ActiveSync to iPhone / WinMo still working after SSL certificate revocation and renewal

So I've got ActiveSync working to iPhones and WinMo clients in testing - all is good. However, when I come to remove the cert from IIS on the Exchange box (2003), revoke the cert at the CA level and then create a new cert / renew at IIS again, all clients can still connect without having to renew their installed certificates.

Surely this is wrong? They should fail, right, as I haven't re-imported the new cert into them.

Do they continue to work because ActiveSync seems to only work with a ROOT level cert installed on the device, i.e. a cert that says 'anything from this domain is good'? Certainly when I look at the certs on my WinMo device it appears as a ROOT, and when I delete this from the device and create an 'intermediate' certificate in IIS - something which appears to only provide validation for the particular server in question - and then import it into the device, ActiveSync no longer works.

Someone point me in the right direction please? I'm at the limits of my knowledge with this, and I can't believe that MS would design the paradigm such that effectively ActiveSync can only work with a non-revocable certificate. Unless they designed it such that only user / client certificates can be revoked to disable access - a feature that Apple's implementation doesn't support.


Cheers

Alastair
IndiciumSolutionsAsked:
JohnGerhardtCommented:
The latest version of iPhone firmware does support client certificates...
I think there is some confusion about what a server certificate will do... All the server certificate will do is identify ActiveSync as being a trusted source to the phone.
Before you remove the certificate you will have chosen to trust it on the iPhone; this tells the iPhone that anything coming from your CA is trustable (your CA is then added to the trusted roots of the phone). When you are removing the certificate, ActiveSync must be falling back on to one that has the same root, therefore the iPhone trusts it straight away.
Main idea: A server certificate is identification of the server, not the client. When you remove any certificate from ActiveSync it will fall back to another one to identify itself; in this case this is still trusted by the iPhone. That said, even if it wasn't then trusted, all you would have to do is click "Accept" once and that cert root would become trusted...
I hope I am making sense...
0
 
kyodaiCommented:
Well, based on the info given, my first guess was: is "require SSL" checked at all? Did you check they really synchronized with ActiveSync (sniffing, putting new mails in a test folder and so on)? I'm asking because ActiveSync is not really a debug-level application. I want to say it may not display all errors it encounters.
0
 
IndiciumSolutionsAuthor Commented:
Yeah - it syncs fine and "require SSL" is on on the relevant folders, I am sure. SSL is definitely being used by the devices and server for the comms (if I remove the working root level cert from WinMo the comms drops, and if I remove the cert from iPhone... sometimes it drops because you DON'T SEEM TO BE ABLE TO PROPERLY DELETE SSL ROOT CERTS FROM IPHONE DESPITE HAVING REMOVED THE PROFILE!!!! - anyway... that's another rant...)

Yes. SSL is being used.
0
 
JohnGerhardtCommented:
Ok, just a couple of things so I understand.
You are issuing certificates from your root CA (which won't be trusted by the iPhone).
When you remove the cert from IIS, then what certificate does it revert to?
Maybe I have misunderstood; if so then please correct me...
 
0
 
aletjollyCommented:
Hello,

As per your question with certificates, I believe when you renew your certificate it shouldn't harm the client connectivity, as the thumbprint of the certificate is already there with the client (in your case the mobile phone); it's only the date (issue / expiry) that gets modified.

Hope the above addresses your concern.
0
 
IndiciumSolutionsAuthor Commented:
JohnGerhardt:

Yes - I am issuing certs from the CA on my domain, which I then import into the iPhone / WinMo client.

When I remove the cert from IIS it reverts to NO CERT until I create a new one and assign it back to IIS.

aletjolly:

But that would mean that - on the iPhone implementation of ActiveSync at least - you CAN'T restrict access to an iPhone client by revoking the cert and renewing on IIS. Is this correct?
0
 
JohnGerhardtCommented:
Ok, are you talking about a server certificate or a client certificate?
0
 
aletjollyCommented:
Hello, I am getting a bit confused here; kindly let me know what exactly you are looking for?
I mean, is it:
If we renew a certificate, will it harm the mobile device sync with Exchange?
Restrict mobile device to sync with Exchange?
0
 
IndiciumSolutionsAuthor Commented:
Apologies.

I want the mobile devices - iPhone and WinMo clients - to STOP being able to connect if I revoke and renew the cert on IIS WITHOUT importing that new cert onto the mobile devices.

That's it.
0
 
IndiciumSolutionsAuthor Commented:
JohnGerhardt:

We are talking about a server certificate - or at least we are NOT talking about a client certificate, as iPhone doesn't support them.

Apologies all for being confusing at times - I am learning about the finer details of SSL / IIS as I go along here.
0
 
aletjollyCommented:
If that's the case, revoking and renewing certificates won't restrict the mobile sync.
You can try the following to restrict mobile sync:
* You can disable the OMA feature for the user you wish to restrict using Active Directory Users and Computers.
* You can create a new internal certificate altogether and not install it on the mobile device which you don't want to sync.
0
 
IndiciumSolutionsAuthor Commented:
aletjolly:

Can you please explain WHY ActiveSync won't be affected? Surely the cryptographic guts of the cert on the device will NOT MATCH the crypto guts of the NEW CERT freshly installed on the IIS box?
0
 
aletjollyCommented:
When the certificate is renewed, all other details of the certificate stay and only the date of expiry changes, and this update is automatically synchronized by the client.

But in case a new certificate is installed on the server, the client won't be able to get this update, and in the case of a mobile device it won't be able to sync over an SSL channel.
0
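The two explanations in this thread are easiest to see side by side in a small lab that replays the question's own steps: JohnGerhardt's point earlier that a device which trusts the CA root accepts anything that CA signs, and the thumbprint point just above. The following is an added example in Go, not code from the thread, from Microsoft or from Apple; the CA name, the hostname mail.example.internal and the serial numbers are constructed for it. It builds a root CA, issues a server certificate to stand in for the IIS cert, revokes that certificate in a CRL signed by the CA, issues a replacement, and then runs the three checks a client could make on what the server presents: chain building against the trusted root (all the phones here are doing), a CRL lookup (the step revocation depends on, which the phones are evidently not doing), and a thumbprint comparison (the one check that would notice a brand-new certificate, since a new key means a new thumbprint).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const serverName = "mail.example.internal" // constructed hostname for the Exchange front end

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl under parent with parentKey; parent == nil makes it self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// serverTemplate is what IIS asks the CA for: a certificate for the mail host name.
func serverTemplate(serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{serverName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
}

// BuildLab replays the question: issue cert #2 to IIS, revoke it on the CA (publish a CRL), create cert #3.
func BuildLab() (root, oldSrv, newSrv *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	root, rootKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enterprise Root CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	oldSrv, _ = issue(serverTemplate(2, now), root, rootKey)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: oldSrv.SerialNumber, RevocationTime: now}},
	}, root, rootKey)
	must(err)
	crl, err = x509.ParseRevocationList(crlDER)
	must(err)
	newSrv, _ = issue(serverTemplate(3, now), root, rootKey)
	return root, oldSrv, newSrv, crl
}

// ChainsToRoot is all a device does once it trusts the CA root; the CRL is never consulted.
func ChainsToRoot(server, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}

// IsRevoked is the separate check revocation depends on: is the serial listed in the CRL?
func IsRevoked(cert *x509.Certificate, crl *x509.RevocationList) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// Thumbprint is the SHA-1 of the DER certificate, the "Thumbprint" field in the Windows cert MMC.
func Thumbprint(cert *x509.Certificate) [20]byte {
	return sha1.Sum(cert.Raw)
}

func main() {
	root, oldSrv, newSrv, crl := BuildLab()
	fmt.Println("old cert: chains to root", ChainsToRoot(oldSrv, root) == nil, "| listed in CRL", IsRevoked(oldSrv, crl))
	fmt.Println("new cert: chains to root", ChainsToRoot(newSrv, root) == nil, "| listed in CRL", IsRevoked(newSrv, crl), "| same thumbprint as old", Thumbprint(oldSrv) == Thumbprint(newSrv))
}
```

Both server certificates chain to the root, so a client whose only check is ChainsToRoot keeps syncing through the remove-revoke-reissue cycle, which is the behaviour reported in the question; only the CRL lookup tells the two apart, and only the thumbprint comparison would flag the replacement as a different certificate. The two mitigations suggested in the thread map onto this: disabling the user's mobile access does not rely on the device at all, and issuing the new certificate from a CA the device does not trust makes ChainsToRoot fail.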
 
IndiciumSolutionsAuthor Commented:
Hmmm.

To clarify - perhaps I shouldn't have been using the word 'renewed'.

I remove the cert on IIS. I revoke the cert on the CA and then create a new cert on the IIS - I do not 'renew' the old one, I create a new one having - I thought - deactivated (by way of the revocation) the old one.

Just to clarify, we are talking M$ Server 2003 and Exchange 2003.
0
 
aletjollyCommented:
In this case the mobile device shouldn't sync with Exchange Server over an SSL channel, as there is a certificate mismatch.
Are you sure that the mobile devices aren't configured for ActiveSync over a non-SSL channel?
0
 
IndiciumSolutionsAuthor Commented:
Positive - apart from anything else I'm only allowing 443 in through my firewall.
0
 
aletjollyCommented:
Try using the web connectivity tool "www.testexchangeconnectivity.com" for a test user and tell me what the result was.

0
 
IndiciumSolutionsAuthor Commented:
Right.

I'll get to this next week - Weds, as I'm out of the office until then (as I'm working today...).

Thanks for your efforts so far.
0
 
IndiciumSolutionsAuthor Commented:
I'm now trying client certs on WinMo, and pretty much exactly the same thing is happening... but I'm going to open another thread on it and close this one off...

YO ADMIN! How do I split points? JohnGerhardt provided the most help but aletjolly took the time to help me...
0
 
JohnGerhardtCommented:
IndiciumSolutions,
Have a read of http://www.experts-exchange.com/help.jsp?hi=407, you can happily select multiple solutions to the question.
Glad it worked out..
0
 
IndiciumSolutionsAuthor Commented:
It KINDA worked out, as in I'm now stuck in a different place!

Thanks for the help...
0