Tom Lauck’s

Push Email with a Non-Recognized SSL Authority


Upon buying a Windows Mobile 5 Smartphone, I was very excited to give push email a try. After all, I had heard great things about it.

Eager to journey into push email bliss, I entered my Microsoft Exchange server information in ActiveSync on my device. To my dismay, ActiveSync failed to connect to Exchange. To add further frustration, ActiveSync gave me this incredibly helpful message:

The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server.

Support code : 0x 80072F0D.

Although I had no idea what the implications of this were, as my “Exchange Server Administrator” was sitting right next to me, I thought Google might lend its hand. I should note that we do not use a Microsoft Windows Mobile 5 “Recognized SSL Authority,” but an SSL certificate from a Free SSL Authority.

Even more frustration resulted from Google searches. As it turns out, there is a lot of bad information on this subject. And I mean A LOT! Instructions talked about editing the registry, unlocking the phone, creating custom registry entries, and even custom XML/CAB files containing the cert. All of those instructions were attempts to stop the operating system (WM5) from checking for, and requiring, an SSL certificate from a recognized or trusted authority (Microsoft does have a list of trusted authorities). THIS HACK IS NOT POSSIBLE IN WM5, period. The only solution is to install the WHOLE CERTIFICATE CHAIN (3 certs in a parent/child relationship). In my case, the certificate chain was as follows: Free SSL Authority Cert > StartCom SSL Cert > Mail.OurCompany.Com Cert.

So the real instructions for using a Free SSL Authority certificate on a WM5 device are as follows (use a computer running Windows):

  1. Install the Certificate Authority certificate (in my case the Free SSL cert) onto a computer, so that you no longer get the certificate trust warning when logging on to the website.
  2. In the browser that you installed the cert into, navigate to the site you have enabled the certificate on (in my case and double-click the padlock to bring up the details.
  3. Click on the Details tab, select “Copy to File” > Next > select PKCS#7, and check the box below that says “Include all Certificates in the certification path if possible”.
  4. Give the file a name, save it somewhere, then click Finish.
  5. Find the file and double-click it so that it opens in an MMC console; expand the tree until you can see 3 certs in the right-hand pane. IF THERE ARE NOT 3 CERTS VISIBLE, then you have not installed the cert properly in your browser; see step 1. You can usually download this top-level cert from your SSL Authority's website.
  6. Right-click each of these certs individually and export it as DER Encoded Binary (*.cer). Once all are saved, copy them to your WM5 device via ActiveSync and then run each of them on the mobile device via the File Manager in the Start menu.
  7. You can check that all 3 certs are installed by going to your WM5 device's Settings > Security > Certificates > Root.
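
As an added example (not part of the original post, and not a Microsoft tool): a small Python script that does the step 5 check programmatically, splitting a PKCS#7 bundle into its certificates and following issuer links to confirm that the leaf, the intermediate and the root are all present. The certificate names come from the chain above; the bundle itself is constructed inside the script from unsigned placeholder certificates, and the DER walking assumes the plain SignedData layout that "Copy to File" writes rather than being a general ASN.1 parser.

```python
# Added example (not the post's own tooling): parse a PKCS#7 bundle and check that the chain is complete.
def der(tag, body):  # encode one DER TLV; lengths below 65536 bytes are enough here
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def children(body):  # split a constructed DER body into (tag, inner_body, raw_tlv) triples
    out, i = [], 0
    while i < len(body):
        tag, n, j = body[i], body[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, j = int.from_bytes(body[j:j + k], "big"), j + k
        out.append((tag, body[j:j + n], body[i:j + n]))
        i = j + n
    return out

ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption, no params
OID_DATA, OID_SIGNED = (der(0x06, bytes.fromhex("2a864886f70d0107" + t)) for t in ("01", "02"))

def name(cn):  # X.501 Name holding a single commonName (OID 2.5.4.3)
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))

def fake_cert(subject, issuer):  # constructed, UNSIGNED v1 shell: only subject/issuer are meaningful
    validity = der(0x30, der(0x17, b"070101000000Z") + der(0x17, b"080101000000Z"))
    tbs = der(0x02, b"\x01") + ALG + name(issuer) + validity + name(subject) + der(0x30, ALG + der(0x03, b"\x00"))
    return der(0x30, der(0x30, tbs) + ALG + der(0x03, b"\x00"))

def pkcs7_bundle(certs):  # SignedData carrying only certificates, as "Copy to File -> PKCS#7" writes it
    signed = der(0x02, b"\x01") + der(0x31, b"") + der(0x30, OID_DATA) + der(0xA0, b"".join(certs)) + der(0x31, b"")
    return der(0x30, OID_SIGNED + der(0xA0, der(0x30, signed)))

def certs_in_pkcs7(blob):  # raw DER of every certificate in the [0] IMPLICIT certificates field
    signed = children(children(children(blob)[0][1])[1][1])[0][1]  # ContentInfo -> [0] EXPLICIT -> SignedData
    return [raw for _, _, raw in children(next(b for t, b, _ in children(signed) if t == 0xA0))]

def names(cert):  # (subject CN, issuer CN); the optional [0] version field of v3 certs is skipped
    tbs = [c for c in children(children(children(cert)[0][1])[0][1]) if c[0] != 0xA0]
    cn = lambda nm: children(children(children(nm)[0][1])[0][1])[1][1].decode()
    return cn(tbs[4][1]), cn(tbs[2][1])

def check_chain(blob):  # order leaf -> root by following issuer links; raise when a link is missing
    issuer_of = dict(names(c) for c in certs_in_pkcs7(blob))
    chain = [s for s in issuer_of if s not in issuer_of.values()]  # the leaf issues nothing
    if len(chain) != 1:
        raise ValueError("bundle does not contain exactly one end-entity certificate")
    while issuer_of[chain[-1]] != chain[-1]:  # stop at the self-signed root
        if issuer_of[chain[-1]] not in issuer_of:
            raise ValueError(f"chain incomplete: issuer {issuer_of[chain[-1]]!r} is not in the bundle")
        chain.append(issuer_of[chain[-1]])
    return chain

# Constructed sample using the chain named in the post; SHORT_BUNDLE reproduces the "only 2 certs" failure.
ROOT = fake_cert("Free SSL Authority", "Free SSL Authority")
MID, LEAF = fake_cert("StartCom SSL", "Free SSL Authority"), fake_cert("mail.ourcompany.com", "StartCom SSL")
FULL_BUNDLE, SHORT_BUNDLE = pkcs7_bundle([LEAF, MID, ROOT]), pkcs7_bundle([LEAF, MID])
```

Running `check_chain` on a real exported .p7b returns the subject names leaf to root when the bundle is complete, and raises naming the missing issuer when the root from step 1 was never installed.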

If you have a certificate from a trusted authority you should have none of the issues that I and many others had. However, in my case, I had a week or more of frustration. Moral of the story: don’t hack the phone, just give WM5 permission to access your “untrusted” secure mail server by installing the correct certificates (3 in total).

And there was great rejoicing……


Mobile Devices Tested On:
• T-Mobile SDA II / iMate SP5m / HTC Tornado
• T-Mobile Dash

Jan 13 2007