Why doesn’t eM Client automatically download missing certificates?
Posted by Olivia Rust on 08 July 2025 11:39

eM Client does not use AIA (Authority Information Access) to fetch intermediate or root certificates on demand, and this is intentional for security reasons.

On Windows, trusted certificate authorities (CAs) are managed through the system certificate store. Outlook and some other applications can trigger Windows to fetch missing certificates from trusted CAs when needed. eM Client, however, only uses certificates already present in the Windows store. If an intermediate certificate is missing, it does not try to download it via AIA or force Windows to update its trusted root list (which is normally updated periodically through Windows Update).

This behavior is designed to prevent a type of privacy attack: a malicious sender could include a URL in the AIA field of their certificate pointing to their own server. If your mail client automatically contacts that URL to retrieve a certificate, the sender would immediately know you opened their email.

To avoid issues, make sure to import certificates with their complete chain (including intermediate certificates) into the Windows certificate store in advance.
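To check in advance whether a certificate's chain can be built from the local Windows stores alone, the following added example (not eM Client's own code) builds the chain with downloads disabled and shows the AIA field for inspection. It assumes PowerShell 7 or later on Windows, and `$CertPath` and `Test-LocalChain` are hypothetical names.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical path to the certificate you want to check (exported .cer/.crt).
$CertPath = 'C:\temp\correspondent.cer'

function Test-LocalChain {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)

    $chain = [X509Chain]::new()
    try {
        # Stay offline: no AIA downloads and no CRL/OCSP requests.
        $chain.ChainPolicy.DisableCertificateDownloads = $true
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck

        $valid  = $chain.Build($Cert)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status })

        # The AIA extension (OID 1.3.6.1.5.5.7.1.1) holds the URL a fetching
        # client would contact; it is only displayed here, never requested.
        $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }

        [pscustomobject]@{
            Subject       = $Cert.Subject
            Valid         = $valid
            MissingIssuer = $status -contains [X509ChainStatusFlags]::PartialChain
            Status        = $status -join ', '
            ChainFound    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
            AiaField      = if ($aia) { $aia.Format($true) } else { '(none)' }
        }
    }
    finally {
        $chain.Dispose()
    }
}

$result = Test-LocalChain -Cert ([X509Certificate2]::new($CertPath))
$result | Format-List
if ($result.MissingIssuer) {
    Write-Warning 'An issuer is missing locally: import the intermediate certificate(s) into the Windows store.'
}
```

A `PartialChain` status means an intermediate or root is absent from the local stores, which is the case the advice above about importing the complete chain addresses.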
