Dave Messman asked:
exporting self-signed certificate in SBS 2003 so it can be imported into a Windows Mobile device

I have a Windows 2003 SBS server.  It has created its own self-signed certificate.  I'd like to use a Windows Mobile device 5.0 device using Exchange ActiveSync.  There are very good instructions created by Daniel Petri here:

http://www.petri.co.il/adding_root_certificates_to_windows_mobile_2003_ppc.htm

However, I'm missing one small thing.  You create an SSL certificate when running the Internet Connection Wizard.  This is easy.  I have the CER file that it creates.  But I can't import that CER file onto the mobile device.  It says its not a valid certificate.  That goes along with what Daniel says.  He says you need to export the certificate from   http://servername/certsrv.  However, when I go to http://servername/certsrv - there is a certificate I can export, but it is the CA certificate and not the same SBS certificate that you create in the Internet Connection Wizard.  How do I get the SBS certificate to show up in  http://servername/certsrv so that I can export it?  As stupid as this sounds, I think this is the step I am missing.

Thanks
Member_2_3654191

Hi dmessman,

What do you mean by "you create an SSL certificate when running the Internet Connection Wizard"?

Actually the CA certificate is exactly what you need on the mobile phone. Normally you can save the file, copy it over to the desired device via USB and install it there by double clicking the file. I have configured several Windows Mobile devices like that and they all work fine.

The CA certificate is necessary so that the device can verify the certificate that is assigned to the Exchange Virtual SMTP server which will be used when you access OWA through SSL.

Hope this helps.
The Kirschi
Dave Messman (ASKER)
Then perhaps I am missing something.  Let's say my domain is whatever.com.

When you go to Exchange webmail, at mail.whatever.com/exchange - the certificate that comes up is the SBS certificate that was created in the Internet Connection Wizard (a tool in Small Business Server that configures email, the certificate, the firewall, and the server internet access).

However, when I installed the Certificate Services (via add/remove programs and add/remove windows services), it prompted me to create a new enterprise root CA and the same certificate that I see when I go to http://servername/certsrv.  This certificate is different from the certificate I see when I go to mail.whatever.com/exchange.

I've imported the certificate I made when adding Certificate Services, but that doesn't work.  I presume I need the same certificate that I see when I'm using webmail.  Sorry, I'm really a newbie with certificates.

Thank you

Also - the certificate that I see in IIS Manager is the same as the SBS certificate created in the Internet Connection Wizard.  The one I can access via mail.whatever.com/exchange is not what is in IIS Manager.

Of course I'm speaking about the certificate you see when you open IIS Manager, right click on the default web site and go to properties, click on the directory security tab and click on view certificate.

Thanks

After doing some additional research, I found this page, which has a how-to on deploying Windows Mobile 5.0 devices with Small Business Server 2003.

http://www.microsoft.com/downloads/details.aspx?FamilyID=8be70d72-1e5a-4128-a30c-dafeeb43544d&displaylang=en

However, when I get down to the part that I am having trouble with, it references steps that do not work for me:

Copying the Certificate File to the Device
Perform the following steps to copy the certificate file to the mobile device:
1. Log on to a client computer that has ActiveSync 4.1 installed.
2. Connect the Windows Mobile device to the computer.
You do not need to establish a partnership; you can simply connect in guest mode.
3. Open Windows Explorer and navigate to \\WindowsSBSServerName\ClientApps\SBScert.
4. Right-click the certificate (.cer) file in the SBScert folder and click Copy.

Note: If your Windows SBS Server is running ISA Server, there may be more than one certificate in the folder.  Select the one named ISACert.cer.

5. Navigate to Mobile Device under My Computer.
By default, the contents of the My Documents folder on the device are displayed.
6. Right-click the content area and click Paste to copy the certificate file to the device.

It goes on to talk about needing a third-party utility in some cases, which I do need and do have.

The problem is this: SBScert.cer DOES NOT work.  When I use the third-party utility to try to install sbscert.cer, it tells me it's not a valid certificate file.  I have been able to get some certificates to import.  For all those certificates that I was able to import, I went to http://servername/certsrv and chose to export the Root Certificate in DER encoded binary X.509 format with a .CER file name extension.

So that's why I think I need to take this SBScert.cer file that was created when running through the SBS Internet Connection Wizard and import it into Certificate Services so that I can go to http://servername/certsrv to export it.

Thanks for any advice or help.

For those who are interested, I found the solution in that same MS document I referenced earlier:

• You may receive an error when attempting to install self-signed certificates on the device using the instructions in this document.  In that case, you may want to manually try exporting the certificate from a workstation connected to the server instead of using the files in the \\server\clientapps\sbscert directory.  The certificate can be exported from the Trusted Root Certificate Authorities\Certificates folder in the Certificates console which can be opened by running certmgr.msc at a command prompt.

Yes, you do need to put the SBS certificate on the device and you do need to export it.  When I opened up certmgr.msc and then went to Trusted Root Certificate Authorities\Certificates - I saw the SBS certificate and was able to export it as a DER X.509 certificate and then able to import it on the device.  And it's syncing now.
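A check for the two things that went wrong above (a .cer the device rejects, and not knowing whether a file is the CA certificate or the IIS certificate), added here as an example and not code from the thread, from SBS or from Microsoft: it reads just enough X.509 to report a file's encoding (DER or Base-64), its issuer and subject, and whether the two match, which is what a root CA like the SBS one looks like. The sample certificate it builds is constructed with a dummy signature; the name comparison is a heuristic and no signature is verified.

```python
import base64, re
def _tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):
    """Split a SEQUENCE/SET body into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def to_der(data):
    """Accept a .cer as DER (leading SEQUENCE tag 0x30) or Base-64/PEM; return DER bytes."""
    if data[:1] == b"\x30":
        return data
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", data.decode("ascii", "replace")))
def to_pem(der):                                # the "Base-64 encoded X.509" export option
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
def common_name(name_der):
    """First commonName (OID 2.5.4.3) in a DER Name, or None."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            oid, val = _children(atv)
            if oid[1] == b"\x55\x04\x03":
                return val[1].decode("ascii", "replace")

def describe(data):
    """Encoding, issuer CN, subject CN, and issuer == subject (root-CA heuristic; no signature check)."""
    der = to_der(data)
    fields = _children(_children(_tlv(der, 0)[1])[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                    # skip optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject
    return {"encoding": "DER" if data[:1] == b"\x30" else "Base-64/PEM", "issuer": common_name(issuer),
            "subject": common_name(subject), "self_signed_name_match": issuer == subject}

# Constructed sample certificate (not from SBS; dummy signature bytes) so the parser runs offline.
def _enc(tag, content):
    return bytes([tag]) + (bytes([len(content)]) if len(content) < 128 else b"\x81" + bytes([len(content)])) + content
def _name(cn):                                  # Name ::= SEQUENCE OF SET OF (OID, PrintableString)
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x13, cn.encode()))))
def sample_cert(issuer_cn, subject_cn):
    alg = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + b"\x05\x00")  # sha1WithRSA
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg + _name(issuer_cn)
           + _enc(0x30, _enc(0x17, b"070101000000Z") * 2) + _name(subject_cn) + _enc(0x30, b""))
    return _enc(0x30, _enc(0x30, tbs) + alg + _enc(0x03, b"\x00" * 9))
```

Run `describe(open("SBScert.cer", "rb").read())` on the file from \\server\clientapps\sbscert and on the certmgr.msc export to see which one is DER and which one has issuer equal to subject.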
harleyjd
dmessman, don't forget to ask for a PAQ/Refund in the https://www.experts-exchange.com/Community_Support/ TA for answering your own Q.

I think where you got confused is that the IIS site has a self-signed cert you created based on the root CA from your SBS box. The PPC doesn't implicitly trust your cert, as it's not a member of the domain, and your SBS box isn't a known trusted certificate authority. You don't need the IIS certificate, you need the CA's certificate to match the pair.

What you've done - exporting the ROOT CA - is exactly what you needed, as now you can add that Root CA to any device, and it will trust ANY certificate you issue from your SBS server.

In simple terms - the IIS Cert you create is you saying "I am who I say I am, my Certification Authority has verified this" and the root certificate is there so your device can say "I agree that you are who you say you are, because I trust your Certification Authority because my admin has imported the root CA"

Clear as mud, no?