Using PKI/Certificate to log into Fortimail quarantine/webmail

Fortimail can be configured so users can log into their webmail/quarantine with a certificate loaded in their browser or on a smartcard. The CA signs each user certificate, and the Fortimail verifies each presented certificate against that CA for user authentication.

First, load the CA certificate under System –> Certificate –> CA Certificate

This is the CA certificate that will sign each user client certificate.

Now create the PKI user under Domain&User –> User –> PKI User

This typically isn’t an individual user; it is the PKI profile for all users, and it can optionally filter which users are accepted. In this example I’m creating a PKI user so only user certificates containing OU=Sales in the Subject will be allowed to log in. The Subject can remain empty to authenticate all users whose certificate is signed by the CA.

Next we’ll enable PKI via CLI:

Lastly we create a recipient policy and make sure PKI authentication is enabled in the Advanced settings. When troubleshooting, if there is more than one recipient policy, it’s a good idea to have PKI auth enabled on all of them in case the user is matching a policy higher in the list.

Now users will need their signed client certificates imported into their browser or stored on a USB token/smartcard. As shown here, when the user accesses the Fortimail they are prompted for the client certificate to use for authentication, and access is granted for user sales@fortinettac.com.
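To check a user certificate before troubleshooting on the unit, the following added shell script (not Fortimail code) reproduces the two conditions the PKI user above imposes: the certificate must chain to the loaded CA and its Subject must carry OU=Sales. It builds a constructed throw-away CA, a second unrelated CA and three client certificates with openssl; the CA names are made up, the user names follow the post.

```shell
#!/bin/sh
# Added example: a throw-away PKI built with openssl to exercise the checks a
# Fortimail PKI user applies (signed by the loaded CA, Subject contains OU=Sales).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT : self-signed CA (stands in for the CA loaded on the unit)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_client CA NAME SUBJECT : client certificate signed by CA
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# pki_check CERT CAFILE OU : succeeds only if CERT chains to CAFILE and its
# Subject holds an OU attribute equal to OU (exact match, so OU=Salesforce
# does not satisfy a filter of Sales).
pki_check() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  subj=${subj#subject=}; subj=${subj# }
  case ",$subj," in
    *",OU=$3,"*) return 0 ;;
  esac
  return 1
}

# Constructed CA loaded on the unit, plus an unrelated CA that was never loaded.
make_ca ca "/CN=Constructed Mail CA"
make_ca rogue "/CN=Constructed Other CA"
issue_client ca sales "/OU=Sales/CN=sales@fortinettac.com"
issue_client ca support "/OU=Support/CN=support@fortinettac.com"
issue_client rogue impostor "/OU=Sales/CN=sales@fortinettac.com"

for name in sales support impostor; do
  if pki_check "$WORK/$name.pem" "$WORK/ca.pem" Sales; then
    echo "$name: login allowed"
  else
    echo "$name: login denied"
  fi
done
```

Only the sales certificate passes: support fails the Subject filter, and impostor fails chain validation despite carrying OU=Sales, which is why the correct CA certificate must be loaded under System –> Certificate first.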
