Adding SSL Certificates 201

Advanced issues you might run into when trying to add your own SSL certificates to the device for browsing or Exchange ActiveSync. (summary and discussion of the core problem here)

Some servers do not send down the entire certificate chain at the beginning of the SSL session; this is a configuration option on the server. Windows Mobile 5.0 devices do not have the ability to dynamically fetch the intermediate certificates (desktop Windows can). A symptom of this is that you have added the root certificate for your site, but the browser on the device still isn't recognizing the certificate. To make this scenario work, you need to grab the intermediate certs (every cert in the chain except the first and the last, i.e. everything between the server's own certificate and the root) and add them to the device using the XML method previously discussed on this blog. When creating the XML for the intermediate certs, change the certificate store in the XML from "ROOT" to "CA". Another way to figure out whether you have this problem is to check out the site in Firefox: Firefox doesn't chase down the intermediate certs either, so if it complains about the SSL connection then you probably have this problem.

The browser and the sync client use the same underlying APIs for SSL connections, so if the browser can make a secure connection to your site without prompting that the SSL connection is bad, then SSL is not the problem. It's easiest to use this method to isolate any SSL problems: once the browser can connect to your server, move on to troubleshooting the sync connection (check the Exchange server logs, etc.).
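To show the intermediate-cert step above in working form, here is an added example (not code from this blog) that takes a PEM bundle in server order (leaf first, root last), picks out the intermediates, and emits one provisioning XML per certificate store, with the intermediates going to "CA" and the root to "ROOT". It assumes the CertificateStore provisioning layout (a characteristic per store, a characteristic named by the cert's SHA-1 thumbprint, and an EncodedCertificate parm holding the base64 DER); the sample "certificates" are constructed placeholder bytes, not real certs.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Matches each PEM certificate block in a bundle, capturing its base64 body.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem(der):
    """Wrap DER bytes as a PEM block (used only to build the constructed sample)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


# Constructed sample bundle: placeholder bytes standing in for a 3-cert chain.
SAMPLE_BUNDLE = pem(b"leaf") + pem(b"intermediate") + pem(b"root")


def split_chain(pem_bundle):
    """Return (leaf, intermediates, root) as DER bytes.
    Assumes server order: the site's own cert first, the root last."""
    ders = [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_bundle)]
    if len(ders) < 2:
        raise ValueError("bundle must contain at least a leaf and a root")
    return ders[0], ders[1:-1], ders[-1]


def thumbprint(der):
    """SHA-1 thumbprint of the DER cert, as the provisioning XML names each entry."""
    return hashlib.sha1(der).hexdigest().upper()


def provisioning_xml(store_name, ders):
    """Build one wap-provisioningdoc installing `ders` into the given store ("ROOT" or "CA")."""
    doc = ET.Element("wap-provisioningdoc")
    cs = ET.SubElement(doc, "characteristic", type="CertificateStore")
    store = ET.SubElement(cs, "characteristic", type=store_name)
    for der in ders:
        entry = ET.SubElement(store, "characteristic", type=thumbprint(der))
        ET.SubElement(entry, "parm", name="EncodedCertificate",
                      value=base64.b64encode(der).decode())
    return ET.tostring(doc, encoding="unicode")


def build_provisioning(pem_bundle):
    """Map store name -> XML; the leaf is never provisioned, only the CA material."""
    _leaf, intermediates, root = split_chain(pem_bundle)
    out = {"ROOT": provisioning_xml("ROOT", [root])}
    if intermediates:  # only needed when the server does not send the full chain
        out["CA"] = provisioning_xml("CA", intermediates)
    return out
```

Feed it the chain exported from your server (or from the browser on a desktop machine) and push the resulting XML files to the device with the method from the earlier post.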


Scott


edit : added bit about firefox

edit 3/28: added links inline to other posts on the topic