DescriptionIf the FortiMail unit’s local certificate is signed by an intermediate CA rather than a root CA, before clients will trust the FortiMail unit’s local certificate, a link must be demonstrated with trusted root CAs, thereby proving that the FortiMail unit’s certificate is genuine.
This chain of trust can be demonstrated either by:
• installing each intermediate CA’s certificate in the client’s list of trusted CAs.
• including a signing chain in the FortiMail unit’s local certificate.
This article will focus on the second method.
SolutionTo include a signing chain, before importing the local certificate to the FortiMail unit, open the FortiMail unit’s local certificate file in a plain text editor. Append the certificate of each intermediate CA in order from the intermediate CA who signed the FortiMail unit’s certificate to the intermediate CA whose certificate was signed directly by a trusted root CA, then save the certificate.
For example, a local certificate which includes a signing chain might use the following structure:
-----BEGIN CERTIFICATE-----
<FortiMail unit’s local server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the FortiMail certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of intermediate CA 1 and whose certificate was signed by a trusted root CA>
-----END CERTIFICATE-----
Save the certificate file. Then, go to System > Certificate > Local Certificate and select the option import.