

exporting self-signed certificate in SBS 2003 so it can be imported into a Windows Mobile device

Posted on 2006-11-02
Medium Priority
Last Modified: 2012-06-27
I have a Windows 2003 SBS server. It has created its own self-signed certificate. I'd like to use a Windows Mobile 5.0 device using Exchange ActiveSync. There are very good instructions created by Daniel Petri here:


However, I'm missing one small thing. You create an SSL certificate when running the Internet Connection Wizard. This is easy. I have the CER file that it creates. But I can't import that CER file onto the mobile device. It says it's not a valid certificate. That goes along with what Daniel says. He says you need to export the certificate from http://servername/certsrv. However, when I go to http://servername/certsrv - there is a certificate I can export, but it is the CA certificate and not the same SBS certificate that you create in the Internet Connection Wizard. How do I get the SBS certificate to show up in http://servername/certsrv so that I can export it? As stupid as this sounds, I think this is the step I am missing.

Question by:dmessman

Expert Comment

ID: 17859406
Hi dmessman,

What do you mean by "You create an SSL certificate when running the Internet Connection Wizard"?

Actually the CA certificate is exactly what you need on the mobile phone. Normally you can save the file, copy it over to the desired device via USB and install it there by double clicking the file. I have configured several Windows Mobile devices like that and they all work fine.

The CA certificate is necessary so that the device can verify the certificate that is assigned to the Exchange Virtual SMTP server which will be used when you access OWA through SSL.

Hope this helps.
The Kirschi

Author Comment

ID: 17859599
Then perhaps I am missing something. Let's say my domain is whatever.com

When you go to Exchange webmail, at mail.whatever.com/exchange - the certificate that comes up is the SBS certificate that was created in the Internet Connection Wizard (a tool in Small Business Server that configures email, the certificate, the firewall, and the server internet access).

However, when I installed the Certificate Services (via add/remove programs and add/remove windows services), it prompted me to create a new enterprise root CA and the same certificate that I see when I go to http://servername/certsrv.  This certificate is different from the certificate I see when I go to mail.whatever.com/exchange.

I've imported the certificate I made when adding Certificate Services, but that doesn't work.  I presume I need the same certificate that I see when I'm using webmail.  Sorry, I'm really a newbie with certificates.

Thank you

Author Comment

ID: 17859649
Also - the certificate that I see in IIS Manager is the same as the SBS certificate created in the Internet Connection Wizard. The one I can access via mail.whatever.com/exchange is not what is in IIS Manager.

Of course I'm speaking about the certificate you see when you open IIS Manager, right click on the default web site and go to properties, click on the directory security tab and click on view certificate.




Author Comment

ID: 17859958
After doing some additional research, I found this page which has a how-to on deploying Windows Mobile 5.0 devices with Small Business Server 2003.


However, when I get down to the part that I am having trouble with, it references steps that do not work for me:

Copying the Certificate File to the Device
Perform the following steps to copy the certificate file to the mobile device:
1. Log on to a client computer that has ActiveSync 4.1 installed.
2. Connect the Windows Mobile device to the computer.
   You do not need to establish a partnership; you can simply connect in guest mode.
3. Open Windows Explorer and navigate to \\WindowsSBSServerName\ClientApps\SBScert.
4. Right-click the certificate (.cer) file in the SBScert folder and click Copy.

Note: If your Windows SBS Server is running ISA Server, there may be more than one certificate in the folder. Select the one named ISACert.cer.

5. Navigate to Mobile Device under My Computer.
   By default, the contents of the My Documents folder on the device are displayed.
6. Right-click the content area and click Paste to copy the certificate file to the device.

It goes on to talk about needing a third party utility in some cases, which I do need and I do have.

The problem is this: SBScert.cer DOES NOT work. When I use the third party utility to try to install sbscert.cer - it tells me it's not a valid certificate file. I have been able to get some certificates to import. For all those certificates that I was able to import, I went to http://servername/certsrv and chose to export the Root Certificate in DER encoded binary X.509 format with a .CER file name extension.

So that's why I think I need to take this SBScert.cer file that was created when running through the SBS Internet Connection Wizard and import it into Certificate Services so that I can go to http://servername/certsrv to export it.

Thanks for any advice or help.

Author Comment

ID: 17860240
For those who are interested, I found the solution in that same MS document I referenced earlier:

• You may receive an error when attempting to install self signed certificates on the device using the instructions in this document. In that case, you may want to manually try exporting the certificate from a workstation connected to the server instead of using the files in the \\server\clientapps\sbscert directory. The certificate can be exported from the Trusted Root Certificate Authorities\Certificates folder in the Certificates console which can be opened by running certmgr.msc at a command prompt.

Yes, you do need to put the SBS certificate on the device and you do need to export it.  When I opened up certmgr.msc and then went to Trusted Root Certificate Authorities\Certificates - I saw the SBS certificate and was able to export it as a DER X.509 certificate and then able to import it on the device.  And it's syncing now.
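
The export step described in the comment above, scripted in PowerShell as an added example (not part of the original thread or the Microsoft document it quotes). The subject filter and output path are placeholder assumptions; the script writes only the public certificate in DER form and reports its thumbprint so it can be compared with the entry shown in the Certificates console.

```powershell
# Added example. $SubjectMatch and $OutFile are placeholder assumptions,
# not values taken from the thread.
param(
    [string]$SubjectMatch = 'mail.whatever.com',
    [string]$OutFile      = (Join-Path $env:TEMP 'sbs-root.cer')
)

# certmgr.msc shows the current user's stores; a certificate deployed to the
# machine lives under LocalMachine, so search both and de-duplicate.
$found = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Sort-Object Thumbprint -Unique)

if ($found.Count -ne 1) {
    throw "Expected exactly one matching root certificate, found $($found.Count)."
}
$cert = $found[0]

# A certificate that belongs in a root store is issued by itself.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Subject and issuer differ; this is not a self-signed root."
}

# X509ContentType.Cert = public certificate only, binary DER, no private key.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# DER begins with the ASN.1 SEQUENCE tag 0x30; a Base64 (PEM) file begins
# with '-' (0x2D) from "-----BEGIN CERTIFICATE-----".
$bytes = [System.IO.File]::ReadAllBytes($OutFile)
if ($bytes[0] -ne 0x30) { throw "$OutFile is not DER encoded." }

# Parse the file back from disk to confirm it is a readable certificate.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile
if ($check.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($check.NotAfter)."
}

[pscustomobject]@{
    File       = $OutFile
    Subject    = $check.Subject
    Thumbprint = $check.Thumbprint
    NotAfter   = $check.NotAfter
}
```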

Expert Comment

ID: 17863564
dmessman, don't forget to ask for a PAQ/Refund in the http://www.experts-exchange.com/Community_Support/ TA for answering your own Q.

I think where you got confused is that the IIS site has a self-signed cert you created based on the root CA from your SBS box. The PPC doesn't implicitly trust your cert, as it's not a member of the domain, and your SBS box isn't a known trusted certificate authority. You don't need the IIS certificate, you need the CA's certificate to match the pair.

What you've done - exporting the ROOT CA - is exactly what you needed, as now you can add that Root CA to any device, and it will trust ANY certificate you issue from your SBS server.

In simple terms - the IIS Cert you create is you saying "I am who I say I am, my Certification Authority has verified this" and the root certificate is there so your device can say "I agree that you are who you say you are, because I trust your Certification Authority because my admin has imported the root CA"

Clear as mud, no?

Accepted Solution

DarthMod earned 0 total points
ID: 17897884
Closed, 500 points refunded.
Community Support Moderator
