FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
Article Id 194681
This article explains how to replace the default certificate used by a FortiMail for secure connections.

All FortiMail units have a self-signed certificate installed on them by default.  It is recommended to replace this certificate with valid digital certificate for the protected domains, to keep the contents of email secure.

1. Generating a certificate request

If a signed certificate is already available, proceed to step two.

On the FortiMail, go to System > Certificate > Local Certificate and select Generate. Set the information in the Generate Certificate Signing Request as required.

The request will appear in the certificate list, with its status shown as Pending.  Select the request, then select Download.

Send the certificate request file (.csr) to a certificate authority (CA) for signing.

2. Importing the signed certificate

With the signed certificate, go to System > Certificate > Local Certificate and select Import.  Set Type to Local Certificate and choose the certificate file (.cer).

In the certificate list, select the certificate, then select Set status to set the certificate as the default.

3. Check that the default certificate has been changed

Go to System > Certificate > Local Certificate. The imported certificate is shown as Default in the Status column.

The FortiMail will now automatically use this new default certificate for making secure connections.