

Adding SSL Certificates 201

Advanced issues you might run into when adding your own SSL certificates to a Windows Mobile device for browsing or Exchange ActiveSync. The core problem: the device cannot fetch missing intermediate certificates on its own, so either the server has to send the complete chain or the intermediates have to be installed on the device.

Some servers do not send down the entire certificate chain at the start of the SSL handshake. Which certificates get sent is a server-side configuration matter: on IIS (and on an ISA front end that terminates SSL), Schannel sends whatever chain it can build from that machine's own Local Computer certificate store, so if the intermediate is missing from the Intermediate Certification Authorities store on the box that terminates SSL, only the server certificate goes out. Desktop Windows papers over this by fetching missing intermediates dynamically from the URL in the certificate's Authority Information Access extension; Windows Mobile 5.0 devices cannot do that.

The symptom is that you have added the root certificate for your site to the device, but the browser on the device still does not recognize the site's certificate. To make this scenario work, either fix the server so that it sends the complete chain, or grab the intermediate certs (every cert in the chain except the first, which is the server certificate, and the last, which is the root) and add them to the device using the XML method previously discussed on this blog. When creating the XML for the intermediate certs, change the certificate store in the XML from "ROOT" to "CA". The intermediates are not trust anchors, and they do not belong in ROOT.

Another way to tell whether you have this problem is to look at the site in Firefox. Firefox does not chase down intermediate certs either, so if it complains about the SSL connection, you probably have this problem. One caveat: Firefox remembers intermediates it has already been sent by other sites, so test from a profile that has not visited a server using the same intermediate.
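To see the failure and both fixes side by side, here is an added example in shell with openssl; it is not code from the original post. openssl stands in for the device's verifier: it is given only the root, fetches nothing, and has to build a chain from what it is handed. The script builds a throwaway root/intermediate/server chain, shows that the server certificate alone fails against the root, that the full server-sent chain passes, and that the intermediates extracted as described above ("every cert except the first and the last") also pass when supplied separately, which is what the device's CA store provides. It then emits one XML fragment per intermediate for the CA store. The fragment layout (CertificateStore, store name, SHA-1 thumbprint node, EncodedCertificate parm) is an assumption taken from the CertificateStore provisioning documentation and should be checked against the earlier post; all names and hostnames are made up.

```shell
#!/bin/sh
# Added example, not code from the original post.  openssl models the
# Windows Mobile 5.0 verifier: it knows only the roots it is given and
# fetches nothing, so an intermediate must come from the server or sit in
# the device's "CA" store.  The PKI is generated on the fly; every name
# below (Example Test Root, mail.example.test) is made up.
WORK=$(mktemp -d)
ossl() { openssl "$@" 2>/dev/null; }

cat > "$WORK/ossl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF

# Root: self-signed, the one thing the device holds in its ROOT store.
ossl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ossl.cnf" -extensions ca_ext \
  -subj "/CN=Example Test Root" -days 3650 -keyout "$WORK/root.key" -out "$WORK/root.pem"
# Intermediate, issued by the root.
ossl req -new -newkey rsa:2048 -nodes -config "$WORK/ossl.cnf" \
  -subj "/CN=Example Test Intermediate" -keyout "$WORK/inter.key" -out "$WORK/inter.csr"
ossl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -set_serial 2 \
  -extfile "$WORK/ossl.cnf" -extensions ca_ext -days 1825 -out "$WORK/inter.pem"
# Server certificate, issued by the intermediate: all a misconfigured server sends.
ossl req -new -newkey rsa:2048 -nodes -config "$WORK/ossl.cnf" \
  -subj "/CN=mail.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
ossl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -set_serial 3 \
  -extfile "$WORK/ossl.cnf" -extensions leaf_ext -days 365 -out "$WORK/leaf.pem"

# The device's verdict.  $1 = server certificate, $2 = device ROOT store,
# $3 = optional untrusted helpers (the rest of what the server sent, or the
# device's CA store).  Returns 0 if a chain to a root was built, 1 otherwise.
device_verify() {
  if [ -n "$3" ]; then
    ossl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null
  else
    ossl verify -CAfile "$2" "$1" >/dev/null
  fi
}

# Certificates in a PEM bundle, e.g. the output of
#   openssl s_client -connect mail.example.test:443 -showcerts </dev/null
# A count of 1 means the server sends only its own certificate.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a bundle ($1) into $2/001.pem, 002.pem, ... in the order sent.
split_pem() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", d, n) }
                 f != "" { print > f }' "$1"
}

# "Every cert except the first and the last" of a leaf-first bundle ($1),
# written as one bundle to $2: these are the intermediates for the CA store.
intermediates_of() {
  d=$(mktemp -d); split_pem "$1" "$d"
  n=$(cert_count "$1"); : > "$2"; i=2
  while [ "$i" -lt "$n" ]; do cat "$d/$(printf '%03d' "$i").pem" >> "$2"; i=$((i + 1)); done
}

# Provisioning XML for one certificate ($1 = PEM file) in store $2 (ROOT for
# the root, CA for intermediates).  Node name = SHA-1 thumbprint, value =
# base64 DER.  This layout is an assumption from the CertificateStore CSP docs.
csp_fragment() {
  hash=$(ossl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g')
  b64=$(ossl x509 -in "$1" -outform DER | ossl base64 -A)
  printf '<characteristic type="CertificateStore">\n  <characteristic type="%s">\n' "$2"
  printf '    <characteristic type="%s">\n' "$hash"
  printf '      <parm name="EncodedCertificate" value="%s"/>\n' "$b64"
  printf '    </characteristic>\n  </characteristic>\n</characteristic>\n'
}

# One fragment per certificate in bundle $1, all for store $2.
csp_fragments() {
  d=$(mktemp -d); split_pem "$1" "$d"
  for f in "$d"/*.pem; do csp_fragment "$f" "$2"; done
}

# Two servers: one sends only its certificate, one sends the whole chain.
cp "$WORK/leaf.pem" "$WORK/server_leaf_only.pem"
cat "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/server_full.pem"

if device_verify "$WORK/server_leaf_only.pem" "$WORK/root.pem"; then
  echo "root alone was enough"
else
  echo "leaf-only server: the device needs this in its CA store:"
  intermediates_of "$WORK/server_full.pem" "$WORK/ca_store.pem"
  csp_fragments "$WORK/ca_store.pem" CA
fi
```

Against a real server, feed the output of the `openssl s_client -showcerts` command in the comment to `cert_count`: a count of 1 means the server, not the device, is the thing to fix, and the intermediate has to be added to the certificate store of the machine terminating SSL. If the count is 2 or more but the device still complains, run `intermediates_of` on that output and provision the result into the CA store.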

The browser and the sync client use the same underlying SSL APIs, so if the browser can open your site without warning that the SSL connection is bad, SSL is not the problem. This is the easiest way to isolate SSL problems: get the browser connecting to your server first, then move on to troubleshooting the sync connection itself (check the Exchange server logs, etc.).

 

Scott

 

edit : added bit about firefox

edit 3/28: added links inline to other posts on the topic

Comments

  • Anonymous
    March 03, 2006
    What doesn't help is that you guys forgot to add the ability to view and delete intermediate certificates in Windows Mobile. The Certificates applet in the Control Panel only shows personal certificates and root certificates.

    Things would have been much easier if users had the option of importing certificates from PKCS#12 files.

  • Anonymous
    March 08, 2006
    Hi Jacco,
    As for having a CA certificate control panel and having easier and better ways to import certs, both of those features are on the radar and my feature team is aware of them. I hope that some of the future changes to these areas will appease your concerns.

  • Anonymous
    March 28, 2006
    You need to link back to your previous post in this post... since you refer to it, why not link to it so we don't have to go searching...

  • Anonymous
    March 29, 2006
    Thanks for the links! Thanks for this post too... although I did find that just moving the cert over to the device and clicking it was the easiest method of installing it.

  • Anonymous
    April 05, 2006
    How can I add root certs to my Windows Mobile 5.0 device?
     
    In WM 5.0, the certchk tool no longer...

  • Anonymous
    April 25, 2006
    Hi,

    I have an Exchange behind ISA architecture... I can get ActiveSync to sync my tasks, contacts and even my calendar over AirSync (Exchange ActiveSync). One thing though, I have never been able to get the mail to sync... any ideas? Just an article will do; I've had a smartphone for almost 2 years now and never been able to be truly mobile with my data...

    Thanks

  • Anonymous
    June 20, 2006
    "Some servers do not send down the entire certificate chain at the beginning of the SSL session. This is a configuration option on the server."

    So, how does one enable this option on IIS and/or Exchange? I'd guess that most people would prefer this option over installing intermediate certificates on each and every client.

  • Anonymous
    July 07, 2006
    There's really no excuse here. The XP OS contains dozens of root certs and 5.0 carries six. Why is this issue being skirted, and why are the registries of these new devices locked, which is the real underlying problem with all of the remedies that require you to install the cert manually?

    With a registry locked it won't happen.

  • Anonymous
    August 11, 2006
    Say hello to the SslChainSaver tool. This is a tool that I wrote internally to troubleshoot SSL connections...

  • Anonymous
    August 22, 2006
    Jacco, I would like to thank you for creating that P12 import tool. However I own WM5.0 for Smartphone, which makes the buttons not work correctly. I have found a bunch of tools in the Windows folder such as certinst and CertScan. However, it seems like these programs don't work. I was also reading some other docs on how to install "root" certificates. However, I don't care about my root certificates. I need to know how to install a "personal" certificate for client authentication. Does anyone know how this would be done? Thanks a bunch guys.

  • Anonymous
    August 28, 2006
    Hi. I too need to be able to import a pfx certificate onto a PPC2003 device. The p12import utility created by Jacco seems to work on the surface, but something is wrong. The certificate looks like it's installed, but when you select it for use (Aegis client, or Funk Odyssee) it doesn't work. Are there any other utilities out there to import pfx?

  • Anonymous
    September 07, 2006
    I see the same thing that JohnB is seeing. I did manage to get the certificate to import; I had to give the certificate the same name and location as in the default value when the program starts up. Anyway, I got it to import, however it will not decrypt my S/MIME e-mails. Instead it just says encryption failed. Then I try to browse to an HTTPS site which requires my certificate, and it asks me which certificate to use and seems to login correctly; however nothing loads. This could actually be a problem on my end, but they both seem closely related. Any ideas?

  • Anonymous
    October 19, 2006
    On a Symbol MC70 the p12import utility seems to work correctly, but it strips the private key! I solved the problem by using openssl to split the pfx file into several pem files, combining two of them into a p7b file and converting the other into a pvk file. Then use the crtimprt utility. This solution I got from Jacco's site: http://www.jacco2.dds.nl/networking/crtimprt-org.html
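
As an added example (not part of the thread above), here is the openssl side of that workaround with a throwaway self-signed client certificate, plus the check the earlier comments about "imported but doesn't work" were missing: confirming that the private key actually survived the split and still belongs to the certificate. The .pfx, its password and the name "alice" are constructed here, the certificate-only .p7b is produced with `crl2pkcs7`, and the final pvk conversion from the comment is not reproduced.

```shell
#!/bin/sh
# Added example, not from the original thread.  Everything here is
# constructed: "alice", the password "secret" and the .pfx itself.
W=$(mktemp -d)
o() { openssl "$@" 2>/dev/null; }
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = alice\n' > "$W/req.cnf"

# A client certificate with its key, packaged as .pfx (PKCS#12) the way a
# CA or an administrator would hand it out.
o req -x509 -newkey rsa:2048 -nodes -config "$W/req.cnf" -days 365 \
  -keyout "$W/alice.key" -out "$W/alice.pem"
o pkcs12 -export -inkey "$W/alice.key" -in "$W/alice.pem" \
  -passout pass:secret -out "$W/alice.pfx"

# Split the .pfx ($1, password $2) into $3/certs.pem (certificates only),
# $3/key.pem (the unencrypted private key) and $3/certs.p7b (certificates
# in a PKCS#7 container, the cert half of a two-part import).
split_pfx() {
  o pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3/certs.pem"
  o pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/key.pem"
  o crl2pkcs7 -nocrl -certfile "$3/certs.pem" -out "$3/certs.p7b"
}

# Does private key $2 belong to certificate $1?  An import that "looks
# installed" but dropped or swapped the key fails this.  Compares digests
# of the RSA modulus; prints match/MISMATCH and returns 0/1.
key_matches_cert() {
  c=$(o x509 -in "$1" -noout -modulus | o sha1)
  k=$(o rsa -in "$2" -noout -modulus | o sha1)
  if [ -n "$c" ] && [ "$c" = "$k" ]; then echo match; return 0; fi
  echo MISMATCH; return 1
}

split_pfx "$W/alice.pfx" secret "$W"
key_matches_cert "$W/certs.pem" "$W/key.pem"
```

Run `key_matches_cert` against whatever the import tool leaves on the device (or against the files you fed it) before blaming the mail client or the server: a MISMATCH means the personal certificate was installed without a usable key, which is exactly the symptom of S/MIME decryption or client authentication silently failing.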

  • Anonymous
    October 20, 2006
    So, just to check if I got this right: if you have a firewall (i.e. ISA) terminating the SSL connection in front of the web server, you would need to install the entire chain of certificates in the local computer trusted root store on the firewall, to resolve the issue that even though the Windows Mobile device HAS the root certificate installed and the intermediate, the browser still sees the SSL cert from the server as something I "have not chosen to trust". Correct?

  • Anonymous
    October 21, 2006
    If your cert chain looks like A (root) -> B (intermediate) -> C (server leaf), and the firewall only has C, it will only send C. If the Windows Mobile device only has A, it can't construct the chain between C and A. If you've installed A in the "ROOT" store on the device and B in the "CA" store, then the device will be able to identify the chain. Or if A, B, and C are installed on the firewall, it will send down enough information that the device can verify the chain using only cert A on the device.

  • Anonymous
    October 22, 2006
    Thank you for that explanation. The weird thing is that I have A and B installed on the device, but I still get a certificate warning when browsing the site. The certificates were installed by clicking on the .cer files. Today I will add the intermediate cert to the trusted root store on the firewall. I'll let you know how it works out.

  • Anonymous
    October 22, 2006
    I just installed the intermediate with the .cab method. Now it works!

  • Anonymous
    March 22, 2007
    I have Windows Mobile 5.0 and PPC2003 devices that are not syncing wirelessly because the GTE CyberTrust Root Certificate has expired on the device as of 2/23/06. It is just starting to show up on about 50 devices we have. People cannot sync and get their email. My Exchange admin tells me that they have updated the cert on the server, but I still cannot sync even if I do a hard reset on the PPC2003 device. It still only has the expired certificate. How can I fix this problem ASAP? Thanks in advance for your help... It seems I am not the only one having this issue; I was reading some of the blog. Will my admins have to install more certs on all the Exchange servers running ActiveSync?

  • Anonymous
    June 04, 2007
    I just spent $479.00 on a "smart phone" and now I need to spend another $100.00 or so on a cert. Let Microsoft buy the cert. Why is there not a disclaimer in the operating/setup instructions that lets us know that we have been taken to the cleaners again by Microsoft?

  • Anonymous
    June 11, 2007
    Your web site might be sending the cab with the wrong MIME type. Try copying the cab directly to the device and opening it from there.

  • Anonymous
    June 23, 2007
    I wanted to ask something regarding the following comment: "Windows Mobile 5.0 devices do not have the ability to dynamically get the intermediate certificates." Will Windows Mobile 6.0 have the ability to dynamically get the intermediate certificates? Thanks

  • Anonymous
    June 23, 2007
    Hi Elan, Good question. That's not in WM6. I haven't seen much customer demand for that feature. I think it's more likely that we would make the exchange sync setup experience work better than that we'd port the desktop feature of downloading certificates dynamically. Scott

  • Anonymous
    June 24, 2007
    Well, I was at a client a couple months ago when VeriSign decided to start signing their SSL certificates with their intermediate certificate. Little did I know that the mobile device would need the intermediate certificate installed on it. What a pain! I found out that VeriSign will allow you to obtain an SSL certificate signed by the root for situations such as this. I'd love to see this feature enabled in Mobile 6. I'm surprised there is not much customer demand. With some of the vendors out there signing their SSL certificates with their intermediates, you'd think this would be a feature requested more.

  • Anonymous
    June 24, 2007
    The server can be configured to always send the intermediate certificates down during the connection. If it is, then the device doesn't need to have the intermediate certificates installed. So you might be better off fixing the client's front-end server in this case - for example, Firefox also won't be able to verify the connection to the server because it also doesn't chase down the intermediate certificates.

  • Anonymous
    June 24, 2007
    Do you know where this configuration can be found? I've searched for hours on how to configure IIS to send down the intermediate certificate so the mobile devices won't spit out errors even if they don't have the intermediate cert. I've looked at VeriSign documentation, looked on Firefox forums, Google, Live Search, etc... All I ever hear is that the web server needs to be configured for this, but nobody ever knows how to configure it. Any help would be much appreciated.

  • Anonymous
    July 10, 2007
    I have a non-Exchange mail server and am using client certification with IMAP. I have installed the personal and root certificate on my Windows Mobile 6, but it is not sending down the cert. Is Windows Mobile only supporting Exchange, or is there a way to solve this?

  • Anonymous
    July 17, 2007
    @jburen: I believe we only support client auth for exchange servers right now.

  • Anonymous
    March 28, 2008
    Any plans to implement the support? This is a backside for the vendors who provide phones with Windows Mobile. Not everyone is using Exchange servers.

  • Anonymous
    June 02, 2008
    Hi, I'm developing an app, using "HttpOpenRequest()", that attempts to contact a server via SSL. At this time I'm not interested in having the cert signed and paying big bucks; using the temporary self-generated cert is fine. When connecting though, I'm getting an error ERROR_INTERNET_INVALID_CA. Here are the flags currently supported by HttpOpenRequest(): INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID. I'm using both of these flags, but I really don't want to worry about the CA. How about a flag to disable CA checking altogether... INTERNET_FLAG_IGNORE_INVALID_CA. Is there already a way to do this? Thanks, DD

  • Anonymous
    March 04, 2009
    Hi, off topic, but we are facing a strange problem on Windows Mobile 5: we are able to browse the site using IE over https, but when the application tries to make an https connection, the first connection goes through and subsequent connections fail for no reason. On checking the network stream we found that the handshake verification message before each request for SSL is not being generated. The same code works on Windows Mobile 6. Would appreciate any help.