Replacing the default FortiMail certificate


In this recipe, you will learn how to replace the default certificate used by your FortiMail for secure connections.

All FortiMail units have a self-signed certificate installed on them by default. It is recommended to replace this certificate with valid digital certificate for the protected domains, to keep the contents of your email secure.

1. Generating a certificate request

If you already have a signed certificate, you can proceed to step 2.

On your FortiMail, go to System > Certificate > Local Certificate and select Generate.

Set the information in the Generate Certificate Signing Request as required.


The request will appear in the certificate list, with its status shown as Pending. Select the request, then select Download.

Send the certificate request file (.csr) to a certificate authority (CA) for signing.


2. Importing the signed certificate

When you have a signed certificate, go to System > Certificate > Local Certificate and select Import.

Set Type to Local Certificate and choose the certificate file (.cer).

In the certificate list, select the certificate, then select Set status to set the certificate as the default.  

3. Results

Go to System > Certificate > Local Certificate. The imported certificate is shown as Default in the Status column.

Because this certificate is set as the default, the FortiMail will automatically use it for making secure connections.