Solved

exporting self-signed certificate in SBS 2003 so it can be imported into a Windows Mobile device

Posted on 2006-11-02
9
13,649 Views
Last Modified: 2012-06-27
I have a Windows 2003 SBS server.  It has created its own self-signed certificate.  I'd like to use a Windows Mobile device 5.0 device using Exchange ActiveSync.  There are very good instructions created by Daniel Petri here:

http://www.petri.co.il/adding_root_certificates_to_windows_mobile_2003_ppc.htm

However, I'm missing one small thing. You create an SSL certificate when running the Internet Connection Wizard. This is easy. I have the CER file that it creates. But I can't import that CER file onto the mobile device. It says it's not a valid certificate. That goes along with what Daniel says. He says you need to export the certificate from http://servername/certsrv. However, when I go to http://servername/certsrv - there is a certificate I can export, but it is the CA certificate and not the same SBS certificate that you create in the Internet Connection Wizard. How do I get the SBS certificate to show up in http://servername/certsrv so that I can export it? As stupid as this sounds, I think this is the step I am missing.

Thanks
0
Comment
Question by:dmessman
9 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 17859406
Hi dmessman,

What do you mean by "You create an SSL certificate when running the Internet Connection Wizard"?

Actually the CA certificate is exactly what you need on the mobile phone. Normally you can save the file, copy it over to the desired device via USB and install it there by double clicking the file. I have configured several Windows Mobile devices like that and they all work fine.

The CA certificate is necessary so that the device can verify the certificate that is assigned to the Exchange Virtual SMTP server which will be used when you access OWA through SSL.

Hope this helps.
The Kirschi
0
 
LVL 9

Author Comment

by:dmessman
ID: 17859599
Then perhaps I am missing something. Let's say my domain is whatever.com

When you go to Exchange webmail, at mail.whatever.com/exchange - the certificate that comes up is the SBS certificate that was created in the Internet Connection Wizard (a tool in Small Business Server that configures email, the certificate, the firewall, and the server internet access).

However, when I installed the Certificate Services (via add/remove programs and add/remove windows services), it prompted me to create a new enterprise root CA and the same certificate that I see when I go to http://servername/certsrv.  This certificate is different from the certificate I see when I go to mail.whatever.com/exchange.

I've imported the certificate I made when adding Certificate Services, but that doesn't work.  I presume I need the same certificate that I see when I'm using webmail.  Sorry, I'm really a newbie with certificates.

Thank you
0
 
LVL 9

Author Comment

by:dmessman
ID: 17859649
Also - the certificate that I see in IIS Manager is the same as the SBS certificate created in the Internet Connection Wizard. The one I can access via mail.whatever.com/exchange is not what is in IIS Manager.

Of course I'm speaking about the certificate you see when you open IIS Manager, right click on the default web site and go to properties, click on the directory security tab and click on view certificate.

Thanks
0

 
LVL 9

Author Comment

by:dmessman
ID: 17859958
After doing some additional research, I found this page which has a how-to on deploying Windows Mobile 5.0 devices with Small Business Server 2003.

http://www.microsoft.com/downloads/details.aspx?FamilyID=8be70d72-1e5a-4128-a30c-dafeeb43544d&displaylang=en

However, when I get down to the part that I am having trouble with, it references steps that do not work for me:

Copying the Certificate File to the Device
Perform the following steps to copy the certificate file to the mobile device:
1. Log on to a client computer that has ActiveSync 4.1 installed.
2. Connect the Windows Mobile device to the computer.
   You do not need to establish a partnership; you can simply connect in guest mode.
3. Open Windows Explorer and navigate to \\WindowsSBSServerName\ClientApps\SBScert.
4. Right-click the certificate (.cer) file in the SBScert folder and click Copy.

   Note: If your Windows SBS Server is running ISA Server, there may be more than one certificate in the folder. Select the one named ISACert.cer.

5. Navigate to Mobile Device under My Computer.
   By default, the contents of the My Documents folder on the device are displayed.
6. Right-click the content area and click Paste to copy the certificate file to the device.

It goes on to talk about needing a third party utility in some cases, which I do need and I do have.

The problem is this: SBScert.cer DOES NOT work. When I use the third party utility to try to install sbscert.cer - it tells me it's not a valid certificate file. I have been able to get some certificates to import. For all those certificates that I was able to import, I went to http://servername/certsrv and chose to export the Root Certificate in DER encoded binary X.509 format with a .CER file name extension.

So that's why I think I need to take this SBScert.cer file that was created when running through the SBS Internet Connection Wizard and import it into Certificate Services so that I can go to http://servername/certsrv to export it.

Thanks for any advice or help.
0
 
LVL 9

Author Comment

by:dmessman
ID: 17860240
For those who are interested, I found the solution in that same MS document I referenced earlier:

• You may receive an error when attempting to install self signed certificates on the device using the instructions in this document. In that case, you may want to manually try exporting the certificate from a workstation connected to the server instead of using the files in the \\server\clientapps\sbscert directory. The certificate can be exported from the Trusted Root Certificate Authorities\Certificates folder in the Certificates console which can be opened by running certmgr.msc at a command prompt.


Yes, you do need to put the SBS certificate on the device and you do need to export it.  When I opened up certmgr.msc and then went to Trusted Root Certificate Authorities\Certificates - I saw the SBS certificate and was able to export it as a DER X.509 certificate and then able to import it on the device.  And it's syncing now.
0
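The export described in the post above (Trusted Root Certificate Authorities store, DER-encoded X.509 output), scripted in PowerShell as an added example that is not part of the original thread or the Microsoft document. The subject filter and output path are placeholders, and the encoding check only reports what a .cer file contains; the thread does not say why SBScert.cer was rejected.

```powershell
# Added example: export a root certificate as DER and verify the written file.
param(
    [string]$SubjectMatch = 'PLACEHOLDER-server-name',  # assumption: text found in the SBS certificate subject
    [string]$OutFile      = "$env:TEMP\sbs-root.cer"     # assumption: where the exported file is written
)

# Report how a .cer file is encoded before copying it to a device.
function Get-CerEncoding {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 'Empty' }
    # Binary DER starts with the ASN.1 SEQUENCE tag 0x30.
    if ($bytes[0] -eq 0x30) { return 'DER' }
    $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(64, $bytes.Length))
    if ($head -match '-----BEGIN CERTIFICATE-----') { return 'Base64' }
    return 'Unknown'
}

# Same store the Certificates console (certmgr.msc) shows as
# "Trusted Root Certification Authorities" for the logged-on user.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $found = @($store.Certificates | Where-Object { $_.Subject -like "*$SubjectMatch*" })
} finally {
    $store.Close()
}
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate matching '$SubjectMatch', found $($found.Count)."
}
$cert = $found[0]

# A root that devices should trust is self-signed: subject and issuer are identical.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is not self-signed (issuer: $($cert.Issuer))."
}

# X509ContentType.Cert produces the public certificate only, DER encoded, no private key.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Re-read the file to confirm it parses and matches the certificate in the store.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
[pscustomobject]@{
    File       = $OutFile
    Encoding   = Get-CerEncoding $OutFile
    Subject    = $check.Subject
    NotAfter   = $check.NotAfter
    SameAsRoot = ($check.Thumbprint -eq $cert.Thumbprint)
}
```

Compare the reported thumbprint with the one shown in the certificate's Details tab before installing the file on a device.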
 
LVL 15

Expert Comment

by:harleyjd
ID: 17863564
dmessman, don't forget to ask for a PAQ/Refund in the http://www.experts-exchange.com/Community_Support/ TA for answering your own Q.

I think where you got confused is that the IIS site has a self-signed cert you created based on the root CA from your SBS box. The PPC doesn't implicitly trust your cert, as it's not a member of the domain, and your SBS box isn't a known trusted certificate authority. You don't need the IIS certificate, you need the CA's certificate to match the pair.

What you've done - exporting the ROOT CA - is exactly what you needed, as now you can add that Root CA to any device, and it will trust ANY certificate you issue from your SBS server.

In simple terms - the IIS Cert you create is you saying "I am who I say I am, my Certification Authority has verified this" and the root certificate is there so your device can say "I agree that you are who you say you are, because I trust your Certification Authority because my admin has imported the root CA"

Clear as mud, no?
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 17897884
Closed, 500 points refunded.
DarthMod
Community Support Moderator
0
