Tom Lauck’s Deseloper.org

Push Email with a Non-Recognized SSL Authority


Upon buying a Windows Mobile 5 Smartphone, I was very excited to give push email a try. After all, I had heard great things about it.

Eager to journey into push email bliss, I entered my Microsoft Exchange server information in ActiveSync on my device. To my dismay, ActiveSync failed to connect to Exchange. To add further frustration, ActiveSync gave me this incredibly helpful message:

The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server.

Support code : 0x 80072F0D.

Although I had no idea what the implications of this were, as my “Exchange Server Administrator” was sitting right next to me, I thought Google might lend its hand. I should note the fact that we do not use a Microsoft Windows Mobile 5 “Recognized SSL Authority,” but an SSL certificate from a Free SSL Authority.

Even more frustration resulted from Google searches. As it turns out, there is a lot of bad information on this subject. And I mean A LOT! Instructions talked about editing the registry, unlocking the phone, creating custom registry entries, and even custom XML/CAB files containing the cert. All of those instructions were an attempt to stop the operating system (WM5) from checking/requiring an SSL certificate from a recognized or trusted authority (Microsoft does have a list of trusted authorities). THIS HACK IS NOT POSSIBLE IN WM5, period. The only solution is to install the WHOLE CERTIFICATE CHAIN (3 certs in a parent/child relationship). In my case, the certificate chain was as follows: Free SSL Authority Cert > StartCom SSL Cert > Mail.OurCompany.Com Cert

So the real instructions on how to use a Free SSL Authority on a WM5 device are as follows (use a computer running Windows):

  1. Install the Certificate Authority cert (in my case the Free SSL Cert) onto a computer so that you no longer get the certificate trust warning when logging onto the website.
  2. In the browser that you installed the cert in, navigate to the site you have enabled the certificate on (in my case mail.ourcompany.com) and double click the padlock to bring up the details.
  3. Click on the details tab > select “Copy to File” > Next > select PKCS#7 and check the box below that says “Include all Certificates in the certification path if possible”.
  4. Give the file a name and save it somewhere, then click Finish.
  5. Find the file and double click on it so that it loads an MMC, then expand the selections until you can see 3 certs in the right hand pane. IF THERE ARE NOT 3 CERTS VISIBLE, then you have not installed the cert properly in your browser; see number 1. You can usually download this top level cert from your SSL Authority web site.
  6. Right click each of these certs individually and export it as DER Encoded Binary (*.cer). Once all are saved, copy them to your WM5 device via ActiveSync and then run each of them on the mobile device via the file manager in the start menu.
  7. You can check that all 3 certs are installed by going to Settings > Security > Certificates > Root on your WM5 device.
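
Steps 5 and 6 can also be done from PowerShell on the same Windows computer. The function below is an added example, not part of the original post: it reads the PKCS#7 file saved in step 4, stops if the chain is incomplete, and writes each certificate as a DER `.cer` file. The function name, parameters, file names and the usage line are assumptions.

```powershell
# Added example: split the PKCS#7 file from step 4 into DER .cer files and
# confirm the chain is complete before copying anything to the device.
# Function name, parameters and output file naming are assumptions.
function Export-ChainForDevice {
    param(
        [Parameter(Mandatory)] [string] $P7bPath,   # file saved in step 4
        [Parameter(Mandatory)] [string] $OutDir,    # folder to copy to the device
        [int] $ExpectedCount = 3                    # root > intermediate > server
    )

    # .NET resolves relative paths against the process directory, so resolve first.
    $P7bPath = (Resolve-Path -LiteralPath $P7bPath).Path
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $OutDir = (Resolve-Path -LiteralPath $OutDir).Path

    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import($P7bPath)   # reads every certificate in the PKCS#7 bundle

    if ($certs.Count -ne $ExpectedCount) {
        throw "Found $($certs.Count) certificate(s), expected $ExpectedCount. Install the CA cert (step 1) and export again."
    }

    # A self-signed certificate (Subject equals Issuer) is the top of the chain.
    $roots = @($certs | Where-Object { $_.Subject -eq $_.Issuer })
    if ($roots.Count -ne 1) {
        throw "Expected exactly one self-signed root in the bundle, found $($roots.Count)."
    }

    # Every certificate must name an issuer that is also in the bundle.
    $subjects = @($certs | ForEach-Object { $_.Subject })
    foreach ($c in $certs) {
        if ($subjects -notcontains $c.Issuer) { throw "Issuer of '$($c.Subject)' is missing from the bundle." }
        if ($c.NotAfter -lt (Get-Date))       { throw "'$($c.Subject)' expired on $($c.NotAfter)." }
    }

    # Write each certificate as DER encoded binary (*.cer), as in step 6.
    foreach ($c in $certs) {
        $file = Join-Path $OutDir ("{0}.cer" -f $c.Thumbprint)
        $der  = $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($file, $der)
        [pscustomobject]@{ Subject = $c.Subject; Issuer = $c.Issuer; File = $file }
    }
}

# Usage (constructed file names):
# Export-ChainForDevice -P7bPath .\mail-chain.p7b -OutDir .\wm5-certs
```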

If you have a certificate from a trusted authority you should have none of the issues that I and many others had. However, in my case, I had a week or more of frustration. Moral of the story: don’t hack the phone, just give permission for WM5 to access your “untrusted” secure mail server by installing the correct certificates (3 in total).

And there was great rejoicing……

yaaaay.

—————————–
Mobile Devices Tested On:
• T-Mobile SDA II / iMate SP5m / HTC Tornado
• T-Mobile Dash

7 Responses

date: November 5th, 2008

Thanks for the info!

spoken by: Timur

date: July 15th, 2009

Useful info. We have a Verisign certificate, but our T-Mobile Dashes with WM6 would not trust the cert. By downloading the Root and Intermediate Certs to the phones, we were able to sync with Exchange. Thanks for the assistance.

spoken by: Alan

date: December 22nd, 2009

I am smitten by the way you addressed this topic. It is not often I come across a web site with amusing articles like yours. I will bookmark your feed to stay up to date with your hereafter updates. Just brilliant and do preserve up the complete work.

spoken by: Eustolia Macinnis

date: May 24th, 2010

I consider that your case is rather serious with an assorted range of great info. Anyhow, was curious whether you would be willing to interchange web links with my web site, as I am searching to establish links to further enlarge and reach better audience for my web site. I don’t really mind you positioning my contacts at the main page, just accepting this web links on this page is more than adequate. By the way, would you please be kind enough to contact me at my web site if you are interested in the link exchange, I would really value that. Best wishes from me and hopefully to hear from you as soon as possible!

spoken by: Panda Internet Security 2010

date: June 10th, 2010

Very good and cool, thank you for your sharing.

spoken by: help stop drinking

date: November 25th, 2011

I like the helpful info you provide in your articles. I’ll bookmark your blog and check again here frequently. I am quite sure I will learn lots of new stuff right here! Good luck for the next!

spoken by: Blanca

date: January 20th, 2012

It’s such as you read my thoughts! You appear to understand so much approximately this, such as you wrote the e-book in it or something. I feel that you simply could do with a few % to pressure the message home a little bit, however other than that, this is excellent blog. An excellent read. I will definitely be back.

spoken by: Ha Lavine


Jan 13 2007