Configuring certificate bindings

Go to System > Encryption > Certificate Binding to create certificate binding profiles, which establish the relationship between an email address and the certificate that:

• proves an individual’s identity
• provides their keys for use with encryption profiles

Use this relationship and that information for secure MIME (S/MIME) as per RFC 2634.

How certificate bindings are used varies by whether an email is incoming or outgoing.

• Incoming

The FortiMail unit compares the sender’s identity with the list of certificate bindings to determine if it has a key that can decrypt the email. If it has a matching private key, it will decrypt the email before delivering it. If it does not, it forwards the still-encrypted email to the recipient.

• Outgoing

If you have selected an encryption profile in the message delivery rule that applies to the session, the FortiMail unit compares the sender’s identity with the list of certificate bindings to determine if it has a certificate and public key. If it has a matching public key, it will encrypt the email using the algorithm specified in the encryption profile (see “Configuring encryption profiles” on page 594). If it does not, it performs the failure action indicated in the encryption profile.

The FortiMail unit does not check if an outgoing email is already encrypted. Email clients can apply their own additional layer of S/MIME encryption if they want to (such as if they require non-repudiation) before they submit email for delivery through the FortiMail unit.

The destination of an S/MIME email can be another FortiMail unit, for gateway-to-gateway S/MIME, but it could alternatively be any email gateway or server, as long as one of the following supports S/MIME and possesses the sender’s certificate and public key:

• the destination’s MTA or mail server
• the recipient’s MUA

This is necessary to decrypt the email; otherwise, the recipient cannot read the email.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.

Before any personal certificate that you upload will be valid for use, you must upload the certificate of its signing certificate authority (CA). For details, see “Managing certificate authority certificates” on page 354.

To view and configure certificate binding

1. Go to System > Encryption > Certificate Binding.

Figure 150:Certificate Binding tab

GUI item	Description
Type (drop-down list)	Select whether the keys and certificate are used for validating the signature of and decrypting incoming email (External), or to sign and encrypt outgoing email (Internal).
Profile ID	Displays the name of the profile.
Address Pattern	Displays the email address or domain associated with the identity represented by the personal or server certificate.
Type (column)	Displays how the keys and certificate are applied: to all mail, just incoming (External) mail, or just outgoing (Internal) mail.
Identity	Displays the identity, often a first and last name, included in the common name (CN) field of the Subject line of the personal or server certificate.
Public Key	Displays the public key associated with the identity, used for decrypting and validating the signature of an email from that identity.
Private Key	Displays the private key associated with the identity, used to encrypt and sign email from that identity.
GUI item	Description
Valid From	Displays the beginning date of the period of time during which the certificate and its keys are valid for use by signing and encryption.
Valid To	Displays the end date of the certificate’s period of validity. After this date and time, the certificate expires, although the keys may be retained for the purpose of decrypting and reading email that was signed and encrypted previously.
Status	Indicates whether the certificate is currently not yet valid, valid, or expired, depending on the current system time and the certificate’s validity period. For information on configuring the time, see “Configuring the time and date” on page 265.
(Green dot in column heading.)	Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

2. Either click New to add a profile or double-click a profile to modify it.
3. From Type, select whether the keys and certificate will be used for validating the signature of and decrypting incoming email (External), or to sign and encrypt outgoing email (Internal).

Certificate import formats vary by this selection.

Figure 151:Configuration for incoming/external email

Figure 152:Configuration for outgoing/internal email

4. In Address Pattern, enter the email address or email domain that you want to use the certificate in this binding.

For example, you might bind a personal certificate for User1 to the email address, user1@example.com.

5. For internal address bindings, from Choose import type, select one of the following ways to either import and bind a personal certificate, or to bind an existing server certificate:
   • Import PKCS12 file: Upload and bind a personal certificate-and-key file that uses the public key cryptography standard #12 (PKCS #12), stored in a password-protected file format (.p12).
   • Import PEM files: Upload and bind a pair of personal certificates and public and private keys that use privacy-enhanced email (PEM), a password-protected file format (.pem).
   • Choose from local certificate list: Bind a server certificate that you have previously uploaded to the FortiMail unit. For details, see “Managing local certificates” on page 347.

Depending on your selection in Choose import type, either upload the personal certificate files and enter their password, or select the name of a local certificate from Choose local certificate list.

If a certificate import does not succeed and event logging is enabled, to determine the cause of the failure, you can examine the event log messages. Log messages may indicate errors such as an unsupported password-based encryption (PBE) algorithm:

PKCS12 Import: err=0x6074079: digital envelope routines / EVP_PBE_CipherInit / unknown pbe algorithm

6. For external address bindings, upload and bind a privacy-enhanced email (PEM) file that contains a personal or server certificate and its public key.
7. Click Create.

Certificate bindings will be used automatically as needed for matching message delivery rules in which you have selected an encryption profile. For details, see “Configuring encryption profiles” on page 594 and “Configuring delivery rules” on page 464.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!