Introducing the SslChainSaver

Say hello to the SslChainSaver tool. This is a tool that I wrote internally to troubleshoot SSL connections, and I'm finally able to offer it publicly. Use this tool when you want to add new root or intermediate certificates to a device for an SSL connection.

Features:

  • makes CertificateStore XML out of the entire certificate chain
  • saves all the certificates out to disk for further inspection
  • identifies servers that are not sending down the entire certificate chain
  • can optionally connect to ports other than 443

 

The XML from this tool will allow the device to connect to servers that aren't sending down the entire chain, because the XML contains all the intermediate certificates.

Usage is simple:

> sslchainsaver mail.company.com

This will create a directory called mail.company.com which contains all the certificates from the SSL chain. It will also create a file called mail.company.com.xml which can be pushed over rapiconfig or put in a CAB file for installation on devices.
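An added example, not part of the original post or the SslChainSaver source, sketching in Python the two things the tool does with a chain: order it from the leaf upward so a server that did not send every issuer is flagged, and emit the CertificateStore provisioning XML. It assumes certificates are represented as (subject, issuer, DER) tuples, uses constructed placeholder bytes in place of real certificate DER, and follows the Windows Mobile CertificateStore configuration service provider layout (ROOT and CA stores keyed by SHA-1 thumbprint).

```python
import base64
import hashlib

# Constructed sample chain as a server might send it in the handshake, as
# (subject, issuer, DER bytes) tuples. The DER payloads are placeholders for
# real certificate bytes; a real run takes them from the TLS handshake.
SERVER_SENT = [
    ("CN=mail.company.com", "CN=Example Intermediate CA", b"der-leaf-placeholder"),
    ("CN=Example Intermediate CA", "CN=Example Root CA", b"der-intermediate-placeholder"),
]
# Root known locally (on Windows it would come from the machine's root store).
LOCAL_ROOT = ("CN=Example Root CA", "CN=Example Root CA", b"der-root-placeholder")

def order_chain(certs, local_roots=()):
    """Walk leaf -> issuer by name. Returns (ordered_chain, missing_issuer);
    missing_issuer is None once the chain ends at a self-signed root."""
    by_subject = {c[0]: c for c in list(certs) + list(local_roots)}
    ordered, seen = [certs[0]], {certs[0][0]}
    while ordered[-1][0] != ordered[-1][1]:      # stop at a self-signed cert
        nxt = by_subject.get(ordered[-1][1])
        if nxt is None or nxt[0] in seen:        # issuer not sent, or a loop
            return ordered, ordered[-1][1]
        ordered.append(nxt)
        seen.add(nxt[0])
    return ordered, None

def thumbprint(der):
    # The provisioning XML keys each certificate by its SHA-1 thumbprint.
    return hashlib.sha1(der).hexdigest().upper()

def certificate_store_xml(chain):
    """Self-signed certs go to the ROOT store, intermediates to CA; the leaf is not installed."""
    lines = ["<wap-provisioningdoc>", '  <characteristic type="CertificateStore">']
    for store in ("ROOT", "CA"):
        members = [c for c in chain[1:] if (c[0] == c[1]) == (store == "ROOT")]
        if not members:
            continue
        lines.append(f'    <characteristic type="{store}">')
        for _, _, der in members:
            b64 = base64.b64encode(der).decode("ascii")   # base64 is XML-safe
            lines.append(f'      <characteristic type="{thumbprint(der)}">')
            lines.append(f'        <parm name="EncodedCertificate" value="{b64}" />')
            lines.append("      </characteristic>")
        lines.append("    </characteristic>")
    lines += ["  </characteristic>", "</wap-provisioningdoc>"]
    return "\n".join(lines)   # write as plain ASCII, no BOM, for older devices

if __name__ == "__main__":
    chain, missing = order_chain(SERVER_SENT, [LOCAL_ROOT])
    print(certificate_store_xml(chain) if missing is None else f"missing issuer: {missing}")
```

Run without `LOCAL_ROOT` to see the incomplete-chain case the post describes: the server's two certificates are kept, but the root issuer is reported as missing instead of being silently omitted from the XML.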

 

update 5/18/2008: Version 2 is now released

Comments

  • Anonymous
    August 11, 2006
    PingBack from http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx

  • Anonymous
    August 16, 2006
    Thanks Scott, this is great!

  • Anonymous
    August 24, 2006
    The tool sounds great. Can it help me discover why my user certificate is erased from the device sometimes when I am running EAS via ISA server with constrained delegation?

    I have been told that this a known bug? Why would my legit cert get erased from my device?

    Thanks,
    Sam.


  • Anonymous
    August 30, 2006
    Nice tool. Thanks!

  • Anonymous
    September 04, 2006
    Perhaps I am trying to run the program incorrectly?

    If I extract the compressed downloaded file, there is the /bin/ directory. If I open a command window, navigate to this directory and run 'sslchainsaver webmail.mydomain.com.au' I get the following Error:
    The application failed to initialize properly (0xc0000135). Click OK to terminate the application.

    I get the same error if I supply no arguments to sslchainsaver.

    I am running this from my workstation XP Pro SP2..
    (Am I meant to run from mailserver??)

    Thanks.

  • Anonymous
    September 04, 2006
    Chris - it does require the .NET Framework 2.0. Do you have that installed on the workstation?

  • Anonymous
    September 10, 2006
    Great bit of code, works a treat.  Justin - Thanks

  • Anonymous
    September 12, 2006
    What is rapiconfig and how does it work?

  • Anonymous
    October 08, 2006
    Finally I managed to sync WM5 with Exchange 2003 over SSL! Great app!

  • Anonymous
    October 10, 2006
    Thank you so much. I have two Verizon Treo 700w that I needed to get set up and have spent three full days researching how to get our self-signed certs to install. Once I found and installed your tool, the problem was fixed in minutes. Nice job and thank you once again.

  • Anonymous
    November 02, 2006
    Can you give me a step by step procedure of how to use this tool? I am confused. I have downloaded it and when I try running the SSL Chain Saver program (I installed .NET Framework 2.0) nothing happens. What am I not doing?

  • Anonymous
    November 04, 2006
    Okay. So I figured this out on my own. Great tool. Worked really well, but for a novice this is more difficult than running a program. For anyone else that finds this page, this tool should correct your syncing problems with an Exchange server without problem!! Follow these directions. Besides this software you will need the following:
    • Windows Mobile 5.0 Smartphone SDK (downloadable through MSDN)
    • Visual Studio 5.0 or higher (MSDN had a free trial as of 11/4/2006)
    • .NET Framework 2.0 (you should be able to get this from the Visual Studio 5.0 download; if not, download it from Microsoft)
    Once everything is downloaded and installed you will need to follow these instructions: Open the command prompt and navigate to the folder which has the SSLChainsaver. In this example the folder is in the C: drive and named "test", C:\Test\bin\release, by typing cd C:\Test\bin\release
    1. Type sslchainsaver mail.yourdomain.com
    2. All the certificates (root and intermediate) are extracted to a folder under C:\Test\bin\release named mail.yourdomain.com
    3. Copy all the certificates to your device
    4. Install them one by one on the device by tapping on them in the same order as listed on the actual certificate from File Explorer

  • Anonymous
    November 21, 2006
    I'm posting here to explain how this tool worked for me and hopefully to learn more about certificates. I started with SBS 2003 SP1. It came from the Action Pack that shipped just before the October one that included the SBS 2003 R2 DVD. I applied Exchange SP2 and the AKU2 firmware update to my Verizon XV6700. I then ran CEICW and it walked me though creating the cert. I confess that I don't remember which guide I then followed to get the cert installed on the phone but I got it installed and it worked fine with Direct Push until I upgraded the SBS 2003 to R2. This involved installing the premium technogies cd's which are essentially SQL 2005 WGE and ISA 2004. I only installed the SQL upgrade and then upgraded my companyweb to ASP.Net 2. I also uninstalled Sharepoint MSDE instance and installed a 3rd instance of SQL 2005 and upgraded SharePoint to that instance. During those steps I somehow invalidated my CA. It was then pretty easy to figure out how to re-run CEICW and get OWA running again with a new cert (removed old one first). At this point I tried copying the sbscert.cer over to the phone and using SpAddCert.exe to import the cert but that didn't work. I then found this thread and ran sslchainsaver and the resulting root.cer file worked with SpAddCert on the phone and I'm now back online with Direct Push. Many thanks for creating this tool!

  • Anonymous
    November 21, 2006
    note to self - I've found two conditions that will cause a failure to sync that the SSLChainSaver tool won't detect.

    1) The hostname you're connecting to doesn't match the hostname in the certificate. ActiveSync won't ever make an SSL connection in these circumstances.
    2) The server only sends down a partial chain AND doesn't send the AIA link to get the rest of the chain, so Windows can't even reconstruct the certificate chain. In this case, the tool won't have the root cert to put in the output XML. In this case you really have to fix the server, or somehow get a copy of the root certificate out-of-band.

    Both of these can be detected at runtime by the tool, so in the future I'd like to make that improvement.

  • Anonymous
    November 29, 2006
    Get error: "Connection refused:  The target machine active refused it". Mail.domain.com is host name on RHEL AS server. No firewall. Any ideas? Cheers Kirby

  • Anonymous
    January 13, 2007
    Hi Karoly, Good catch! Are you using this against 2003 devices? WM5 supports UTF8 XML on both platforms so I'd expect it to work on a WM5 device. I'm not entirely sure how much XML cab support there was in PPC 2003. What happens if you rename the cab to CPF when you install it on the PPC 2003 device?

  • Anonymous
    January 16, 2007
    Scott, Thanks for your reply. It was a WM5 device (a T-Mobile MDA) that gave me the error message about unsuccessful installation. So I guess WM5 does not support UTF8 XML... My other device, an iPAQ with PPC2003 on it, gives a different error message: "rootcert.cab is not a valid Windows CE Setup file". If I rename the cab to CPF and try to install it, it simply gets deleted without having the certificates installed.

  • Anonymous
    February 01, 2007
    I think the most compatible thing to do here is change the encoding to ASCII. I'll try to do that in a future update.

  • Anonymous
    February 08, 2007
    When will the next release be coming out? And is there a way to accomplish the same task without it? I am having the same ASCII problem.

  • Anonymous
    February 08, 2007
    I have the changes mostly written. I would estimate sometime in the next few weeks. In the meantime, you could either fix it and recompile it, or open the XML that it generates in notepad and resave it as ASCII instead of UTF-8.

  • Anonymous
    March 22, 2007
    I have some problem using it on a Zimbra server... I'll try again.

  • Anonymous
    April 09, 2007
    So I said "a few weeks" above but it's going to be quite a bit longer. Gotdotnet is going away so I need to find a new home, and there's a lot of paperwork involved in doing that.

  • Anonymous
    April 16, 2007
    Awesome tool, thanks. It worked with WM5 and Moto Q; ran the sslchain, got 2 certs, put them on the device and installed. Great work!

  • Anonymous
    April 29, 2007
    Need to convert certificate file to cab to install on Windows Mobile device

  • Anonymous
    May 09, 2007
    The link to the source code and binary is broken.

  • Anonymous
    May 09, 2007
    thanks - I've updated the link

  • Anonymous
    May 18, 2007
    The link to the source code and binary is broken again :( This has been phased out by Micro$oft. Would you have another link/source?

  • Anonymous
    May 19, 2007
    The link is still working for me. Are you still seeing it as broken?

  • Anonymous
    May 24, 2007
    I get this error message... Connect failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. What would cause this?

  • Anonymous
    May 24, 2007
    I'd guess either the site you're trying to connect to is down, or an outbound firewall on your machine (like OneCare) is blocking the connection outwards.

  • Anonymous
    May 25, 2007
    Hi, You mentioned as one of the conditions the tool doesn't work is that.. "2) The server only sends down a partial chain AND doesn't send the AIA link to get the rest of the chain, so Windows can't even reconstruct the certificate chain. In this case, the tool won't have the root cert to put in the output XML. In this case you really have to fix the server, or somehow get a copy of the root certificate out-of-band." Is there any easy way of configuring the server to make sure it passes down the full chain? Been looking for that for a while, and it's annoying having to install the full chain on the mobiles.

  • Anonymous
    May 26, 2007
    Good question, Jason. I'm not really an expert on web servers. The one thing that I have found to work with IIS is to make sure that the machine that is terminating the connection has each certificate installed on it. Sometimes that machine has only the server cert and not the intermediates and root - in that case it definitely won't send all the necessary certificates during the handshake. Scott

  • Anonymous
    July 30, 2007
    Any idea where I might be able to get the sslchainsaver tool from today? I'm having a bear of a time for a large enterprise mobile project - but I'm having trouble with the certs. I think the entire chain isn't getting sent properly - and this tool would be able to help me identify what's missing

  • Anonymous
    August 16, 2007
    The link is down (i.e. gotdotnet is closed for business). I am not sure that this tool is what I am looking for, but I thought I would mention it. I set up my HTC Trinity (Dopod D810) to download emails from my company Exchange server (webex.companyname.com), which has been working fine, but recently it stopped, telling me that the server security certificate had expired and  gave me the error 0x80072F05. I vaguely remember having had some issue with certificates when I first set the link up, but I can't remember what it was. There is no need to answer this posting - I shall be checking with our IT guys tomorrow - but I thought I would mention the issue.

  • Anonymous
    August 19, 2007
    Can we download sslchainserver from anywhere else? thanks!

  • Anonymous
    August 25, 2007
    I found it here: http://files.zimbra.com/downloads/SslChainSaver.exe

  • Anonymous
    October 03, 2007
    Running the program as a domain administrator returns this error. SSLChainSaver>sslchainsaver mail.mycompany.com Unexpected failure: Request for the permission of type 'System.Net.DnsPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

  • Anonymous
    October 03, 2007
    I haven't seen that before. Are you running the tool off of a network share by any chance?

  • Anonymous
    October 08, 2007
    Certificate problems with Windows Mobile and Active Sync seems to be a pretty common cause of not being able to synchronize you mobile phone with Microsoft Exchange, but despite the number of web pag...

  • Anonymous
    October 29, 2007
    The download page has gone. Boo Hoo. Any luck trying to find an alternate download source for this?

  • Anonymous
    November 14, 2007
    please can someone upload this tool again?

  • Anonymous
    November 26, 2007
    Looking for this file as well please!

  • Anonymous
    December 19, 2007
    With regard to not getting the entire chain from a server: I have found when publishing an SSL site with ISA Server 2006 that you need to ensure the root cert for your site is in the local computer root store, and that the intermediate is in the intermediate store.  If the certs are not in their proper places then the chain is sometimes not fully exposed.  I am not sure if native IIS has this behavior as well, but it is worth a shot.

  • Anonymous
    December 19, 2007
    Thanks for the tip, Bill. That matches my experience as well.

  • Anonymous
    December 28, 2007
    Can someone please tell me where to download this? I tried here but it gets to 20% and dies http://wiki.zimbra.com/index.php?title=Moble_Device_Setup Thanks

  • Anonymous
    February 14, 2008
    When I extracted the certs from sslchainsaver it only gave me a root.cer and no intermediate. I installed the root.cer on my Samsung SCH-i760 and now I receive the error 0x80072F06. What else do I need to do? I used sslchainsaver from my user login on the network. Should I be logged in as admin? Thanks, Brandon

  • Anonymous
    February 14, 2008
    That error usually means that the site's name doesn't match the name on the certificate. Is there an OWA web page that you can connect to via IE or Firefox? See if one of those browsers is able to make a secure connection to the site. If not, then the server might be slightly misconfigured.

  • Anonymous
    February 14, 2008
    Scott, Thank you for your prompt reply.  I just noticed that our OWA is NOT currently https so I am getting that fixed right now and then I will go from there. Thanks, Brandon

  • Anonymous
    May 18, 2008
    Two years ago I released the first version of the SSLChainSaver tool. This tool helps you diagnose and

  • Anonymous
    June 03, 2008
    Hey Scott.. I have a site called https://webmail.intelllisyn.com with a self-signed cert... downloaded and installed... I still can't get there.. any ideas? Step by step? I'll try and grab the error code

  • Anonymous
    August 01, 2008
    Rapiconfig comes in the Windows Mobile SDK.

  • Anonymous
    September 23, 2008
    Thank you so much for this program! You saved my job :o)

  • Anonymous
    March 12, 2009
    The put in link only shows one how to create a CAB file, not how to install it.

  • Anonymous
    March 13, 2009
    Transfer the CAB file to your device and click on it in the File Explorer.  This article may be helpful as well: http://www.pocketpccentral.net/help/tutorials/install_cab_file.htm