Solved

SSL Certificate problems on Windows Mobile 5...

Posted on 2006-05-18
Last Modified: 2007-12-19
I continue to get a not trusted certificate error on a Cingular 8125 - Windows Mobile 5 device when accessing OMA as well as an error when synching through Microsoft ActiveSync.  I have a number of Treo 650s and Samsung PCH-i600s which work just fine through ActiveSync with SSL enabled.

The SSL certificate on the Exchange server was issued by InstantSSL/Comodo Group.  I have the root and intermediate certificates properly installed on the server (as evidenced by the other devices working).  I have installed three root certificates from the InstantSSL website on the Cingular 8125 using instructions from this site.  The 8125 works fine with SSL disabled.  Also, the certificate error gives green checks to date and server name, only "not chosen to trust" error.

I am completely at a loss here.  Any help would be appreciated.
Question by:kingwr12
LVL 8

Expert Comment

by:oldhammbc
ID: 16716473
This sounds a bit strange; you shouldn't really have to install the certificate on the device, because Comodo certificates are already trusted on Mobile 5 devices. Is the certificate definitely for the host name you are using?
For example, we have a certificate for webmail.ourcompany.com; this would not work attached to a website called oma.ourcompany.com.
Have you tried connecting over Outlook Web Access to see if you get the same error on a standard web browser?

Cheers

Dave J
0
 

Author Comment

by:kingwr12
ID: 16717479
Accessing OWA from a PC browser works fine.  No certificate warnings.

The certificate is for the correct host name, and in fact the certificate warning on the Windows Mobile 5 device gives green checks for date and name, but gives warning for "company not chosen to trust".

Further, the Windows Smartphone 2003 devices and the Treo 650s ActiveSync with no warnings or errors (I have never tried OMA from these devices).

Working from InstantSSL support site, I converted to DER and installed on the WM5 device 3 root certificates.  This did not resolve the problem either.  I agree that this is strange, in that it seems that everything works fine outside the WM5 environment, and with the root certificates installed, the WM5 should work too.  

WRK
0
 
LVL 8

Expert Comment

by:oldhammbc
ID: 16718214
If the certificate is trusted by web browsers then there is no reason why the certificate should be installed on the device. I'm wondering if the certificate store on the device has somehow got screwed up, with there being 2 different copies of the certificate on there. Have you tried this on a "virgin" Mobile 5 device?

Cheers
Dave J
0
 

Author Comment

by:kingwr12
ID: 16718666
I only have the one WM5 device (it is my new Cellphone, a cingular 8125).  However, I did not install the root certificates from Comodo/InstantSSL until AFTER the device was failing, i.e. exhibiting the symptoms described above.  I also tried only installing one of the root certificates before actually installing all 3.  I can try removing the 3 root certificates and see if that restores service.

WRK
0
 
LVL 8

Expert Comment

by:oldhammbc
ID: 16718730
To be honest, I'd also try that, and maybe back up your phone and do a full reset on it. I know it sounds a bit harsh, but then at least you will be 100% sure that it's something on the server or the device.

Cheers

Dave J
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16721924
The fact that it is working on a desktop does NOT mean it will work on the handheld.
Installing the root and intermediate certificate on the server will not help the handheld.

SSL certificates from that issuer are not trusted by Windows Mobile devices natively.
Therefore you will need to export both the root and the intermediate certificate into the correct format and then import them into the Windows Mobile device.

http://www.amset.info/pocketpc/certificates.asp

You can reset the device as many times as you like, the handheld will never accept the certificate until you have imported the required certificates.

Simon.
0
 

Author Comment

by:kingwr12
ID: 16722008
I tried installing the certificate issued for my mail server as well as the root certificates from the InstantSSL site using the exact procedure described on that website before I posted on this site.  None of that helped or solved the problem.  In fact, installing various certificates in various combinations has done nothing to change the symptoms on the WM5 device.

WRK
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16722613
Is this a wildcard certificate or a specific host certificate?

Have you seen this blog posting about using intermediate certificates?
http://blogs.msdn.com/windowsmobile/archive/2006/02/27/ssl_certificates_201.aspx

I only use certificates that come off a root direct or are trusted by the device. I have had no problems with RapidSSL certificates on Windows Mobile. I just need to install the root certificate on to the device and then I am done.

Simon.
0
 
LVL 8

Accepted Solution

by:
oldhammbc earned 750 total points
ID: 16722654
As far as I know, Comodo certificates are supported by Windows Mobile 5 (unless of course my mobile provider has installed it on my device and it's not standard).
All Comodo certificates are trusted under the certificate GTE CyberTrust Global Root. Could you look under your root certificates on the device and see if you have GTE CyberTrust Global Root? We have purchased a certificate from a company called trustssl, which basically resells Comodo certificates, and that works fine with Mobile 5.

Not really much help, I know, but that certificate should definitely be supported by Mobile 5.

Cheers

Dave J
0
 

Author Comment

by:kingwr12
ID: 16723149
Indeed GTE CyberTrust Global Root is installed on the WM5 device.  However, our Comodo cert appears to be issued on the AddTrust External CA Root.  I will put in a support request with Comodo.

WRK
0
 

Author Comment

by:kingwr12
ID: 16724534
The InstantSSL certificate issued by Comodo was issued from the UTN-USERFirst-Hardware root.  They reissued a certificate for me from the GTE CyberTrust Global Root CA root, I installed it and everything worked out of the box with no new certificates required on the WM5 device.

Takeaway:  I am not sure how Comodo Group decides which root to issue a certificate from, but you probably want to specify GTE CyberTrust Global Root when buying an InstantSSL certificate for use with Windows Mobile 5 devices.

Thanks,
WRK
0
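
The diagnosis the thread arrives at (find the root the server's chain ends in and compare it with the roots on the handheld), as an added example that is not part of any post above. The chain text, the host name mail.example.com and the one-entry device root list are constructed, and matching by name only is a simplification of real validation, which also checks signatures.

```python
import re

# Constructed samples in the "Certificate chain" layout of `openssl s_client -showcerts`.
ORIGINAL_CHAIN = """\
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=UTN-USERFirst-Hardware
 1 s:/CN=UTN-USERFirst-Hardware
   i:/CN=AddTrust External CA Root
"""
REISSUED_CHAIN = """\
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=GTE CyberTrust Global Root
"""
# Constructed, partial device store: only the root the thread confirms is on the handheld.
DEVICE_ROOTS = {"GTE CyberTrust Global Root"}

_ENTRY = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")
_CN = re.compile(r"CN\s*=\s*([^/,\n]+)")

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # header or unrelated output
        cn = _CN.search(m.group(2))
        name = cn.group(1).strip() if cn else m.group(2).strip()
        if m.group(1) == "s":
            subject = name
        elif subject is not None:
            chain.append((subject, name))
            subject = None
    return chain

def find_trust_anchor(chain, device_roots):
    """Walk leaf to top. Return (anchor, None) if the device holds a matching root,
    otherwise (None, name_of_the_issuer_the_device_would_need)."""
    if not chain:
        raise ValueError("no certificates parsed")
    for i, (subject, issuer) in enumerate(chain):
        if subject in device_roots:
            return subject, None
        if issuer in device_roots:
            return issuer, None
        if i + 1 < len(chain) and chain[i + 1][0] != issuer:
            return None, issuer  # server chain has a gap at this issuer
    return None, chain[-1][1]
```

Running `find_trust_anchor(parse_chain(...), DEVICE_ROOTS)` against the server's real `s_client` output and the root list read off the device shows which root would have to be imported, or which root to request at issuance.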
