set user pki
FortiMail™ Secure Messaging Platform Version 3.0 MR4 CLI Reference
06-30004-0420-20080814 347
user pki
Use this command to configure PKI authentication for users.
Syntax
set user pki name <name_str> ca <cert_str>
set user pki name <name_str> domain <domain_str>
set user pki name <name_str> ldapfield {subject alternative | cn}
set user pki name <name_str> ldapprofile <profile_str>
set user pki name <name_str> ldapquery {enable | disable}
set user pki name <name_str> ocspaction {revoke | ignore}
set user pki name <name_str> ocspca <url>
set user pki name <name_str> ocspverify {enable | disable}
set user pki name <name_str> subject <subject_str>
Commands Description Default
<name_str> <name_str> is the PKI user name.
ca <cert_str> Enter the name of the CA certificate used when validating the CA’s signature of the client certificate.
domain <domain_str> Enter the protected domain to which the PKI user is assigned. If Domain is System, the PKI user belongs to all domains configured on the FortiMail unit.
ldapfield {subject alternative | cn} Enter the name of the field in the client certificate (either CN or Subject Alternative) which contains the email address of the PKI user.
ldapprofile <profile_str> Enter the LDAP profile to use when querying the LDAP server.
ldapquery {enable | disable} Enable to query an LDAP directory, such as Microsoft Active Directory, to determine the existence of the PKI user who is attempting to authenticate, then also configure LDAP Profile and Query Field.
ocspaction {revoke | ignore} Enter the action to take if the OCSP server is unavailable. If set to ignore, the FortiMail unit allows the user to authenticate. If set to revoke, the FortiMail unit behaves as if the certificate is currently revoked, and authentication fails.
ocspca <url> The URL of the OCSP server.
ocspverify {enable | disable} Enable to use an Online Certificate Status Protocol (OCSP) server to query whether the client certificate has been revoked.
subject <subject_str> Enter the value which must match the “subject” field of the client certificate. If empty, matching values are not considered when validating the client certificate presented by the PKI user’s web browser.
History
FortiMail v3.0 MR4 New.
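The following Python model is an added illustration, not FortiMail code, of how the settings above combine into one authentication decision: the ca and subject checks, the OCSP revocation check with ocspaction deciding what happens when the responder is unreachable (revoke fails closed, ignore fails open), and the optional LDAP existence check keyed on the certificate field named by ldapfield. The PkiUser fields mirror the CLI keywords; every user name, CA name, LDAP profile, URL, certificate value and directory entry is a constructed placeholder.

```python
"""Model of the FortiMail 'set user pki' authentication decision.

Added example, not FortiMail's implementation. Field names follow the
'set user pki name <name_str> ...' keywords; all values are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set, Tuple


class OcspStatus(Enum):
    GOOD = "good"                # responder answered: not revoked
    REVOKED = "revoked"          # responder answered: revoked
    UNAVAILABLE = "unavailable"  # responder unreachable or no answer


@dataclass
class PkiUser:
    name: str
    ca: str                      # CA certificate that must have signed the client cert
    domain: str = "System"       # System: user belongs to all protected domains
    subject: str = ""            # empty: subject matching is skipped
    ldapquery: bool = False
    ldapprofile: str = ""
    ldapfield: str = "cn"        # "cn" or "subject alternative"
    ocspverify: bool = False
    ocspca: str = ""
    ocspaction: str = "revoke"   # "revoke" = fail closed, "ignore" = fail open


@dataclass
class ClientCert:
    """Minimal stand-in for the certificate fields the checks inspect."""
    issuer_ca: str
    subject: str
    cn: str
    san_email: Optional[str] = None


def email_from_cert(user: PkiUser, cert: ClientCert) -> Optional[str]:
    """Return the certificate field selected by ldapfield for the LDAP lookup."""
    if user.ldapfield == "cn":
        return cert.cn
    if user.ldapfield == "subject alternative":
        return cert.san_email
    raise ValueError(f"unknown ldapfield {user.ldapfield!r}")


def authenticate(user: PkiUser, cert: ClientCert, ocsp: OcspStatus,
                 directory: Set[str]) -> Tuple[bool, str]:
    """Apply the checks in order; return (accepted, reason)."""
    # 1. The client certificate must be signed by the configured CA.
    if cert.issuer_ca != user.ca:
        return False, "issuer does not match configured ca"
    # 2. Optional subject match; an empty subject disables the check.
    if user.subject and cert.subject != user.subject:
        return False, "subject mismatch"
    # 3. Optional OCSP revocation check. ocspaction only matters when the
    #    responder at ocspca cannot be reached.
    if user.ocspverify:
        if ocsp is OcspStatus.REVOKED:
            return False, "certificate revoked"
        if ocsp is OcspStatus.UNAVAILABLE and user.ocspaction == "revoke":
            return False, "OCSP unavailable, treated as revoked"
        # ocspaction ignore: unavailable responder is tolerated (fail open)
    # 4. Optional LDAP existence check on the ldapfield value.
    if user.ldapquery:
        email = email_from_cert(user, cert)
        if not email:
            return False, f"certificate carries no {user.ldapfield} value"
        if email not in directory:
            return False, f"{email} not found via LDAP profile {user.ldapprofile}"
    return True, "authenticated"


# Constructed sample data (placeholders, not real identities or hosts).
SAMPLE_DIRECTORY: Set[str] = {"alice@example.com"}
SAMPLE_CERT = ClientCert(issuer_ca="Example-Root-CA", subject="CN=alice,O=Example",
                         cn="alice", san_email="alice@example.com")
STRICT_USER = PkiUser(name="alice", ca="Example-Root-CA", subject="CN=alice,O=Example",
                      ldapquery=True, ldapprofile="corp-ldap",
                      ldapfield="subject alternative", ocspverify=True,
                      ocspca="http://ocsp.example.com/", ocspaction="revoke")
LENIENT_USER = PkiUser(name="alice", ca="Example-Root-CA", subject="CN=alice,O=Example",
                       ldapquery=True, ldapprofile="corp-ldap",
                       ldapfield="subject alternative", ocspverify=True,
                       ocspca="http://ocsp.example.com/", ocspaction="ignore")

if __name__ == "__main__":
    for label, user in (("revoke", STRICT_USER), ("ignore", LENIENT_USER)):
        for status in OcspStatus:
            print(label, status.value, authenticate(user, SAMPLE_CERT, status, SAMPLE_DIRECTORY))
```

Running the block prints the decision for each OCSP outcome under both ocspaction settings; the only row that differs is the unavailable responder, which is the case to weigh when choosing ignore, since an unreachable OCSP server then lets a possibly revoked certificate authenticate.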