Useful tools
OpenSSL is useful for troubleshooting and testing TLS/SSL related issues. You can use OpenSSL to retrieve the certificate chain that the remote server presents, that is, the server certificate and, if the server sends it, the certificate of the CA that issued it, by typing the following command at a command-line prompt:
openssl s_client -connect server-ip:port -starttls smtp -showcerts
The following is an example of the OpenSSL tool output:
Figure 213: Sample OpenSSL tool output
Note that the certificate is displayed in Base64 (PEM) format in the output. If the server's CA certificate is also displayed in the output, the FortiMail unit should be able to validate the server certificate. In many cases, however, the remote server does not send the CA certificate. In that case, copy the certificate from the command output, starting from the "-----BEGIN CERTIFICATE-----" line and ending with the "-----END CERTIFICATE-----" line, and store it in a file such as server-cert.pem. The certificate can then be read with OpenSSL using the following command:
openssl x509 -in server-cert.pem -text
The following is a sample output of this command:
Figure 214: Sample OpenSSL command output
Within the certificate, there is a section called Authority Information Access (AIA) that contains a URL from which the issuing CA's certificate can be downloaded. Download the certificate from that URL and import it into the FortiMail unit. If there is more than one level of CA, repeat the process on each downloaded certificate until you reach the root CA certificate: you have reached the root when the certificate's issuer and subject are the same (a self-signed certificate), and root certificates generally carry no AIA URL of their own. Then import all the intermediate CA and root CA certificates into the FortiMail unit.
Figure 215: Importing the CA certificate
The FortiMail unit only supports certificates in PEM format. A PEM file is readable text that begins with "-----BEGIN CERTIFICATE-----"; a DER file is binary. If the CA certificates you downloaded are in DER (binary) format, convert them with OpenSSL using the following command:
openssl x509 -in my-ca.crt -inform DER -out myca.pem -outform PEM
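The procedure above carried out in code, as an added example that is not FortiMail's or OpenSSL's own: pull the PEM blocks out of s_client output, decode one, walk its DER for the AIA CA Issuers URL, and convert a DER download into the PEM form FortiMail requires. The s_client transcript, the certificate-shaped extension structure and the URL http://pki.example.test/intermediate.crt are constructed placeholders; only the Python standard library is used, and the download step itself is left to the reader.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----", re.S)
CA_ISSUERS_OID = bytes.fromhex("06082B06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2
AIA_OID = bytes.fromhex("06082B06010505070101")  # id-pe-authorityInfoAccess 1.3.6.1.5.5.7.1.1

def extract_pem_blocks(s_client_output: str) -> list:
    """Pull every PEM certificate out of 'openssl s_client ... -showcerts' output."""
    return ["-----BEGIN CERTIFICATE-----\n" + b.strip() + "\n-----END CERTIFICATE-----\n"
            for b in PEM_RE.findall(s_client_output)]
def pem_to_der(pem: str) -> bytes:
    return base64.b64decode("".join(PEM_RE.search(pem).group(1).split()))
def der_to_pem(der: bytes) -> str:
    """Same result as 'openssl x509 -inform DER -outform PEM': base64 wrapped at 64 columns."""
    if der[:1] != b"\x30":  # a DER certificate always starts with a SEQUENCE tag
        raise ValueError("not a DER certificate")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"
def _tlv(buf: bytes, i: int):  # decode tag and length at offset i -> (tag, value_start, value_end)
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length
def find_ca_issuers_url(der: bytes, start: int = 0, end: int = None):
    """Walk the DER tree for the AIA AccessDescription {caIssuers, [6] URI}; return the URI."""
    end, i = (len(der) if end is None else end), start
    while i + 1 < end:
        tag, vs, ve = _tlv(der, i)
        if tag == 0x30 and der[vs:vs + 10] == CA_ISSUERS_OID:
            utag, us, ue = _tlv(der, vs + 10)
            if utag == 0x86:  # context tag [6] = uniformResourceIdentifier
                return der[us:ue].decode("ascii")
        if tag & 0x20 or tag == 0x04:  # constructed type, or OCTET STRING (extnValue wraps DER)
            found = find_ca_issuers_url(der, vs, min(ve, end))
            if found:
                return found
        i = ve
    return None
def _der(tag: int, content: bytes) -> bytes:  # short-form TLV encoder, enough for the sample
    return bytes([tag, len(content)]) + content

# Constructed sample: a certificate-shaped extension list carrying AIA, plus an s_client-style transcript around it.
SAMPLE_URL = "http://pki.example.test/intermediate.crt"
SAMPLE_DER = _der(0x30, _der(0x30, AIA_OID + _der(0x04, _der(0x30, _der(0x30,
    CA_ISSUERS_OID + _der(0x86, SAMPLE_URL.encode("ascii")))))))
SAMPLE_S_CLIENT = ("CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = mail.example.test\n"
                   "   i:CN = Example Intermediate CA\n" + der_to_pem(SAMPLE_DER) + "---\n")
```

On a real server certificate, feed the output of the s_client command into extract_pem_blocks and the URL that find_ca_issuers_url returns is the one to download; a download that does not begin with "-----BEGIN CERTIFICATE-----" goes through der_to_pem before import.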