kingwr12

SSL Certificate problems on Windows Mobile 5...

I continue to get a not trusted certificate error on a Cingular 8125 - Windows Mobile 5 device when accessing OMA as well as an error when synching through Microsoft ActiveSync.  I have a number of Treo 650s and Samsung PCH-i600s which work just fine through ActiveSync with SSL enabled.

The SSL certificate on the Exchange server was issued by InstantSSL/Comodo Group.  I have the root and intermediate certificates properly installed on the server (as evidenced by the other devices working).  I have installed three root certificates from the InstantSSL website on the Cingular 8125 using instructions from this site.  The 8125 works fine with SSL disabled.  Also, the certificate error gives green checks to date and server name, only "not chosen to trust" error.

I am completely at a loss here.  Any help would be appreciated.
oldhammbc

This sounds a bit strange, you shouldn't really have to install the certificate on the device because Comodo certificates are already trusted on Mobile 5 devices. Is the certificate definitely for the host name you are using?
For example, we have a certificate for webmail.ourcompany.com; this would not work attached to a website called oma.ourcompany.com.
Have you tried connecting over Outlook Web Access to see if you get the same error on a standard web browser?

Cheers

Dave J
kingwr12

ASKER

Accessing OWA from a PC browser works fine.  No certificate warnings.

The certificate is for the correct host name, and in fact the certificate warning on the Windows Mobile 5 device gives green checks for date and name, but gives warning for "company not chosen to trust".

Further, the Windows Smartphone 2003 devices and the Treo 650s ActiveSync with no warnings or errors (I have never tried OMA from these devices).

Working from InstantSSL support site, I converted to DER and installed on the WM5 device 3 root certificates.  This did not resolve the problem either.  I agree that this is strange, in that it seems that everything works fine outside the WM5 environment, and with the root certificates installed, the WM5 should work too.  

WRK
If the certificate is trusted by web browsers then there is no reason why the certificate should be installed on the device. I'm wondering if the certificate store on the device has somehow got screwed up with there being 2 different copies of the certificate being on there. Have you tried this on a "virgin" Mobile 5 device?

Cheers
Dave J
I only have the one WM5 device (it is my new cellphone, a Cingular 8125).  However, I did not install the root certificates from Comodo/InstantSSL until AFTER the device was failing, i.e. exhibiting the symptoms described above.  I also tried only installing one of the root certificates before actually installing all 3.  I can try removing the 3 root certificates and see if that restores service.

WRK
To be honest I'd also try that and maybe back up your phone and do a full reset on it. I know it sounds a bit harsh but then at least you will be 100% sure that it's something on the server or the device.

Cheers

Dave J
The fact that it is working on a desktop does NOT mean it will work on the handheld.
Installing the root and intermediate certificate on the server will not help the handheld.

SSL certificates from that issuer are not trusted by Windows Mobile devices natively.
Therefore you will need to export both the root and the intermediate certificate into the correct format and then import them into the Windows Mobile device.

http://www.amset.info/pocketpc/certificates.asp

You can reset the device as many times as you like, the handheld will never accept the certificate until you have imported the required certificates.

Simon.
I tried installing the certificate issued for my mail server as well as the root certificates from the InstantSSL site using the exact procedure described on that website before I posted on this site.  None of that helped or solved the problem.  In fact, installing various certificates in various combinations has done nothing to change the symptoms on the WM5 device.

WRK
Is this a wildcard certificate or a specific host certificate?

Have you seen this blog posting about using intermediate certificates?
http://blogs.msdn.com/windowsmobile/archive/2006/02/27/ssl_certificates_201.aspx

I only use certificates that come off a root direct or are trusted by the device. I have had no problems with RapidSSL certificates on Windows Mobile. I just need to install the root certificate on to the device and then I am done.

Simon.
ASKER CERTIFIED SOLUTION
oldhammbc

This solution is only available to members.
Indeed GTE CyberTrust Global Root is installed on the WM5 device.  However, our Comodo cert appears to be issued on the AddTrust External CA Root.  I will put in a support request with Comodo.

WRK
The InstantSSL certificate issued by Comodo was issued from the UTN-USERFirst-Hardware root.  They reissued a certificate for me from the GTE CyberTrust Global Root CA root, I installed it and everything worked out of the box with no new certificates required on the WM5 device.

Takeaway:  I am not sure how Comodo Group decides which root to issue a certificate, but you probably want to specify GTE CyberTrust Global root when buying an InstantSSL certificate for use with Windows Mobile 5 devices.

Thanks,
WRK
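
Added example, not part of the thread: a small name-based path builder showing why the same server certificate validated on the desktop but failed on the WM5 device until it was reissued under a root the device already trusted. The host name, intermediate names and the desktop trust store are assumptions constructed for illustration; only the two root names come from the posts above.

```python
from dataclasses import dataclass

# Name matching only: no signatures, dates or extensions are checked.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def build_path(leaf, server_sent, trust_store):
    """Subject names from leaf up to a root the client trusts, else None."""
    def walk(cert, seen):
        if cert.issuer in trust_store:
            return [cert.subject, cert.issuer]
        if cert.subject == cert.issuer or cert.subject in seen:
            return None  # untrusted self-signed root, or a loop
        for cand in server_sent:  # try every candidate issuer (cross-signs)
            if cand.subject == cert.issuer:
                rest = walk(cand, seen | {cert.subject})
                if rest:
                    return [cert.subject] + rest
        return None
    return walk(leaf, frozenset())

def chain_root(leaf, server_sent):
    """Name of the root the presented chain ends at."""
    by_subject = {c.subject: c for c in server_sent}
    cert, seen = leaf, set()
    while cert.issuer in by_subject and cert.subject not in seen:
        seen.add(cert.subject)
        cert = by_subject[cert.issuer]
    return cert.issuer

# Constructed sample data. Host and intermediate names are placeholders.
HOST = "mail.example.com"
SERVER_SENT = [
    Cert("Placeholder Intermediate A", "UTN-USERFirst-Hardware"),
    Cert("Placeholder Intermediate B", "GTE CyberTrust Global Root"),
]
ORIGINAL_LEAF = Cert(HOST, "Placeholder Intermediate A")
REISSUED_LEAF = Cert(HOST, "Placeholder Intermediate B")

# The thread confirms only GTE CyberTrust Global Root on the WM5 device.
DEVICE_STORE = {"GTE CyberTrust Global Root"}
# Assumption: the desktop browser also trusts UTN-USERFirst-Hardware.
DESKTOP_STORE = DEVICE_STORE | {"UTN-USERFirst-Hardware"}

if __name__ == "__main__":
    for name, leaf in [("original", ORIGINAL_LEAF), ("reissued", REISSUED_LEAF)]:
        print(name, "root:", chain_root(leaf, SERVER_SENT))
        print("  desktop:", build_path(leaf, SERVER_SENT, DESKTOP_STORE))
        print("  device :", build_path(leaf, SERVER_SENT, DEVICE_STORE))
```

A `None` result for one client and a full path for another points at the client's root store rather than at the server configuration.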