Exchange Server 2007 ActiveSync with a Self-Signed Certificate

I was recently helping a customer that was attempting to establish ActiveSync capabilities from their Windows Mobile 6 devices with an Exchange Server 2007 installation. The customer wanted to use a self-signed certificate (instead of one from a publicly regarded certification authority). The trick was that ActiveSync from a WM6 device has the following constraints:

  1. ActiveSync won't sync over a non-standard port (e.g., https://mail.company.com:5009), even though Outlook Web Access and the ActiveSync virtual directory can be reached over that port from Internet Explorer.
  2. ActiveSync requires the server to present a valid SSL certificate before it will synchronize.

This means that port 443 must be open to the Exchange server and that the certificate bound to the Exchange Server 2007 Default Web Site must be issued by a certification authority that the device trusts. The steps are as follows:

  1. Set up an internal Certification Authority (CA)
    1. Specify the correct common name, etc. (e.g., company.com)
  2. From the Exchange Server 2007's Default Website in IIS, request a certificate for the public URL that the devices will access (e.g., https://mail.company.com)
    1. Paste the request into the https://caserver/CertSrv request web page and then download the certificate following admin approval
  3. Using the Exchange Command Console, specify the external URL for ActiveSync access
    1. Set-ActiveSyncVirtualDirectory -Identity "ExchangeServerName\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.company.com/
    2. If everything is working from an accessibility standpoint, you should be able to visit https://mail.company.com/Microsoft-Server-ActiveSync and get a 501/505 error (this is OK and is expected)
  4. Apply the certificate to the Exchange Server 2007's Default Website
  5. Ensure that the Windows Mobile 6 devices trust the same root authority that issued the certificate to the Exchange Server 2007 by placing the root certificate from the CA into the Trusted Root of the WM6 devices
    1. Open the downloaded certificate that was applied to the Exchange Server's Default Website and view the certification path
    2. Find the highest level in the certification path and click "View Certificate" (this will be the root CA that the devices must trust)
    3. Export ("Copy to File") the root CA
    4. Place the root CA certificate on the WM6 device (via a cabled connection to Windows Mobile Device Center 6.1)
    5. On the device, open the .cer file that corresponds to the root CA
    6. Check that the certificate now appears in the Trusted store on the device (e.g., the one that lists VeriSign, GoDaddy, etc.)
  6. Specify the Exchange Server connection information and conduct the ActiveSync
    1. The device may need a soft reset so it can resolve the DNS name of the specified Exchange server, because the WM6 OS caches DNS entries from the machine it was connected to (this only matters when the public resolution of the Exchange server differs from the internal one)
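Steps 3 through 5 above can be done from the Exchange Management Shell on the server instead of clicking through IIS and the certificate viewer. The following is an added example, not from the original post or from Microsoft: it sets the external URL, binds the CA-issued certificate for that host name to IIS, builds the certification path the same way the device will have to, and exports the root CA (and only the root) as a DER .cer file for the handsets. The server name, public host name and export path are placeholders; the Exchange cmdlets and .NET certificate classes used are the standard ones available on Exchange Server 2007.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the Exchange Server 2007 machine. The server name, public host name and
# export path below are placeholders (assumptions); substitute your own values.

$serverName  = "ExchangeServerName"            # placeholder: the server hosting the Default Web Site
$externalUrl = "https://mail.company.com/"     # public URL from the post
$exportPath  = "C:\Temp\InternalRootCA.cer"    # placeholder: where to write the root .cer

# Step 3: set the external URL on the ActiveSync virtual directory and read it back.
$asvdIdentity = "$serverName\Microsoft-Server-ActiveSync (Default Web Site)"
Set-ActiveSyncVirtualDirectory -Identity $asvdIdentity -ExternalUrl $externalUrl
Get-ActiveSyncVirtualDirectory -Identity $asvdIdentity | Format-List Identity, ExternalUrl

# Step 4: pick the CA-issued certificate for the public host name, skipping the
# self-signed certificate Exchange setup created (its Subject equals its Issuer),
# and bind it to IIS, which is what the devices connect to on port 443.
$hostName = ([Uri]$externalUrl).Host
$exCert = Get-ExchangeCertificate |
    Where-Object { $_.HasPrivateKey -and ($_.Subject -ne $_.Issuer) -and ($_.CertificateDomains -contains $hostName) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $exCert) { throw "No CA-issued certificate with a private key was found for $hostName" }
Enable-ExchangeCertificate -Thumbprint $exCert.Thumbprint -Services IIS

# Step 5: load the same certificate from the machine store and build its
# certification path here, so a broken chain is caught on the server rather
# than as a vague "invalid certificate" warning on the handset.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$found = $store.Certificates.Find("FindByThumbprint", $exCert.Thumbprint, $false)
$store.Close()
if ($found.Count -eq 0) { throw "Certificate $($exCert.Thumbprint) not found in LocalMachine\My" }
$serverCert = $found[0]

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # the device will not be fetching a CRL either
if (-not $chain.Build($serverCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "The server certificate does not chain to a trusted root on this machine; fix that before touching the devices"
}

# The last element of the path is the root CA: self-signed, and the only
# certificate the device needs in its Trusted Root store.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) {
    throw "Top of the chain is not a self-signed root; export aborted"
}
if ($root.Thumbprint -eq $serverCert.Thumbprint) {
    throw "The server certificate is its own root; the devices must trust a CA certificate, not the leaf"
}

# Export the root only, in DER form with no private key, for copying to the devices.
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $der)

"Server certificate : {0} (thumbprint {1})" -f $serverCert.Subject, $serverCert.Thumbprint
"Root to install    : {0} (thumbprint {1})" -f $root.Subject, $root.Thumbprint
"Written to         : {0}" -f $exportPath
```

The exported .cer is then copied to the device and opened there as in steps 5.4 through 5.6; comparing the root thumbprint printed above with the one shown in the device's Trusted store confirms that the right certificate landed. Revocation checking is disabled only for this path-building test, since the goal is to confirm the issuer chain; the root's private key never leaves the CA, and nothing in the exported file is sensitive.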

Synchronization should begin and complete successfully with no warnings about an invalid certificate. The important point is that the WM6 device must trust the root authority certificate that issued the Exchange server's certificate, not the certificate issued to Exchange itself.