IndiciumSolutions (United Kingdom)

asked on
ActiveSync to iPhone / WinMo still working after SSL certificate revocation and renewal

So I've got ActiveSync working to iPhones and WinMo clients in testing - all is good. However, when I come to remove the cert from IIS on the Exchange box (2003), revoke the cert at the CA level and then create a new cert / renew at IIS again, all clients can still connect without having to renew their installed certificates.

Surely this is wrong? They should fail, right, as I haven't re-imported the new cert into them.

Do they continue to work because ActiveSync seems to only work with a ROOT level cert installed on the device, i.e. a cert that says 'anything from this domain is good'? Certainly when I look at the certs on my WinMo device it appears as a ROOT, and when I delete this from the device and create an 'intermediate' certificate in IIS - something which appears to only provide validation for the particular server in question - and then import it into the device, ActiveSync no longer works.

Someone point me in the right direction please? I'm at the limits of my knowledge with this, and I can't believe that MS would design the paradigm so that effectively ActiveSync can only work with a non-revocable certificate. Unless they designed it such that only user / client certificates can be revoked to disable access - a feature that Apple's implementation doesn't support.


Cheers

Alastair
kyodai

Well, based on the info given, my first guess was: is "require SSL" checked at all? Did you check they really synchronized with ActiveSync (sniffing, putting new mails in a test folder and so on)? I'm asking because ActiveSync is not really a debug-level application. I want to say it may not display all errors it encounters.
IndiciumSolutions (ASKER)

Yeah - it syncs fine and "require SSL" is on on the relevant folders, I am sure. SSL is definitely being used by the devices and server for the comms (if I remove the working root level cert from WinMo the comms drop, and if I remove the cert from iPhone... sometimes it drops, because you DON'T SEEM TO BE ABLE TO PROPERLY DELETE SSL ROOT CERTS FROM IPHONE DESPITE HAVING REMOVED THE PROFILE!!!! - anyway... that's another rant...)

Yes. SSL is being used.

Ok, just a couple of things so I understand.
You are issuing certificates from your root CA (which won't be trusted by the iPhone).
When you remove the cert from IIS, then what certificate does it revert to?
Maybe I have misunderstood; if so, then please correct me...

Hello,

As per your question with certificates, I believe when you renew your certificate it shouldn't harm the client connectivity, as the thumbprint of the certificate is already there with the client (in your case the mobile phone); it's only the date (issue / expiry) that gets modified.

Hope the above addresses your concern.
JohnGerhardt:

Yes - I am issuing certs from the CA on my domain, which I then import into the iPhone / WinMo client.

When I remove the cert from IIS it reverts to NO CERT until I create a new one and assign it back to IIS.

aletjolly:

But that would mean that - on the iPhone implementation of ActiveSync at least - you CAN'T restrict access to an iPhone client by revoking the cert and renewing on IIS. Is this correct?
Ok, are you talking about a server certificate or a client certificate?

Hello, I am getting a bit confused here; kindly let me know what exactly you are looking for.
I mean, is it:
If we renew a certificate, will it harm the mobile device sync with Exchange?
Restrict a mobile device from syncing with Exchange?
Apologies.

I want the mobile devices - iPhone and WinMo clients - to STOP being able to connect if I revoke and renew the cert on IIS WITHOUT importing that new cert onto the mobile devices.

That's it.
JohnGerhardt:

We are talking about a server certificate - or at least we are NOT talking about a client certificate, as iPhone doesn't support them.

Apologies all for being confusing at times - I am learning about the finer details of SSL / IIS as I go along here.
If that's the case, revoke and renew of certificates won't restrict the mobile sync.
You can try the following to restrict mobile sync:
* You can disable the OMA feature for the user you wish to restrict, using Active Directory Users and Computers.
* You can create a new internal certificate altogether and not install it on the mobile device which you don't want to sync.
aletjolly:

Can you please explain WHY ActiveSync won't be affected? Surely the cryptographic guts of the cert on the device will NOT MATCH the crypto guts of the NEW CERT freshly installed on the IIS box?
When the certificate is renewed, all other details of the certificate stay and only the date of expiry changes, and this update is automatically synchronized by the client.

But in case a new certificate is installed on the server, the client won't be able to get this update, and in the case of a mobile device it won't be able to sync over an SSL channel.
Hmmm.

To clarify - perhaps I shouldn't have been using the word 'renewed'.

I remove the cert on IIS. I revoke the cert on the CA and then create a new cert on IIS - I do not 'renew' the old one, I create a new one, having - I thought - deactivated (by way of the revocation) the old one.

Just to clarify, we are talking M$ Server 2003 and Exchange 2003.

In this case the mobile device shouldn't sync with Exchange Server over an SSL channel, as there is a certificate mismatch.
Are you sure that the mobile devices aren't configured for ActiveSync over a non-SSL channel?
Positive - apart from anything else I'm only allowing 443 in through my firewall.
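An added example, not from this thread, that reproduces the behaviour the asker describes with a throwaway OpenSSL CA: the root CA stands in for the domain CA whose root is installed on the phones, and the host name mail.example.com, the serial numbers and the temp directory are assumed. It shows why a device that only checks the chain up to its installed root accepts the freshly issued server cert, and keeps accepting the revoked one, unless it also fetches and checks the CA's CRL, which is the only step at which a revocation has any effect.

```shell
#!/bin/sh
# Throwaway CA standing in for the domain CA whose root is installed on the
# devices. Everything is created in a temp dir; host name and serials are made up.
set -e
cd "$(mktemp -d)"
# 1. root CA cert; CA:TRUE and keyCertSign/cRLSign are set explicitly
openssl req -new -batch -newkey rsa:2048 -nodes \
  -subj "/CN=Example Domain Root CA" -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key \
  -extfile ca_ext.cnf -out ca.pem 2>/dev/null
# 2. minimal 'openssl ca' config, just enough for -revoke and -gencrl
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = index.txt
serial           = serial
new_certs_dir    = .
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
: > index.txt; echo 1000 > serial; echo 01 > crlnumber
# issue_server NAME SERIAL: a server cert for the assumed Exchange host name
issue_server() {
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$1.csr" -CA ca.pem -CAkey ca.key \
    -set_serial "$2" -out "$1.pem" 2>/dev/null
}
issue_server old 1001   # the cert first bound to IIS
issue_server new 1002   # the replacement created after revoking 'old'
openssl ca -config ca.cnf -revoke old.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
# What a device with only the root installed checks: does the cert chain to it?
trusts_root_only() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }
# The check that notices the revocation: same root plus the CA's current CRL.
trusts_with_crl() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl "$1" >/dev/null 2>&1
}
for c in old new; do
  printf '%s.pem: root-only=%s crl-check=%s\n' "$c" \
    "$(trusts_root_only "$c.pem" && echo accept || echo reject)" \
    "$(trusts_with_crl "$c.pem" && echo accept || echo reject)"
done
```

Running it prints old.pem as accepted by the root-only check and rejected by the CRL check, and new.pem as accepted by both, with nothing changed on the "device" side: the root is the trust anchor, so any leaf the CA signs chains to it, and the revocation only bites for a client that consults the CRL.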
SOLUTION (aletjolly)
Right.

I'll get to this next week - Weds, as I'm out of the office until then (as I'm working today...).

Thanks for your efforts so far.
ASKER CERTIFIED SOLUTION
I'm now trying client certs on WinMo, and pretty much exactly the same thing is happening... but I'm going to open another thread on it and close this one off.

YO ADMIN! How do I split points? JohnGerhardt provided the most help, but aletjolly took the time to help me...
IndiciumSolutions,
Have a read of http://www.experts-exchange.com/help.jsp?hi=407; you can happily select multiple solutions to the question.
Glad it worked out..

It KINDA worked out, as in I'm now stuck in a different place!

Thanks for the help...