient-based policies which match those email users. For more information, see “Controlling email based on recipient addresses” on page 468.

Control access to each PKI user’s computer. Certificate-based PKI authentication controls access to the FortiMail unit based on PKI certificates, which are installed on each email user or administrator’s computer. If anyone can access the computers where those PKI certificates are installed, they can gain access to the FortiMail unit, which can compromise the security of your FortiMail unit.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!