Importing certificates into Fortimail/Fortivoice

Fortimail and Frotivoice units are shipped with Factory/Self signed certificates that will produce warning in users browsers.  In many cases this is acceptable for administrator use however if Fortimail users will be loggin into their quarantine or Fortivoice users accessing their voicemail then a certificate signed by a CA will need to be imported.

If quarantine or voicemail will only be accessed internally then a locally signed certificate may be adequate, the local root CA would need to be loaded into each browser. In a domain environment the Domain Controller can sign the certificate and domain member workstations will trust the connection.

If quarantine or voicemail will be externally accessible then purchasing a signed certificate from a CA is the better chioce.

Getting a signed certificate involves 3 components:

1 – The private key
2 – The Certificate request
3 – The signed certificate

If you already have a signed certiifcate (including SAN or wildcard) then you should also have the private key. These can be in PEM format with a cer/crt file and key file or in PKCS12 (pfx file). Skip ahead to Step 4.

If you don’t have a signed certificate yet then you can generate the certificate signing request on the Fortimail/Fortivoice unit

Step 1 – Generate Certificate Signing Request (CSR)

Fill out the certificate Signing Request and hit OK. This generates both the certificate private key and the Certificate signing request.


Step 2 – Download the certificate signing request

The New certificate request should now show a status of Pending. Select and download the CSR so you you can send to the CA to get signed. DO NOT DELETE THIS AFTER DOWNLOADING!!!!

Step 3 – Get the certificate signed

Step 4 – Import the signed certificate into the Fortimail/Fortivoice

If the CSR was generated on the Fortimail/Fortivoice unit in the previous steps use Type: Local Certificate

If you already have a signed certificate (wildcard/SAN etc) then use Type PKCS12 for p12 or pfx file or Certificate for pem/cer/crt files. If the private key is not encrypted then leave the password field blank.

Step 5 – Verify and set status

Once the certificate is imported successfully the status will change to OK, to make the certificate active on the unit select the certificate and click “Set Status”


Step 6 – Import CA Root and Intermediate certificates

Your CA will often include the CA root and intermediate certificates bundle along with the signed certificate. If not included then they will be available for download from their website. These Root and intermediate certificates will need to be loaded into the CA certificate tab on the Fortimail/Fortivoice unit.


If you try importing a certificate and get the “No matched local certificate is found” error this means that the certificate you are importing doesn’t match the CSR/private key that was generated in step 1

Leave a Reply