How to install certificate on iPhone 3G?

Thanks, but setting up IMAP e-mail isn't the problem, I can do that just fine.

The problem is that I can't get the exchange mail setup so I can get my contacts, calendar, mail, etc. pushed to my iphone.

Keep in mind that this is for the 3G iPhone with exchange support, not the old iphone mail setup.

I need to know the same thing - you would think Apple would of released something for this by now.

Also looking for this... anyone have any insights?

I just successfully connected an iphone to my exchange 2003 environment.  The only thing that might be different for me is that I have a purchased (trusted) certificate installed on my OWA site.  When configuring the iphone i put down the owa site as the server and it connected fine.  We do need to know what your Exchange environment is like though.  Do you have a front end/back end server scenario or are you just running one Exchange server that hosts the mailboxes and OWA?  

My suggestion is to buy a trusted cert from a public CA like Network Solutions (There are other cheaper ones out there); but there are other considerations to take into account depending on whether or not you're running 1 or 2 servers, so let us know.  

I have a trusted cert from verisign, my question is, do you enable SSL on the microsoft-active-sync virtual directory in IIS or do you enable SSL on the OMA virtual directory? You cannot enable it on the exchange virtual directory because microsoft active sync has to communicate with the exchange virtual directory over port 80, 443 will not work. I installed the cert on my iphone, I just added my personal yahoo e-mail address, then e-mailed the cert to myself and installed it that way.

j_crow1/slarge:  single server or front end/back end, and are you also using forms based authentication?  

this thread might also help everyone.  

http://www.experts-exchange.com/Apple/Hardware/iPhone/Q_23560049.html

wv-rog,

We run just a single exchange server. We are also using an untrusted certificate that I believe the consulting group that helps with IT support originally setup. How much does it cost to get a trusted cert from Network Solutions? (They house all of our domains as it is anyways)

I figured out how to get the certificate installed, but still no luck. (For those that don't know, you just need to install the cert on a PC. Then open up MMC and add the certificates snap-in. Do a search for the certificate and then export it to your desktop. E-mail it to yourself and install it that way)

The problem I am having now is that I have the certificate installed and it shows up when I go to Settings on my iPhone.

What happens now is when I browse to OWA using Safari it tells me the certificate is invalid and when I try to sync the mail it tells me it cannot verify the certificate. I have removed the Exchange account on the phone and removed the cert and reinstalled/reconfigured multiple times with the same result.

Also as a tidbit, I can browse to OWA, it tells me the certificate is invalid, but I just hit accept and I can still login and browse my mail through OWA, which is strange.

Also, when you say forms based authentication, what does that mean?

OK,

Another update. I tested sending a message using my current setup and I can send outgoing e-mail using the Exchange setup on the iphone, it's just not syncing anything to the phone.

Any thoughts on what might be causing this?

You have to turn on contacts and calendars sync in mail setup.  Otherwise it'll just sync mail.

Here is where you can turn them on.  "Settings", "Mail, Contacts, Calendars", select the exchange account you created.  Turn on both contacts and calendars and it'll start sync your phone numbers and appointments.

single server... OK.  I'm also assuming you're all patched and service packed on your Exchange server.  If not, do that.  

SSL cert from netsol is about $89/year for just your owa site which is probably sufficient. Compare that with the time you've already spent on this.  I'm not saying it will completely solve your problems but will help a great deal.  You actually won't have to deal w/ getting the cert on the iphone at all after that becuase it's trusted already.  I highly recommend it, also folks won't have to click "proceed to site" when they get that untrusted cert error, which won't happen anymore.  

Forms based auth:  When you go to your owa site, does it prompt you to log in via a dialog box (pop up) or does it go to a login page.  you can also find out if you have it enabled here: rt click the exchange virtual server in ESM (admin group - servers - your server - protocols - http) and see the settings tab.  See this link for details also: http://www.petri.co.il/configuring_forms_based_authentication_in_exchange_2003.htm

Single server WITH FBA turned on, presents a couple other challenges (this is how I have it set up) but it definitely can be done.  This link is how you'd set it up, it refers only to activesync but that's what we're doing on the iphone 3gs.  (Usual caveats/warnings: backup registry, backup system, be careful, don't drink and edit registry, look both ways before crossing, etc. etc.)

http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

In your scenario, I really think getting that public cert will save you a headache and a ton of time and effort.

It looks like slarge's cert problem is resolved.  I am using a server generated cert (free, not commercial) with iPhone.  No problem with sending, receiving, calanders and contacts.

You wrote that you succeeded to install the certificate on the iphone but it is claimed to be invalid. Did you really install the CA Root Certificate or did you wrongly install the SSL certificate on the iphone?

There is a manual available that explains about installing root certificates.
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

ExecTWI,

What is the difference between the two? The certificate that I installed was the same certificate that I am prompted to accept/install when I browse to OWA.<INSERTCOMPANY>.COM.

I installed it just how the manual states, by sending it to myself via e-mail.

wv-rog,

We do not use form based authentication. I'll look into possibly purchasing the cert, but it sounds like others have been able to do it with a self-signed cert. So I still want to stick down this route until I'm completely stumped.

Hmm,

I dunno, it seems odd to me that I can send e-mail out using the exchange account but I cannot see any. I would think that if the certificate was the issue then I wouldn't be able to send e-mail either.

Just want to confirm again that I am able to use a self-signed CA cert using my own Certificate Server with iPhone.

Just to save myself some time and narrow down the possible problems, I went ahead and ordered a signed SSL cert from Network Solutions. I'm just awaiting on verification from them, then once I have that setup and installed, I will post an update on where I am at.

Thanks for the help so far everyone.

Ok, looks like we can close this now.

I gave my iPhone to the consulting company that does a lot of the behind the scenes server work and originally setup our Exchange server. Apparently there was a few missing pieces in IIS for OMA, that needed to be changed.

Once that was completed, it's syncing properly with a self-signed cert! Woo hoo. :)

Hi slarge,
I'm still battling with this.. can you please elucidate for my and others sake what exactly was "missing" in your setup? Would be very helpful..

I posted another query along trhese lines and have had no responses.. So I'm glad I fell upon this thread.. !!

Still not sure how one would set the timeout on a Cisco pix 501 (for SSL) I only find SSH ..  Any clues?

Thanks to all for useful info.

slarge,

Please post what those missing pieces were that fixed your issue. Thanks.

isn't it funny how many times you come across a forum thread from any site that discusses your exact problem but is missing part or all of the solution?

Ok, not funny but frustrating!

Yeah I gotta agree with the last 2 posts... what's the point of telling everyone it's working now without telling us what you did to fix it.  I've been reading this site and tons of others on the internet trying to get this to work and it just refuses too.  What things were "missing" and how did you fix it?

Hello again,

I think this certificate stuff is a bit of a red herring!  I have a test server with my nephew playing with it.. it is SBS 2003 SP2 and the push works perfectly for me on that one!  When it says certificate is not valid, I just say ok.. and it connects anyway!  No problems

There is SOMETHING on my 2003 server (NOT SBS) which is blocking this.. We have a Cisco Pix 501, but OWA works fine with SSL ..

I'm damned if I can figure out what the hell is going on here!

I'm just not having any luck with this, I just installed my SSL cert on my iphone and it still doesn't work.  Server is showing it's trying to connect, but event logs just fill up with ID#3005.  I've done everything I can find for that error on the server and no luck.  I'll probably open up my own question

I'm sorry that I cannot get into specific details as to what was missing, because I had handed it off to the consulting group that handles our mail server and had him look into it. According to him, there was some ActiveSync settings on the server relating to IIS that were missing.

So it wasn't an issue with the self-signed cert, rather it was just some missing ActiveSync settings. If you have a Windows Mobile device with ActiveSync, then try and connect using that phone. If you cannot connect then you know whether it is an issue on the server or something related to the iPhone specifically.

Try googling ActiveSync settings and I'm sure there are plenty of available guides on how to set it up, then just go off of that to confirm that you have everything setup properly server-side.

There are so few things t set server side with active sync.. the only thing that comes to mind is did you set up the moble carrier? someting like @mobile.o2.co.uk (in my case)

I'm sorry, I don't understand what you mean by mobile carrier?  First mention of that I've seen in any thread anywhere.

In Exchange manager.. Global settings -->mobile services .. In the right hand pane right click add new mobile carrier.. that is where you put your mobile provider O2 Vodafone etc in the format @mobile service (ask your provider what that sgould be!)

Server Side:
On the server side it ist important NOT to require SSL or forms based authentication (at least not in a single server environment). See MS KB 817379. In our environment we had required SSL, and  ActiveSync did not work until I unchecked the corresponding checkbox for the Exchange virtual directory in IIS.
Actually we DO use SSL to connect to OWA and to ActiveSync. The point is that it must be allowed NOT TO USE SSL, since internally ActiveSync wants to access the Exchange Virtual Directory without SSL.
I did not configure a mobile carrier. (don't know what this is)

Client Side:
On the iPhone I installed the CA root certificate of our internal self-signed certificate server. I could do this through the certificate server's web interface  (http://<certificate server>/certsrv). There is a link "Download a CA certificate..." and the installation worked on the iPhone.
When configuring the exchange server on the iPhone, it is important to specify the fully qualified external name (as defined in the SSL certificate of the Exchange virtual directory). I first tried the internal name since I was connected to the intranet, but I received a certificate error because of the mismatch of the used name and the issued name of the certificate. After correcting the name, everything worked perfectly.
 

Thanks for the info exexTWI, i'll go over this in a bit in my situation.  I have an open question here, http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23605965.html  , if you could have a look at it and see if anything catches your eye as a glaring reason why this isn't working for me i'd appreciate it.  Thanks.