Support Forum

FortiMail STARTTLS unable to get local certificate from Exchange


We are having trouble with a certificate error when delivering mail.

Our delivery chain is Exchange Servers -> Load Balancer -> FortiMail -> Outside.

Incoming emails are correctly verified with TLS 1.2 and I have verify=OK, but when we send out we get this message:


STARTTLS=server, cert-subject=/CN=NAMEEXC01, cert-issuer=/CN=NAMEEXC01, verifymsg=unable to get local issuer certificate

STARTTLS=server, relay=[NAMEEXC01_IP], version=TLSv1.2, verify=CAFAIL, cipher=ECDHE-RSA-AES256-SHA384, bits=256/256


The message is the same for all four of our Exchange Servers that relay to FortiMail.


I tried to import the local NAMEEXC certificates from the four servers into FortiMail, but the message still appears.

Has anyone had the same issue, or can someone help me?





marco.digirolamo wrote: (the original post, quoted above)




I once had the same issue; try talking to the Exchange team to apply a cert other than the self-signed one, then removing the self-signed cert should deal with this.


I, however, stumbled upon another issue where FortiMail complains that my cert has an "unsupported certificate purpose"... I am using an internal Windows CA to generate and sign the certificate for STARTTLS.


STARTTLS=server, cert-subject=/C=/ST=/L=/O=/OU=/CN=*, cert-issuer=/DC=com/DC=domain/CN=ca, verifymsg=unsupported certificate purpose


The other way around (FortiMail delivering email to Exchange) does not have the same issue.


Has anyone dealt with the problem before?
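Both verifymsg strings in this thread ("unable to get local issuer certificate" and "unsupported certificate purpose") are OpenSSL's own verify error texts, so both failures can be reproduced offline with openssl and a certificate can be checked before it is imported. The script below is an added example, not from the thread or from Fortinet; the subjects and hostnames are invented, and it assumes FortiMail applies OpenSSL's standard chain and purpose checks, which the log wording suggests but the page does not confirm. It builds a self-signed NAMEEXC01-style certificate, an internal CA standing in for the Windows CA, and two CA-issued leaves (one with only the serverAuth EKU, one with serverAuth and clientAuth), then runs openssl verify the way each end of a STARTTLS session would. The detail that matters for the second post: in a sendmail-style log line, STARTTLS=server means the local MTA was the TLS server, so the peer's certificate is judged as a client certificate (-purpose sslclient), which requires the clientAuth EKU whenever an EKU extension is present. A certificate from a server-only template therefore passes -purpose sslserver (FortiMail delivering to Exchange, where Exchange is the server) but fails -purpose sslclient (Exchange delivering to FortiMail) with exactly "unsupported certificate purpose".

```shell
#!/bin/sh
# Added example (not from the thread or Fortinet): reproduce the two FortiMail verify
# failures offline with OpenSSL and show what makes each go away. All names are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

q() { "$@" >/dev/null 2>&1; }    # run quietly; set -e still aborts if generation fails

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ss_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF

# 1. Self-signed "Exchange" cert (subject == issuer), like /CN=NAMEEXC01 in the log.
q openssl req -x509 -config req.cnf -extensions ss_ext -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=NAMEEXC01" -keyout exc.key -out exc.crt

# 2. Internal CA standing in for the Windows CA (/DC=com/DC=domain/CN=ca in the log).
q openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes -days 30 \
    -subj "/DC=com/DC=domain/CN=ca" -keyout ca.key -out ca.crt

# 3. One CSR, issued twice: serverAuth only (server-style template) and serverAuth+clientAuth.
q openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=mail.domain.com" -keyout leaf.key -out leaf.csr
issue() {   # issue <serial> <out.crt> <EKU list>
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$3" > "ext_$1.cnf"
    q openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial "$1" -days 30 \
        -extfile "ext_$1.cnf" -out "$2"
}
issue 1001 server_only.crt "serverAuth"
issue 1002 server_client.crt "serverAuth,clientAuth"

# verify <purpose> <cert> [trusted.pem]: prints OK, or OpenSSL's reason for rejecting.
# sslserver is the purpose a TLS client applies to the server's cert; sslclient is the
# purpose a TLS server (FortiMail when the log says STARTTLS=server) applies to the peer.
verify() {
    purpose=$1; cert=$2; trusted=${3:-}
    if [ -n "$trusted" ]; then set -- -CAfile "$trusted"; else set --; fi
    out=$(openssl verify -purpose "$purpose" "$@" "$cert" 2>&1 || true)
    case $out in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n 1 ;;
    esac
}

# Stand-alone run: print the matrix this thread is about.
for c in \
    "sslclient exc.crt" \
    "sslclient exc.crt exc.crt" \
    "sslserver server_only.crt ca.crt" \
    "sslclient server_only.crt ca.crt" \
    "sslclient server_client.crt ca.crt"; do
    printf '%-40s -> %s\n' "$c" "$(verify $c)"
done
```

The first two rows show the original poster's situation: the self-signed NAMEEXC01 cert is rejected until the very same certificate is in the trust store, after which it verifies (the exact wording of the rejection reason differs between OpenSSL versions). If importing the certificate into FortiMail still leaves verify=CAFAIL, compare what was imported with what actually arrives on the wire, since a load balancer in the path can present a different certificate: `openssl s_client -starttls smtp -connect <relay>:25 -showcerts` captures it, and `openssl x509 -noout -subject -issuer -ext extendedKeyUsage -in cert.pem` (the -ext option needs OpenSSL 1.1.1 or later) shows its EKU. The last three rows are the second poster's case: the server-only certificate is fine when Exchange is the TLS server, but rejected as a client certificate; the fix on an AD CS template is to include Client Authentication alongside Server Authentication under Application Policies, so the issued certificate carries both EKUs.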

