exporting self-signed certificate in SBS 2003 so it can be imported into a Windows Mobile device

Posted on 2006-11-02
Last Modified: 2012-06-27
I have a Windows 2003 SBS server.  It has created its own self-signed certificate.  I'd like to use a Windows Mobile device 5.0 device using Exchange ActiveSync.  There are very good instructions created by Daniel Petri here:

However, I'm missing one small thing.  You create an SSL certificate when running the Internet Connection Wizard.  This is easy.  I have the CER file that it creates.  But I can't import that CER file onto the mobile device.  It says its not a valid certificate.  That goes along with what Daniel says.  He says you need to export the certificate from   http://servername/certsrv.  However, when I go to http://servername/certsrv - there is a certificate I can export, but it is the CA certificate and not the same SBS certificate that you create in the Internet Connection Wizard.  How do I get the SBS certificate to show up in  http://servername/certsrv so that I can export it?  As stupid as this sounds, I think this is the step I am missing.

Question by:dmessman
LVL 16

Expert Comment

ID: 17859406
Hi dmessman,

what do you mean by "ou create an SSL certificate when running the Internet Connection Wizard"?

Actually the CA certificate is exactly what you need on the mobile phone. Normally you can save the file, copy it over to the desired device via USB and install it there by double clicking the file. I have configured several Windows Mobile devices like that and they all work fine.

The CA certificate is necessary so that the device can verify the certificate that is assigned to the Exchange Virtual SMTP server which will be used when you access OWA through SSL.

Hope this helps.
The Kirschi

Author Comment

ID: 17859599
then perhaps I am missing something.  Let's say my domain is

When you go to Exchange webmail, at - the certificate that comes up is the SBS certificate that was created in the Internet Connection Wizard (a tool in Small Business Server that configures email, the certificate, the firewall, and the server internet access).

However, when I installed the Certificate Services (via add/remove programs and add/remove windows services), it prompted me to create a new enterprise root CA and the same certificate that I see when I go to http://servername/certsrv.  This certificate is different from the certificate I see when I go to

I've imported the certificate I made when adding Certificate Services, but that doesn't work.  I presume I need the same certificate that I see when I'm using webmail.  Sorry, I'm really a newbie with certificates.

Thank you

Author Comment

ID: 17859649
also - the certificate that I see in IIS Manager is the same as the SBS certificate created in the Internet Connection Wizard.  The one I can access via is not what in IIS Manager.

Of course I'm speaking about the certificate you see when you open IIS Manager, right click on the default web site and go to properties, click on the directory security tab and click on view certificate.

Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.


Author Comment

ID: 17859958
after doing some additional research, I found this page which has a how-to on deploying Windows Mobile 5.0 devices with Small Business Server 2003.

However, when I get down to the part that I am having trouble with, it references steps that do not work for me:

Copying the Certificate File to the Device
Perform the following steps to copy the certificate file to the mobile device:
1.      Log on to a client computer that has ActiveSync 4.1 installed.
2.      Connect the Windows Mobile device to the computer.
You do not need to establish a partnership; you can simply connect in guest mode.
3.      Open Windows Explorer and navigate to \\WindowsSBSServerName\ClientApps\SBScert.
4.      Right-click the certificate (.cer) file in the SBScert folder and click Copy.

Note: If your Windows SBS Server is running ISA Server, there may be more than one certificate in the folder.  Select the one named ISACert.cer.

5.      Navigate to Mobile Device under My Computer.
By default, the contents of the My Documents folder on the device are displayed.
6.      Right-click the content area and click Paste to copy the certificate file to the device.

It goes on to talk about needed a third party utility in some cases, which I do need and I do have.

The problem is this: SBScert.cer DOES NOT work.  When I use the third party utility to try to install sbscert.cer - it tells me it's not a valid certificate file.  I have been able to get certificates to some import.  For all those certificates that I was able to import, I went to http://servername/certsrv and chose to export the Root Certificate in DER encoded binary X.509 format with a .CER file name extension.

So that's why I think I need to take this SBScert.cer file that was created when running through the SBS Internet Conenction Wizard and import it into Certificate Services so that I can go to http://servername/certsrv  to export it.

Thanks for any advice or help.

Author Comment

ID: 17860240
For those who are interested, I found the solution in that same MS document I referenced earlier:

•      You may receive an error when attempting to install self signed certificates on the device using the instructions in this document.  In that case, you may want to manually try exporting the certificate from a workstation connected to the server instead of using the files in the \\server\clientapps\sbscert directory.  The certificate can be exported from the Trusted Root Certificate Authorities\Certificates folder in the Certificates console which can be opened by running certmgr.msc at a command prompt.

Yes, you do need to put the SBS certificate on the device and you do need to export it.  When I opened up certmgr.msc and then went to Trusted Root Certificate Authorities\Certificates - I saw the SBS certificate and was able to export it as a DER X.509 certificate and then able to import it on the device.  And it's syncing now.
LVL 15

Expert Comment

ID: 17863564
dmessman, don't forget to ask for a PAQ/Refund in the TA for answering your own Q.

I think where you got confused is that the IIS site has a self-signed cert you created based on the root CA from your SBS box. The PPC doesn't implicitly trust your cert, as it's not a member of the domain, and your SBS box isn't a known trusted certificate authority. You don't need the IIS certificate, you need the CA's certificate to match the pair.

What you've done - exporting the ROOT CA - is exactly what you needed, as now you can add that Root CA to any device, and it will trust ANY certificate you issue from your SBS server.

In simple terms - the IIS Cert you create is you saying "I am who I say I am, my Certification Authority has verified this" and the root certificate is there so your device can say "I agree that you are who you say you are, because I trust your Certification Authority because my admin has imported the root CA"

Clear as mud, no?

Accepted Solution

DarthMod earned 0 total points
ID: 17897884
Closed, 500 points refunded.
Community Support Moderator

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place.  There are several solutions to this, including adding additional drive space or using third party uti…
The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now