Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CL1
Contributor

Created on ‎03-04-2025 04:39 AM

Fortimail admin certification

Hello everyone,

 

I would like to know whether it is possible to generate and create a certificate on FortiMail for internal use for administrators only (ex : internal.example.net). If so, could anyone provide guidance on the process?

 

Thanks in advance

Best regards,

CL
CL
Labels:
386
0 Kudos
10 REPLIES 10
AEK
SuperUser
SuperUser

Created on ‎03-04-2025 06:11 AM

Hi CL1

To sign a certificate you need a CA.

If you don't have a CA then I think you can use any Linux host to create a private CA with OpenSSL and to sign a certificate for your FML.

AEK
AEK
348
CL1
Contributor
In response to AEK

Created on ‎03-05-2025 12:26 AM

Hello AEK,

 

I currently have a public certificate that all users use, but I would like to set up a separate one exclusively for administrators. Is it possible to configure this on FortiMail? I believe this can be done on FortiGate.

 

Best regards,

CL
CL
330
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎03-05-2025 01:20 AM

Hi CL1

You need to generate CSR under menu System > Certificate.

Once generated you download it and you sign it with your CA, then you push it again to FortiMail. Once done you should be able use it exclusively for your admin access from the same menu System > Certificate (sorry I don't have a FML lab to provide more details).

AEK
AEK
316
0 Kudos
CL1
Contributor
In response to AEK

Created on ‎03-05-2025 01:39 AM

Hello AEK,

 

That's exactly what I'm trying to figure out, how to assign the certificate exclusively for internal use without applying it to public connections. Cause if you go to system > certificat > local certificat, you can only upload the certificate, you can't assign it to a specific use, or can you ? (There is a free Fortimail demo provided by fortinet, but you have "read only" privilege)

 

Best regards,

CL
CL
307
0 Kudos
AEK
SuperUser
SuperUser
In response to CL1

Created on ‎03-05-2025 01:49 AM

Hi Cl1

This doc shows that you can do so.

https://docs.fortinet.com/document/fortimail/7.4.4/administration-guide/383706

 

Server certificates

FortiMail must present its server certificate when a client requests a secure connection for the:

  • GUI (HTTPS connections only)
  • webmail (HTTPS connections only)
  • secure email, such as SMTPS, IMAPS, and POP3S

For details, see Managing local certificates.

 

I'll try to test it.

AEK
AEK
294
CL1
Contributor
In response to AEK

Created on ‎03-05-2025 02:09 AM

Hello AEK,

 

Thank you for your answer, I'll try it and see

 

Kind regards,

CL
CL
278
0 Kudos
AEK
SuperUser
SuperUser
In response to CL1

Created on ‎03-05-2025 02:34 AM

I managed to find a lab but I just can't find a solution for your request.

I think opening a ticket will clarify more.

AEK
AEK
267
CL1
Contributor
In response to AEK

Created on ‎03-05-2025 04:29 AM

I will try judgeddic solution, and see if it works, if it doesn't I will follow your advice.

Thank you for your usual help

 

Kind regards,

CL
CL
207
0 Kudos
judgeddic
New Contributor

Created on ‎03-05-2025 01:51 AM

Yes, you can generate and create a certificate on FortiMail for internal use, such as for administrators accessing an internal domain (e.g., internal.example.net). Below is a step-by-step guide to achieving this:

Steps to Generate and Create a Certificate on FortiMail for Internal Use:

1. Generate a Certificate Signing Request (CSR)

  1. Log in to the FortiMail Web UI as an administrator.
  2. Go to System > Certificates.
  3. Click on Generate to create a new certificate.
  4. Fill in the required details:
    • Common Name (CN): internal.example.net
    • Organization (O): Your company name
    • Organizational Unit (OU): IT/Admin department
    • Country (C): Your country code (e.g., US)
    • State/Province (ST): Your state
    • City (L): Your city
  5. Click OK to generate the CSR.

2. Self-Sign or Use an Internal CA

You have two options:

  • Self-sign the certificate (for internal use only)
  • Use an internal Certificate Authority (CA) to sign the CSR
A. Self-Signed Certificate
  1. After generating the CSR, select it and click Self-Sign.
  2. The system will generate a certificate that you can now use.
B. Sign with an Internal CA
  1. Download the CSR file.
  2. Sign it using your internal CA (e.g., Microsoft Active Directory Certificate Services).
  3. Upload the signed certificate back to FortiMail.

3. Apply the Certificate

  1. Navigate to System > Certificates.
  2. Select the newly created certificate and assign it to the appropriate service (e.g., Web UI, SMTP over TLS).
  3. Save and apply changes.
291
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.