Overview

In order to communicate securely with a mail server using STARTTLS, IBM i must be able to verify the certificate presented by the server during the connection. A certificate is verified by comparing its issuer against IBM i's list of trusted CA certificates. This article describes how to determine which CA certificates are needed, how to check whether they are installed on IBM i, how to locate copies if they are not installed, and how to import them. Office 365 is used as an example.

Identify

Determine the name of the mail server you will be using, e.g. mail.office365.com. Identify the certificate chain the mail server is using by running:

STRQSH CMD('openssl s_client -connect mail.office365.com:25 -starttls smtp')

Page up and locate the "Certificate chain" section.

CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify error:num=20:unable to get local issuer certificate
---

Certificate chain
0 s:/C=US/ST=WASHINGTON/L=Redmond/O=Microsoft Corporation/CN=outlook.com
i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate

IBM i must have the certificate(s) denoted by i: (issuer) in the *SYSTEM certificate store. In this example "DigiCert Global Root CA" and "DigiCert Cloud Services CA-1" are the needed certificates.

Check

Use IBM® Digital Certificate Manager to determine whether the needed CA certificates are in the *SYSTEM certificate store. If found, check their validity.

Locate

If the needed CA certificates are not in the *SYSTEM certificate store you must locate a copy to import. In many cases they will be on your PC and you can export copies from there. To see:

If the CA certificates aren't available on your PC, the certificate sent by the mail server during STARTTLS will often carry location information for its issuer. Decode that certificate by running:

STRQSH CMD('openssl s_client -connect mail.office365.com:25 -starttls smtp | openssl x509 -inform PEM -text')

Page up looking for issuer information. In this example "Authority Information Access" gives the location of the issuer's certificate (i.e. http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt).

Full Name:
URI:http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl

Full Name:
URI:http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Policy: 2.23.140.1.2.2

Authority Information Access:
OCSP - URI:http://ocspx.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt

For the last CA certificate in the certificate chain, a Google search (http://www.google.com/#q=%22DigiCert+Global+Root+CA%22) will often turn up a link (http://www.digicert.com/digicert-root-certificates.htm) to a source (http://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt) for the issuer's certificate.
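As an added example (not part of the original article or of IBM's tooling), the two readings above can be automated: parse the "Certificate chain" block of the s_client output into the issuer certificates DCM needs, root first, and pull the "CA Issuers" URL out of the x509 -text output. The input is a constructed copy of the output shown on this page; it assumes the slash-separated subject format printed by the OpenSSL version shown, though the CN extraction also accepts the comma-separated form of newer OpenSSL builds.

```python
import re

# Constructed sample (the chain shown on this page, PEM body omitted) of
# `openssl s_client -connect mail.office365.com:25 -starttls smtp` output.
SAMPLE_S_CLIENT = """\
Certificate chain
 0 s:/C=US/ST=WASHINGTON/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
"""
# Constructed sample of the AIA extension printed by `openssl x509 -text`.
SAMPLE_X509_TEXT = """\
            Authority Information Access:
                OCSP - URI:http://ocspx.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt
"""
CHAIN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")  # " 0 s:/C=..." / "   i:/C=..."

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section, leaf first."""
    pairs, in_chain, subject = [], False, None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # the chain section ends at the next separator
        elif in_chain and (m := CHAIN_LINE.match(line)):
            if m.group(1) == "s":
                subject = m.group(2).strip()
            else:
                pairs.append((subject, m.group(2).strip()))
    return pairs

def cn(dn):
    # CN from a slash-separated (older OpenSSL) or comma-separated (newer) DN
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else dn

def needed_ca_certs(text):
    """Issuer (i:) CNs, deduplicated, root first: the order DCM should import them."""
    issuers = []
    for _, issuer in parse_chain(text):
        if cn(issuer) not in issuers:
            issuers.append(cn(issuer))
    return issuers[::-1]

def ca_issuer_urls(x509_text):
    """'CA Issuers' URIs from Authority Information Access: where the issuer cert is published."""
    return re.findall(r"CA Issuers - URI:(\S+)", x509_text)
```

Run against real output, `needed_ca_certs` lists exactly the CA certificates that must be present in *SYSTEM, and an empty `ca_issuer_urls` result means the issuer has to be located by other means, as the article describes for the root.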

Import

Once you have copies of the certificates for all issuers in the certificate chain, import them into Digital Certificate Manager starting with the last issuer in the chain (i.e. "DigiCert Global Root CA") and working up the chain.