In order to communicate securely with a mail server using STARTTLS, IBM i must be able to verify the certificate presented by the server during the connection. A certificate is verified by following its issuer chain up to a certificate in IBM i's list of trusted CA certificates (the *SYSTEM certificate store managed by Digital Certificate Manager). This article describes how to determine which CA certificates are needed, how to check whether they are already installed on IBM i, how to locate copies if they are not, and how to import them. Office 365 is used as the example.


Determine the host name of the mail server you will be using, e.g. mail.office365.com. Identify the certificate chain the mail server presents by running the OpenSSL client from QShell:

STRQSH CMD('openssl s_client -connect mail.office365.com:25 -starttls smtp')

Page up and locate the "Certificate chain" section. The "verify error:num=20:unable to get local issuer certificate" line just above it is expected here: the OpenSSL client in PASE uses its own CA file, not the *SYSTEM certificate store, so it cannot build the chain itself. What matters for this procedure are the s: (subject) and i: (issuer) lines.

depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify error:num=20:unable to get local issuer certificate

Certificate chain
 0 s:/C=US/ST=WASHINGTON/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Server certificate



IBM i must have every certificate named on an i: (issuer) line in the *SYSTEM certificate store. In this example "DigiCert Global Root CA" and "DigiCert Cloud Services CA-1" are the needed certificates. Note that the server sends only the certificates shown on s: lines; the root CA appears solely as the issuer of the last certificate in the chain, so it always has to be obtained from somewhere else.


Use IBM Digital Certificate Manager (DCM) to determine whether the needed CA certificates are in the *SYSTEM certificate store. If they are found, check that they have not expired and that each one really is the certificate named on the i: line: compare the certificate's subject, not just its DCM label, since the label is free text chosen by whoever imported it.


If the needed CA certificates are not in the *SYSTEM certificate store you must locate a copy to import. In many cases they will be on your PC and you can export copies from there. To see:

If the CA certificates aren't available on your PC, the certificate the mail server sends during STARTTLS will often carry a download location for its issuer in its Authority Information Access extension. Decode the certificate by running:

STRQSH CMD('openssl s_client -connect mail.office365.com:25 -starttls smtp | openssl x509 -inform PEM -text')

Page up, looking for issuer information. In this example the "CA Issuers" entry under "Authority Information Access" gives the location of the issuer's certificate (here http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt; the URI is cut off at the right edge of the screen below). Decode each issuer certificate you download in the same way to find the location of the next issuer up the chain; the self-signed root typically carries no CA Issuers entry, which is why it must be located separately.

                Full Name:

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS

            Authority Information Access:
                OCSP - URI:http://ocspx.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertCloudSer



The last CA certificate in the chain (the root) is self-signed, so nothing in the chain points to a download location for it. A Google search for its name (http://www.google.com/#q=%22DigiCert+Global+Root+CA%22) will often turn up a link (http://www.digicert.com/digicert-root-certificates.htm) to a source (http://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt) for the issuer's certificate. Because this certificate becomes a trust anchor on IBM i, take it only from the CA's own web site and compare its fingerprint with the value the CA publishes before importing it:


Once you have copies of the certificates for all issuers in the certificate chain, import them into Digital Certificate Manager starting with the last issuer in the chain (i.e. "DigiCert Global Root CA") and working up the chain, so that each certificate's issuer is already in the store when that certificate is imported. Then test the STARTTLS connection from the application that will actually use it; the OpenSSL client command above is not an end-to-end test, since it does not consult the *SYSTEM certificate store and will keep reporting the verify error even after a successful import.
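The chain-analysis, download-checking and import-ordering steps above, as an added shell example that is mine and not from the original article or from IBM: it reads the s:/i: lines that openssl s_client prints, lists the issuer CNs in the order DCM wants them imported (root first), reports which of them are missing from a list of names you paste from DCM, and wraps the two openssl checks worth running on downloaded files before they become trusted. The chain text is a constructed copy of the output shown above rather than a live capture, the store list is assumed to hold certificate subject CNs (DCM labels are free text, so copy the subject rather than the label), and fetch_chain, needed_cas, root_ca, missing_cas, to_pem, verify_chain and ca_fingerprint are names I chose. Run it with a host and port to analyse a live server; with no arguments it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original article): works out which CA certificates
# a STARTTLS mail server's chain needs, in the order DCM wants them imported,
# and checks the downloaded issuer files before you import them.
# Assumes the chain text has the ' 0 s:/...' / '   i:/...' layout that
# openssl s_client prints, and that the store list holds subject CNs.

# Constructed sample mirroring the chain shown above; not a live capture.
SAMPLE_CHAIN='Certificate chain
 0 s:/C=US/ST=WASHINGTON/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA'

# Live capture (not used by the sample run). stdin comes from /dev/null so
# s_client exits after the handshake instead of waiting for SMTP commands;
# -showcerts also prints each certificate's PEM so it can be saved for verify.
fetch_chain() {  # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -starttls smtp -showcerts </dev/null 2>/dev/null
}

# CN of every issuer (i:) line, deduplicated, last issuer first: this is the
# set IBM i must trust and the order in which DCM accepts them (each import
# needs its own issuer to be in the store already).
needed_cas() {  # $1 = chain text
    printf '%s\n' "$1" |
    awk '/^ *i:/ { sub(/.*CN=/, ""); sub(/\/.*/, ""); cn[++n] = $0 }
         END { for (k = n; k >= 1; k--) if (!seen[cn[k]]++) print cn[k] }'
}

# The root is only ever named as an issuer (servers do not send it), so it
# has to be fetched from the CA's own site; this says which one to look for.
root_ca() { needed_cas "$1" | head -n 1; }

# Names from needed_cas that are not yet in the *SYSTEM store. $2 is a
# newline-separated list of subject CNs already present (constructed in the
# sample run; in practice copy them from DCM).
missing_cas() {  # $1 = chain text, $2 = CNs already in the store
    needed_cas "$1" | while IFS= read -r cn; do
        printf '%s\n' "$2" | grep -Fxq -- "$cn" || printf '%s\n' "$cn"
    done
}

# The .crt files on cacerts.digicert.com are DER; openssl verify wants PEM,
# so convert a downloaded file before checking it.
to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }  # $1 = .crt, $2 = .pem

# Before importing, prove the downloaded files really chain: succeeds only if
# the server certificate verifies with the downloaded root as the sole trust
# anchor and the downloaded intermediate as the untrusted link between them.
verify_chain() {  # $1 = root.pem, $2 = intermediate.pem, $3 = server.pem
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Fingerprint of a downloaded root, to compare with the value the CA publishes
# before it becomes a trust anchor on IBM i.
ca_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Usage: sh chaincheck.sh mail.office365.com 25   (prints the DCM import order)
if [ "$#" -eq 2 ]; then
    CHAIN=$(fetch_chain "$1" "$2")
    echo "Import into DCM in this order:"; needed_cas "$CHAIN"
    echo "Root to download from the CA: $(root_ca "$CHAIN")"
fi
```

For the sample chain, needed_cas prints "DigiCert Global Root CA" then "DigiCert Cloud Services CA-1", which is exactly the import order the article gives; missing_cas against a store that already holds the root prints only the intermediate. verify_chain is the check to run once the root and intermediate files are on disk: if it fails, one of the downloaded files is not the certificate the chain names, and importing it would not make the STARTTLS connection verify.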