To communicate securely with a mail server using STARTTLS, IBM i must be able to verify the certificate presented by the server during the connection. A certificate is verified by checking that its issuer is in IBM i's list of trusted CA certificates. This article describes how to determine which CA certificates are needed, how to check whether they are installed on IBM i, how to locate copies if they are not, and how to import them. Office 365 is used as the example.
Determine the name of the mail server you will be using, e.g. mail.office365.com. Identify the certificate chain the mail server presents by running:
STRQSH CMD('openssl s_client -connect mail.office365.com:25 -starttls smtp') and press Enter.
Page up and locate the "Certificate chain" section.
IBM i must have the certificate(s) identified by the i: (issuer) lines in the *SYSTEM certificate store. In this example, "DigiCert Global Root CA" and "DigiCert Cloud Services CA-1" are the needed certificates.
Use IBM Digital Certificate Manager (DCM) to determine whether the needed CA certificates are in the *SYSTEM certificate store. If they are found, check their validity period (that they have not expired).
If the needed CA certificates are not in the *SYSTEM certificate store, you must locate a copy to import. In many cases they will already be on your PC and you can export copies from there. To see:
If the CA certificates aren't available on your PC, the certificate sent by the mail server during STARTTLS will often contain location information for its issuer. Decode the STARTTLS certificate by running:
STRQSH CMD('openssl s_client -connect mail.office365.com:25 -starttls smtp | openssl x509 -inform PEM -text') and press Enter.
Page up and look for issuer information. In this example, the "Authority Information Access" extension gives the location of the issuer's certificate (i.e. http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt).
For the last CA certificate in the certificate chain, a Google search (http://www.google.com/#q=%22DigiCert+Global+Root+CA%22) will often turn up a link (http://www.digicert.com/digicert-root-certificates.htm) to a source (http://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt) for the issuer's certificate.
Once you have copies of the certificates for all issuers in the certificate chain, import them into Digital Certificate Manager starting with the last issuer in the chain (i.e. "DigiCert Global Root CA") and working up the chain.
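The steps above (read the i: lines from the s_client output, find the issuer download location in the Authority Information Access extension, import root first) can be scripted in QSH. The following is an added example, not code from the original article; the SAMPLE_CHAIN text is constructed in s_client's output format rather than captured from mail.office365.com, and the ca_issuers_url function assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original article. Parses the "Certificate chain"
# block that openssl s_client prints and lists the issuer (i:) CA names that
# must be in the *SYSTEM store, in the order DCM needs them imported (root first).
# SAMPLE_CHAIN is constructed text in s_client's output format, not a capture
# from mail.office365.com; in real use pipe s_client's output in instead.

SAMPLE_CHAIN='---
Certificate chain
 0 s:/CN=mail.office365.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed sample)
-----END CERTIFICATE-----'

# chain_issuers: read s_client output on stdin; print the CN of every distinct
# issuer in the "Certificate chain" block, leaf issuer first. Handles both the
# old "/CN=name" and the newer "CN = name" DN formats that openssl prints.
chain_issuers() {
  sed -n '/^Certificate chain/,/^---/p' \
    | sed -n 's/^ *i:.*CN *= *\([^,/]*\).*/\1/p' \
    | awk '!seen[$0]++'
}

# import_order: same input; print the issuers root first, which is the order
# the article says to import them into Digital Certificate Manager.
import_order() {
  chain_issuers | awk '{ a[NR] = $0 } END { for (i = NR; i >= 1; i--) print a[i] }'
}

# ca_issuers_url: read one PEM certificate on stdin and print the "CA Issuers"
# URL from its Authority Information Access extension, i.e. where to download
# the issuer's certificate. Needs openssl on PATH; prints nothing if the
# extension is absent.
ca_issuers_url() {
  openssl x509 -noout -text 2>/dev/null | sed -n 's/^ *CA Issuers - URI://p'
}

# Demonstration on the constructed sample. Live use from QSH would be:
#   openssl s_client -connect mail.office365.com:25 -starttls smtp </dev/null 2>/dev/null | import_order
printf '%s\n' "$SAMPLE_CHAIN" | import_order
```

Feeding the "Server certificate" PEM block from the same s_client output into ca_issuers_url gives the download location the article reads from the decoded certificate.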