SSLChainSaver v2 released

Two years ago I released the first version of the SSLChainSaver tool. This tool helps you diagnose and repair SSL problems on Windows Mobile devices. After a very long delay, Version 2 is now up on the Microsoft download center. I wasn't able to release the source code this time. The usage instructions are similar to the previous version:

From a command prompt, run the tool.

> sslchainsaver mail.company.com

This will create a directory called mail.company.com which contains all the certificates from the SSL chain. It will also create files called mail.company.com.wm5.xml and mail.company.com.wm6.xml which can be installed over USB using rapiconfig or put in a CAB file for installation on device.

New features:

  • Creates versions of the XML for Windows Mobile 5 and 6. The WM6 version of the XML can always be installed on WM6 devices: it installs the certificates to the user store, so the device's security policies will never block it.
  • Tries to diagnose many common SSL problems: no root cert sent by the server, common name mismatch, wildcard certs with WM5 devices, etc.

Known Issues:

  • The tool needs to be able to write to the current directory in order to save the files. If you install to \Program Files on Vista and are not running an admin command prompt, it won't be able to write out the certs. Either install it to a directory where you have write access (like Documents) or run from an elevated command prompt.
  • The tool can detect a common name mismatch on the cert but it doesn't parse the "SubjectAltNames" extension. If your certificates are using SubjectAltNames, the tool will report a name mismatch but the certs will really work fine.
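
The checks described in the feature list (no root cert sent by the server, common name mismatch, wildcard certs) and the SubjectAltName gap in the known issues can be illustrated with a small stand-alone script. The code below is an added example, not SSLChainSaver's code or output: it works on constructed certificate dicts laid out like the ones Python's `ssl.SSLSocket.getpeercert()` returns, and it parses the SubjectAltName `DNS` entries that the tool itself does not, so a cert that the tool would report as a name mismatch is correctly accepted here when a SAN entry matches. The function and finding names (`diagnose`, `ok-san`, `no-root-sent`, ...) are this example's own.

```python
"""Chain and hostname diagnostics over getpeercert()-style certificate dicts.

Added example; the certificates below are constructed sample values, not
real server output.
"""

# Constructed chain: a self-signed root, an issuing CA, and two leaf certs.
ROOT = {
    "subject": ((("commonName", "Company Root CA"),),),
    "issuer": ((("commonName", "Company Root CA"),),),
}
ISSUING = {
    "subject": ((("commonName", "Company Issuing CA"),),),
    "issuer": ((("commonName", "Company Root CA"),),),
}
# CN does not name the mail host, but a SubjectAltName entry does.
LEAF_SAN = {
    "subject": ((("commonName", "webmail.company.com"),),),
    "issuer": ((("commonName", "Company Issuing CA"),),),
    "subjectAltName": (("DNS", "webmail.company.com"), ("DNS", "mail.company.com")),
}
# Wildcard cert with no SubjectAltName extension.
LEAF_WILDCARD = {
    "subject": ((("commonName", "*.company.com"),),),
    "issuer": ((("commonName", "Company Issuing CA"),),),
}


def common_name(name):
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def dns_names(cert):
    """Return the DNS entries of the SubjectAltName extension, if any."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Match a cert name against a hostname: exact, or one leading '*.' label.

    The wildcard only covers a single label, never the bare domain or a
    public suffix (RFC 6125 style matching).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:])
    return False


def diagnose_name(cert, hostname):
    """Say how the leaf names the host: via SAN, via CN, with a wildcard, or not at all."""
    sans = dns_names(cert)
    for name in sans:
        if name_matches(name, hostname):
            return "ok-wildcard-san" if name.startswith("*.") else "ok-san"
    if sans:
        # When SAN DNS entries exist, clients ignore the CN, so this is a real mismatch.
        return "mismatch"
    cn = common_name(cert["subject"])
    if cn and name_matches(cn, hostname):
        return "ok-wildcard-cn" if cn.startswith("*.") else "ok-cn"
    return "mismatch"


def diagnose_chain(chain):
    """Check each cert is issued by the next one and that the chain ends in a self-signed root."""
    findings = []
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            findings.append("chain-break: '%s' is not issued by '%s'"
                            % (common_name(child["subject"]), common_name(parent["subject"])))
    last = chain[-1]
    if last["subject"] != last["issuer"]:
        # The device has nothing to anchor trust to if the root is not sent.
        findings.append("no-root-sent")
    return findings


def diagnose(chain, hostname):
    """Combine the chain findings with the hostname verdict for the leaf (chain[0])."""
    return diagnose_chain(chain) + ["name: " + diagnose_name(chain[0], hostname)]


if __name__ == "__main__":
    for finding in diagnose([LEAF_SAN, ISSUING], "mail.company.com"):
        print(finding)
```

Running the script on the constructed two-cert chain reports `no-root-sent` and `name: ok-san`; the tool described in the post would instead report a common name mismatch for that leaf, which is exactly the second known issue.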

Let me know here if you have any problems with it. I hope it helps you out.

Scott

Comments

  • Anonymous
    May 30, 2008
    Where does this install to?  I have .NET framework 2.0 installed, but when I type sslchainsaver at a command prompt, it comes back as: "'sslchainsaver' is not recognized as an internal or external command, operable program or batch file."

  • Anonymous
    May 30, 2008
    It's one of the options you can pick during install. By default I think it will go to "C:\Program Files\Microsoft SSL ChainSaver"

  • Anonymous
    June 15, 2008
    I ran the SSL Chainserver and it created two certificates (a root and a leaf). Now to create a .CAB file do I make use of only the root certificate? Thanks

  • Anonymous
    June 15, 2008
    Hey Prashanth, Use the .XML files that are created in the same directory as the tool. That XML file contains all of the certificates for the chain.

  • Anonymous
    June 24, 2008
    I'm trying to use the tool to get the SSL chain from my LCS 2005 Access Proxy to my Motorola Q.  I have a Verisign Public cert at improxy.kindermorgan.com, using TLS on TCP 5061.  I tried the tool at FQDN:5061 and get Connection failed: No such host is known.  I tried it with the defaults and get connection refused, which makes sense since I'm not using 443.

  • Anonymous
    June 24, 2008
    Hey Scott, Make sure you don't put the colon there between the FQDN and the port. I was able to connect to your server when I put a space there.

  • Anonymous
    July 14, 2008
    I'm having problems getting the cert to install on my Verizon XV6800.  I downloaded SSL Chain Saver and used it per your directions.  I took the WM6 file and turned it into a .cab file following the link below http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx.  I didn't change anything in the file I did rename it to include _setup.  I even tried it without the _setup.  Every time I try to install the CAB file I get installation unsuccessful.  The site I'm going to is exchange.aws.com.  Any help you can give me on this would be great. Thanks, Jason

  • Anonymous
    July 16, 2008
    Connecting to an emulator and configuring it with Exchange through ActiveSync If we configure an emulator

  • Anonymous
    August 05, 2008
    hi scott, i have downloaded this program and have followed your directions to open at the command prompt. When i enter the information it doesn't do anything. what am i doing wrong? i installed the program on my desktop, not my server. am running xp pro sp2 and have a HTC 6800 w/ WM6. my main issue is phone is not recognizing self generated certificate and i cannot ActiveSync remotely. is this the right fix? please help thanks victor

  • Anonymous
    August 08, 2008
    Scott et al., I can't get this website to work on wm 6.1. I know it will not load up on IE when you have 3.0 ssl checked under tools/advanced..Any ideas??? Thanks in advance! Scott

  • Anonymous
    August 08, 2008
    Sorry!! website is: https://epic.comair.com Thanks!!

  • Anonymous
    September 12, 2008
    Just a little note to anyone who read over the instructions a bit too quickly... (cough cough me) When you run the command prompt be sure to change the directory to C:\Program Files\Microsoft SSL ChainSaver Then it will work correctly.

  • Anonymous
    September 29, 2008
    "This file does not have a program associated with it..." is the error I am receiving when I put what you said into run. I have .NET framework 2.0 installed and put the file in "C:\Program Files\Microsoft SSL ChainSaver."  What is the problem?

  • Anonymous
    October 25, 2008
    Hey Adam, I think your situation is covered in the known issues list in this post. (the first one)

  • Anonymous
    November 12, 2008
    Hi, I went through and created the .cab but it uninstalls unsuccessfully. I was able to download and install the program.  I created the xml files.  i took the one for wm6 and ran the command to make it a cab file.  I installed the cab file on my phone and tried to install it from there but i get "installation of rootcert.cab was unsuccessful".  Any ideas on what I missed?  Did wrong? Thanks

  • Anonymous
    November 23, 2008
    @Laura: Yes, it should definitely work w/ a 6.1 device. @Matt: It's just a guess, but it's possible there was an error during cab creation. The XML file has to be renamed exactly to _setup.xml. (with the underscore and everything) Some people have run into problems when they forgot to rename the XML or didn't get the name exactly right.

  • Anonymous
    February 11, 2009
    I'm in an Exchange environment where our internal Exchange server address is different to the external Exchange address. I tried the above process and completed all the commands successfully but still unable to connect via ActiveSync. Is there anything further i can try or do i need to wait for our IT team to fix the SSL certificate error (which is in regards to the incorrect domain name)

  • Anonymous
    February 11, 2009
    I don't think you'll be able to connect if the CN on the cert doesn't match the server name. I believe SslChainsaver v2 will alert you to that when you run it.

  • Anonymous
    April 29, 2009
    When I ran sslchainsaver.exe, it produced the following error: Error: We were unable to find a self-signed root certificate. The server must send the root certificate during the SSL handshake. Windows Mobile devices will not be able to connect via ActiveSync. The 'mail.company.com' folder contained a copy of the leaf certificate (that was produced from a private certificate server), but neither of the xml files contained any thumbprint or certificate information. I have tried installing both the root and the leaf certificate manually (as per http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx) , and  I can browse to the site in question from the mobile device, but I still get the error: "the certificate was issued by a company you have not chosen to trust". Is there something I need to change in IIS to send the root certificate as part of the SSL handshake?