exporting self-signed certificate in SBS 2003 so it can be imported into a Windows Mobile device

Posted on 2006-11-02
Last Modified: 2012-06-27
I have a Windows 2003 SBS server.  It has created its own self-signed certificate.  I'd like to use a Windows Mobile 5.0 device using Exchange ActiveSync.  There are very good instructions created by Daniel Petri here:

However, I'm missing one small thing.  You create an SSL certificate when running the Internet Connection Wizard.  This is easy.  I have the CER file that it creates.  But I can't import that CER file onto the mobile device.  It says it's not a valid certificate.  That goes along with what Daniel says.  He says you need to export the certificate from http://servername/certsrv.  However, when I go to http://servername/certsrv - there is a certificate I can export, but it is the CA certificate and not the same SBS certificate that you create in the Internet Connection Wizard.  How do I get the SBS certificate to show up in http://servername/certsrv so that I can export it?  As stupid as this sounds, I think this is the step I am missing.

Question by:dmessman
LVL 16

Expert Comment

ID: 17859406
Hi dmessman,

what do you mean by "You create an SSL certificate when running the Internet Connection Wizard"?

Actually the CA certificate is exactly what you need on the mobile phone. Normally you can save the file, copy it over to the desired device via USB and install it there by double clicking the file. I have configured several Windows Mobile devices like that and they all work fine.

The CA certificate is necessary so that the device can verify the certificate that is assigned to the Exchange Virtual SMTP server which will be used when you access OWA through SSL.

Hope this helps.
The Kirschi

Author Comment

ID: 17859599
then perhaps I am missing something.  Let's say my domain is

When you go to Exchange webmail, at - the certificate that comes up is the SBS certificate that was created in the Internet Connection Wizard (a tool in Small Business Server that configures email, the certificate, the firewall, and the server internet access).

However, when I installed the Certificate Services (via add/remove programs and add/remove windows services), it prompted me to create a new enterprise root CA and the same certificate that I see when I go to http://servername/certsrv.  This certificate is different from the certificate I see when I go to

I've imported the certificate I made when adding Certificate Services, but that doesn't work.  I presume I need the same certificate that I see when I'm using webmail.  Sorry, I'm really a newbie with certificates.

Thank you

Author Comment

ID: 17859649
also - the certificate that I see in IIS Manager is the same as the SBS certificate created in the Internet Connection Wizard.  The one I can access via is not what is in IIS Manager.

Of course I'm speaking about the certificate you see when you open IIS Manager, right click on the default web site and go to properties, click on the directory security tab and click on view certificate.


Author Comment

ID: 17859958
after doing some additional research, I found this page which has a how-to on deploying Windows Mobile 5.0 devices with Small Business Server 2003.

However, when I get down to the part that I am having trouble with, it references steps that do not work for me:

Copying the Certificate File to the Device
Perform the following steps to copy the certificate file to the mobile device:
1.      Log on to a client computer that has ActiveSync 4.1 installed.
2.      Connect the Windows Mobile device to the computer.
You do not need to establish a partnership; you can simply connect in guest mode.
3.      Open Windows Explorer and navigate to \\WindowsSBSServerName\ClientApps\SBScert.
4.      Right-click the certificate (.cer) file in the SBScert folder and click Copy.

Note: If your Windows SBS Server is running ISA Server, there may be more than one certificate in the folder.  Select the one named ISACert.cer.

5.      Navigate to Mobile Device under My Computer.
By default, the contents of the My Documents folder on the device are displayed.
6.      Right-click the content area and click Paste to copy the certificate file to the device.

It goes on to talk about needing a third party utility in some cases, which I do need and I do have.

The problem is this: SBScert.cer DOES NOT work.  When I use the third party utility to try to install sbscert.cer - it tells me it's not a valid certificate file.  I have been able to get some certificates to import.  For all those certificates that I was able to import, I went to http://servername/certsrv and chose to export the Root Certificate in DER encoded binary X.509 format with a .CER file name extension.

So that's why I think I need to take this SBScert.cer file that was created when running through the SBS Internet Connection Wizard and import it into Certificate Services so that I can go to http://servername/certsrv to export it.

Thanks for any advice or help.

Author Comment

ID: 17860240
For those who are interested, I found the solution in that same MS document I referenced earlier:

•      You may receive an error when attempting to install self signed certificates on the device using the instructions in this document.  In that case, you may want to manually try exporting the certificate from a workstation connected to the server instead of using the files in the \\server\clientapps\sbscert directory.  The certificate can be exported from the Trusted Root Certificate Authorities\Certificates folder in the Certificates console which can be opened by running certmgr.msc at a command prompt.

Yes, you do need to put the SBS certificate on the device and you do need to export it.  When I opened up certmgr.msc and then went to Trusted Root Certificate Authorities\Certificates - I saw the SBS certificate and was able to export it as a DER X.509 certificate and then able to import it on the device.  And it's syncing now.
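
A scripted form of the certmgr.msc export described in the post above, as an added example that is not part of the original thread or the Microsoft document. It assumes a workstation with PowerShell and a certificate subject that contains the server name; `servername` and the output path are placeholders.

```powershell
# Added example: scripted form of the certmgr.msc export described above.
# 'servername' and the output path are placeholders, not values from the thread.
param(
    [string]$ServerName = 'servername',
    [string]$OutFile    = (Join-Path $env:TEMP 'sbs-root.cer')
)

# certmgr.msc shows the current user's Trusted Root store, which also lists
# machine-wide roots, so look in both and de-duplicate by thumbprint.
$roots = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$ServerName*" } |
    Sort-Object Thumbprint -Unique)

# Show what matched so the right certificate is picked deliberately.
$roots | Format-List Subject, Issuer, NotAfter, Thumbprint

if ($roots.Count -ne 1) {
    throw "Expected exactly one matching root certificate, found $($roots.Count)."
}
$cert = $roots[0]

# A root is self-signed: subject and issuer are the same name.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning 'Subject and issuer differ; this is not a self-signed root.'
}

# X509ContentType 'Cert' is the binary DER form and carries the public
# certificate only; the private key never leaves the store.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Verify the file before copying it to the device: a DER certificate starts
# with the ASN.1 SEQUENCE tag 0x30, and it must reload to the same thumbprint.
$bytes = [System.IO.File]::ReadAllBytes($OutFile)
if ($bytes[0] -ne 0x30) {
    throw "$OutFile is not DER (Base64/PEM files start with '-----BEGIN')."
}
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
if ($check.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported file does not match the store certificate.'
}
"Wrote $OutFile (SHA-1 thumbprint $($check.Thumbprint))"
```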
LVL 15

Expert Comment

ID: 17863564
dmessman, don't forget to ask for a PAQ/Refund in the TA for answering your own Q.

I think where you got confused is that the IIS site has a self-signed cert you created based on the root CA from your SBS box. The PPC doesn't implicitly trust your cert, as it's not a member of the domain, and your SBS box isn't a known trusted certificate authority. You don't need the IIS certificate, you need the CA's certificate to match the pair.

What you've done - exporting the ROOT CA - is exactly what you needed, as now you can add that Root CA to any device, and it will trust ANY certificate you issue from your SBS server.

In simple terms - the IIS Cert you create is you saying "I am who I say I am, my Certification Authority has verified this" and the root certificate is there so your device can say "I agree that you are who you say you are, because I trust your Certification Authority because my admin has imported the root CA"

Clear as mud, no?

Accepted Solution

DarthMod earned 0 total points
ID: 17897884
Closed, 500 points refunded.
Community Support Moderator
