Introducing the SslChainSaver


Say hello to the SslChainSaver tool. This is a tool that I wrote internally to troubleshoot SSL connections, and I'm finally able to offer it publicly. Use this tool when you need to add new root or intermediate certificates to a device so that it can make an SSL connection to a particular server.

Features:

  - makes CertificateStore XML out of the entire certificate chain
  - saves all the certificates out to disk for further inspection
  - identifies servers that are not sending down the entire certificate chain
  - can optionally connect to ports other than 443


The XML from this tool will allow the device to connect to servers that aren't sending down the entire chain, because the XML contains all the intermediate certificates the device would otherwise have had to receive during the handshake.

Usage is simple:

> sslchainsaver mail.company.com

This will create a directory called mail.company.com which contains all the certificates from the SSL chain. It will also create a file called mail.company.com.xml which can be pushed over rapiconfig or put in a CAB file for installation on devices.
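As an added example that is not the SslChainSaver source (the tool itself is a .NET program), here is the same diagnosis sketched in Python: order the certificates the server presented by following issuer links, report which intermediates the device would need but did not receive, note when no self-signed root can be reached at all, check that the hostname matches the leaf, and emit a CertificateStore provisioning XML for the certificates to push. The `Cert` values at the bottom are constructed placeholders (the DER bytes are not real certificates); `cert_from_pem` assumes the third-party `cryptography` package is installed; and the XML layout (ROOT and CA characteristics keyed by SHA-1 thumbprint, an `EncodedCertificate` parm) is my recollection of the Windows Mobile provisioning schema and should be checked against the SDK documentation.

```python
"""Added example, not the SslChainSaver source: rebuild a server's certificate
chain, report the gaps a Windows Mobile device would trip over, and write a
CertificateStore provisioning XML for the certificates that must be pushed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str                      # distinguished name, e.g. "CN=mail.company.com"
    issuer: str
    der: bytes                        # DER encoding; thumbprint and XML derive from it
    dns_names: Tuple[str, ...] = ()   # hostnames the certificate is valid for

    @property
    def self_signed(self) -> bool:
        # Name comparison only; a full check would also verify the signature.
        return self.subject == self.issuer

    @property
    def thumbprint(self) -> str:
        return hashlib.sha1(self.der).hexdigest().upper()


@dataclass
class ChainReport:
    chain: List[Cert]                 # leaf first, root last when a root was reached
    missing_from_server: List[Cert]   # intermediates needed but not sent in the handshake
    root_found: bool                  # False: partial chain and nothing local completes it
    hostname_ok: bool                 # False: ActiveSync will refuse the connection anyway


def _find_issuer(cert: Cert, pool: Iterable[Cert]) -> Optional[Cert]:
    return next((c for c in pool if c.subject == cert.issuer), None)


def hostname_matches(host: str, cert: Cert) -> bool:
    """Exact match or a single-label wildcard in the leftmost label."""
    host = host.lower()
    for name in (n.lower() for n in cert.dns_names):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False


def analyse_chain(host: str, presented: Sequence[Cert],
                  local_store: Sequence[Cert] = ()) -> ChainReport:
    """presented: certificates in the order the server sent them (leaf first).
    local_store: roots and cached intermediates the analysing machine already
    has (AIA fetching is not modelled here)."""
    leaf = presented[0]
    chain, seen = [leaf], {leaf.thumbprint}
    while not chain[-1].self_signed:
        nxt = _find_issuer(chain[-1], presented) or _find_issuer(chain[-1], local_store)
        if nxt is None or nxt.thumbprint in seen:   # gap, or a loop in the names
            break
        chain.append(nxt)
        seen.add(nxt.thumbprint)
    sent = {c.thumbprint for c in presented}
    intermediates = [c for c in chain[1:] if not c.self_signed]
    return ChainReport(chain=chain,
                       missing_from_server=[c for c in intermediates if c.thumbprint not in sent],
                       root_found=chain[-1].self_signed,
                       hostname_ok=hostname_matches(host, leaf))


def certificate_store_xml(certs: Sequence[Cert]) -> bytes:
    """Provisioning XML (assumed schema): self-signed certs go under ROOT,
    everything else under CA, each keyed by its SHA-1 thumbprint. Written as
    ASCII rather than UTF-8 because a commenter found UTF-8 output refused."""
    doc = ET.Element("wap-provisioningdoc")
    store = ET.SubElement(doc, "characteristic", type="CertificateStore")
    groups = {}
    for c in certs:
        name = "ROOT" if c.self_signed else "CA"
        groups.setdefault(name, ET.SubElement(store, "characteristic", type=name))
        entry = ET.SubElement(groups[name], "characteristic", type=c.thumbprint)
        ET.SubElement(entry, "parm", name="EncodedCertificate",
                      value=base64.b64encode(c.der).decode("ascii"))
    return ET.tostring(doc, encoding="us-ascii", xml_declaration=True)


def cert_from_pem(pem: bytes) -> Cert:
    """Turn a real PEM certificate into a Cert; needs the 'cryptography' package."""
    from cryptography import x509
    from cryptography.hazmat.primitives import serialization
    c = x509.load_pem_x509_certificate(pem)
    try:
        san = c.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names = tuple(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        names = ()
    return Cert(c.subject.rfc4514_string(), c.issuer.rfc4514_string(),
                c.public_bytes(serialization.Encoding.DER), names)


# Constructed sample chain: the DER bytes are placeholders, not real certificates.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", b"constructed-root-der")
INTER = Cert("CN=Example Issuing CA", "CN=Example Root CA", b"constructed-inter-der")
LEAF = Cert("CN=mail.company.com", "CN=Example Issuing CA", b"constructed-leaf-der",
            ("mail.company.com",))

if __name__ == "__main__":
    # Server sends only the leaf; the intermediate and root are known locally.
    rep = analyse_chain("mail.company.com", [LEAF], [INTER, ROOT])
    print(f"Chain contained {len(rep.chain)} certificates; root found: {rep.root_found}")
    print("Missing from server:", [c.subject for c in rep.missing_from_server])
    print(certificate_store_xml(rep.missing_from_server + [ROOT]).decode("ascii"))
```

To run this against a real server, capture the handshake with `openssl s_client -connect mail.company.com:443 -showcerts`, pass each PEM block through `cert_from_pem`, and hand the list to `analyse_chain` together with whatever roots the workstation trusts. A report with `root_found` false and nothing missing means the server sent a partial chain and nothing on hand completes it; that is the case where the server has to be fixed or the root obtained out-of-band.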



update 5/18/2008: Version 2 is now released

Comments (62)

  1. Jay says:

    Thanks Scott, this is great!

  2. Tukker Tom says:

    Unfortunately I have no trouble with adding an SSL certificate for Exchange Server synchronization. I do have a problem with the following, maybe you can also shine your light on this:

    I have an E-mail certificate that authenticates my E-mail address. When I use this certificate on an Outlook client all works well. When using this certificate on my Qtek 9100 device it doesn’t…. Can you give a hint/tip?

    In my Outlook client I did the following:

    Tools>Options>Security Tab>Get A digital ID button

    This links to the following page

    http://office.microsoft.com/en-us/marketplace/EY010504841033.aspx

    There is a certificate authority which gives free personal usage certificates to sign messages:

    http://www.comodogroup.com/products/certificate_services/email_certif

    I got one of those certificates and used it in my Outlook 2003 client. It works OK! Now I want to use that same certificate on my Windows Mobile 5 device.

    In Windows Mobile 5 I do the following:

    Messages>New>Enter an e-mail address in the To field

    I press Menu and choose Message Options

    I enable Sign Message

    I enter a Subject and a Body

    I press Send

    ERROR: "The message cannot be signed because you do not have a certificate for sending signed e-mail. Insert a smart card with the certificate."

    Well I tried to import the certificate, this doesn’t work.

    Please advise? Anybody had luck with installing free certificates to sign your E-mail messages?

    Best Regards Tom from Holland

  3. Simon Jackson says:

    The tool sounds great. Can it help me discover why my user certificate is erased from the device sometimes when I am running EAS via ISA server with constrained delegation?

    I have been told that this is a known bug? Why would my legit cert get erased from my device?

    Thanks,

    Sam.

  4. Chris Lakey says:

    Perhaps I am trying to run the program incorrectly?

    If I extract the compressed downloaded file, there is the /bin/ directory. If I open a command window, navigate to this directory and run ‘sslchainsaver webmail.mydomain.com.au’ I get the following Error:

    The application failed to initialize properly (0xc0000135). Click OK to terminate the application.

    I get the same error if I supply no arguments to sslchainsaver.

    I am running this from my workstation XP Pro SP2..

    (Am I meant to run from mailserver??)

    Thanks.

  5. scyost says:

    Chris – it does require the .NET Framework 2.0. Do you have that installed on the workstation?

  6. Justin Millner says:

    Great bit of code, works a treat.  Justin – Thanks

  7. Jonathan says:

    What is rapiconfig and how does it work?

  8. Christian Bachtrögl says:

    Finally I managed to sync WM5 with Exchange 2003 over SSL!

    Great App!

  9. Charles Miller says:

    Thank you so much. I have two Verizon Treo 700w that I needed to get set up and have spent three full days researching how to get our self-signed certs to install. Once I found and installed your tool, the problem was fixed in minutes. Nice job and thank you once again.

  10. Craig Shaffer says:

    I am unsuccessfully trying to get an intermediate certificate on the Motorola Q.

    I have created the XML file now and have made a CAB file from it, but when I try to run the CAB on my Motorola Q, I get

    "Installation of xxxxxx.cab was unsuccessful. The installation file is not intended for this device"

    Anyone else had this problem?  Shed some light to the blind?

    Please email cshaffer1 at hines dot com with any love…

  11. Brad says:

    Can you give me a step by step procedure of how to use this tool? I am confused. I have downloaded it and when I try running the SSL Chain Saver program (I installed .NET Framework 2.0) nothing happens. What am I not doing?

  12. Brad says:

    Okay. So I figured this out on my own. Great tool. Worked really well, but for a novice this is more difficult than running a program. For anyone else that finds this page, this tool should correct your syncing problems with an Exchange server without problem!!

    Follow these directions

    Besides this software you will need the following:

    -Windows Mobile 5.0 Smartphone SDK (downloadable through MSDN)

    -Visual Studio 5.0 or higher (MSDN had a free trial as of 11/4/2006)

    - .NET Framework 2.0 (you should be able to get this from the Visual Studio 5.0 download, if not download it from Microsoft)

    Once everything is downloaded and installed you will need to follow these instructions:

    Open the command prompt and navigate to the folder which has the SSLChainsaver. In this example the folder is in the C: drive and named "test"

    C:\Test\bin\release by typing cd C:\Test\bin\release

    4) Type sslchainsaver mail.yourdomain.com

    5) All the certificates (root and intermediate) are extracted to a folder under C:\Test\bin\release named mail.yourdomain.com

    6) Copy all the certificates to your device

    7) Install them one by one on the device by tapping on them in the same order as listed on the actual certificate from File Explorer

  13. scyost says:

    Unfortunately the process is more complicated on some devices – for those devices where certinst won’t work out of the box, you’ll have to use the CAB method linked from the post.

  14. Doug Steinschneider says:

    I’m posting here to explain how this tool worked for me and hopefully to learn more about certificates. I started with SBS 2003 SP1. It came from the Action Pack that shipped just before the October one that included the SBS 2003 R2 DVD. I applied Exchange SP2 and the AKU2 firmware update to my Verizon XV6700. I then ran CEICW and it walked me through creating the cert. I confess that I don’t remember which guide I then followed to get the cert installed on the phone, but I got it installed and it worked fine with Direct Push until I upgraded the SBS 2003 to R2. This involved installing the premium technologies CDs which are essentially SQL 2005 WGE and ISA 2004. I only installed the SQL upgrade and then upgraded my companyweb to ASP.Net 2. I also uninstalled the Sharepoint MSDE instance and installed a 3rd instance of SQL 2005 and upgraded SharePoint to that instance. During those steps I somehow invalidated my CA. It was then pretty easy to figure out how to re-run CEICW and get OWA running again with a new cert (removed old one first). At this point I tried copying the sbscert.cer over to the phone and using SpAddCert.exe to import the cert, but that didn’t work. I then found this thread and ran sslchainsaver and the resulting root.cer file worked with SpAddCert on the phone and I’m now back online with Direct Push. Many thanks for creating this tool!

  15. scyost says:

    note to self – I’ve found two conditions that will cause a failure to sync that the SSLChainSaver tool won’t detect.

    1) The hostname you’re connecting to doesn’t match the hostname in the certificate. Activesync won’t ever make an SSL connection in these circumstances.

    2) The server only sends down a partial chain AND doesn’t send the AIA link to get the rest of the chain, so Windows can’t even reconstruct the certificate chain. In this case, the tool won’t have the root cert to put in the output XML. In this case you really have to fix the server, or somehow get a copy of the root certificate out-of-band.

    Both of these can be detected at runtime by the tool, so in the future I’d like to make that improvement.

  16. Get error: "Connection refused: The target machine actively refused it". Mail.domain.com is the host name on an RHEL AS server. No firewall.

    Any ideas?

    Cheers

    Kirby

  17. Karoly says:

    First I could not install the cab file that SSLChainSaver generated, I got an error message that installation was unsuccessful.

    After some playing around, I changed the "xwri = new XmlTextWriter(filename, Encoding.UTF8);" line to "xwri = new XmlTextWriter(filename, Encoding.ASCII);", recompiled it and now I can install the cab files. I am pretty surprised that nobody had this problem before.

    Also, is there a way to create cab files that can be installed on PPC 2003 as well?

    Thanks

  18. scyost says:

    Hi Karoly,

    Good catch! Are you using this against 2003 devices? WM5 supports UTF8 XML on both platforms so I’d expect it to work on a WM5 device.

    I’m not entirely sure how much XML cab support there was in PPC 2003. What happens if you rename the cab to CPF when you install it on the PPC 2003 device?

  19. Karoly says:

    Scott,

    Thanks for your reply. It was a WM5 device (a T-Mobile MDA) that gave me the error message about unsuccessful installation. So I guess WM5 does not support UTF8 XML…

    My other device, an iPAQ with PPC2003 on it gives a different error message: "rootcert.cab is not a valid Windows CE Setup file". If I rename the cab to CPF and try to install it, it simply gets deleted without having the certificates installed.

  20. scyost says:

    I think the most compatible thing to do here is change the encoding to ASCII. I’ll try to do that in a future update.

  21. Garth says:

    When would the next release coming out? and is there a way to accomplish the same task without it?  I am having the same ASCII problem.

  22. scyost says:

    I have the changes mostly written. I would estimate sometime in the next few weeks. In the meantime, you could either fix it and recompile it, or open the XML that it generates in notepad and resave it as ASCII instead of UTF-8.

  23. I have some problem using it on a Zimbra server… I’ll try again.

  24. EJ says:

    I used the tool to generate the XML and then followed the directions on creating the CAB file from it.  But when I execute this CAB from my Samsung i730 I just get the error message "Installation of rootcert.cab was unsuccessful."  Do you know if this has worked on this model of phone before?

    Thanks!

    Erik

  25. scyost says:

    So I said "a few weeks" above but it’s going to be quite a bit longer. Gotdotnet is going away so I need to find a new home, and there’s a lot of paperwork involved in doing that.

  26. FMF says:

    Awesome tool, thanks.  It worked with wm5 and moto q, ran the sslchain got 2 certs put it on the device and installed. Great work!

  27. James says:

    Tried this and got the error:

    Chain contained 3 certificates

    Needed 2 certs from the server but got 1

    You must install the intermediate certs onto the device.

    I have the root and intermediate certs installed.  Any thoughts?

    Only have one cert installed on this box

  28. Anandh Sharma says:

    Need to convert certificate file to cab to install on WIndows mobile device

  29. dfletch says:

    The link to the source code and binary is broken.

  30. scyost says:

    thanks – I’ve updated the link

  31. Brett says:

    The link to the source code and binary is broken again 🙁 This has been phased out by Micro$oft.

    Would you have another link/source?

  32. scyost says:

    The link is still working for me. Are you still seeing it as broken?

  33. Currey says:

    I get this error message…

    Connect failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

    What would cause this?

  34. scyost says:

    I’d guess either the site you’re trying to connect to is down, or an outbound firewall on your machine (like OneCare) is blocking the connection outwards.

  35. Jason says:

    Hi,

    You mentioned as one of the conditions the tool doesn’t work is that..

    "2) The server only sends down a partial chain AND doesn’t send the AIA link to get the rest of the chain, so Windows can’t even reconstruct the certificate chain. In this case, the tool won’t have the root cert to put in the output XML. In this case you really have to fix the server, or somehow get a copy of the root certificate out-of-band."

    Is there any easy way of configuring the server to make sure it passes down the full chain? Been looking for that for a while, and its annoying having to install the full chain on the mobiles.

  36. scyost says:

    Good question, Jason.

    I’m not really an expert on web servers. The one thing that I have found to work with IIS is to make sure that the machine that is terminating the connection has each certificate installed on it. Sometimes that machine has only the server cert and not the intermediates and root – in that case it definitely won’t send all the necessary certificates during the handshake.

    Scott

  37. Craig says:

    Any idea where I might be able to get the sslchainsaver tool from today? I’m having a bear of a time for a large enterprise mobile project – but I’m having trouble with the certs. I think the entire chain isn’t getting sent properly – and this tool would be able to help me identify what’s missing

  38. Andrew says:

    The link is down (i.e. gotdotnet is closed for business). I am not sure that this tool is what I am looking for, but I thought I would mention it.

    I set up my HTC Trinity (Dopod D810) to download emails from my company Exchange server (webex.companyname.com), which has been working fine, but recently it stopped, telling me that the server security certificate had expired and  gave me the error 0x80072F05. I vaguely remember having had some issue with certificates when I first set the link up, but I can’t remember what it was. There is no need to answer this posting – I shall be checking with our IT guys tomorrow – but I thought I would mention the issue.

  39. Barry says:

    Can we download sslchainserver from anywhere else?

    thanks!

  40. Charlie says:

    Running the program as a domain administrator returns this error.

    SSLChainSaver>sslchainsaver mail.mycompany.com

    Unexpected failure: Request for the permission of type ‘System.Net.DnsPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.

  41. scyost says:

    I haven’t seen that before. Are you running the tool off of a network share by any chance?

  42. Wictor Wilen says:

    Certificate problems with Windows Mobile and Active Sync seems to be a pretty common cause of not being able to synchronize you mobile phone with Microsoft Exchange, but despite the number of web pag…

  43. Evil Craig says:

    The download page has gone. Boo Hoo. Any luck trying to find an alternate download source for this?

  44. Ernesto says:

    please can someone upload this tool again?

  45. Richard says:

    Looking for this file as well please!

  46. Bill says:

    With regard to not getting the entire chain from a server: I have found when publishing an SSL site with ISA Server 2006 that you need to ensure the root cert for your site is in the local computer root store, and that the intermediate is in the intermediate store.  If the certs are not in their proper places then the chain is sometimes not fully exposed.  I am not sure if native IIS has this behavior as well, but it is worth a shot.

  47. scyost says:

    Thanks for the tip, Bill. That matches my experience as well.

  48. Brian says:

    Can someone please tell me where to download this?

    I tried here but it gets to 20% and dies

    http://wiki.zimbra.com/index.php?title=Moble_Device_Setup

    Thanks

  49. Brandon says:

    when i extracted the certs from sslchainsaver it only gave me a root.cer and no intermediate.

    I installed the root.cer on my Samsung SCH-i760 and now I received the error 0x80072F06.

    What else do I need to do?

    I used sslchainsaver from my user login on the network.  Should I be logged in as admin?

    Thanks,

    Brandon

  50. scyost says:

    That error usually means that the site’s name doesn’t match the name on the certificate. Is there an OWA web page that you can connect to via IE or Firefox? See if one of those browsers is able to make a secure connection to the site. If not, then the server might be slightly misconfigured.

  51. Brandon says:

    Scott,

    Thank you for your prompt reply.  I just noticed that our OWA is NOT currently https so I am getting that fixed right now and then I will go from there.

    Thanks,

    Brandon

  52. Two years ago I released the first version of the SSLChainSaver tool. This tool helps you diagnose and

  53. Charles says:

    Hey Scott.. I have a site called

    https://webmail.intelllisyn.com

    self assigned cert… downloaded and installed… I still can’t get here.. any ideas?

    step by step ?

    I’ll try and grab the error code

  54. scyost says:

    Hey Charles, I looked at it quickly and it looks okay. The only thing that stuck out is that you have five different CNs in the subject. I’m not sure off the top of my head if that is legal or not.

  55. TKS says:

    Hi sslchainsaver down loaded 2 certificates. It also gave the following error:

    "We were unable to find a self-signed root certificate. The server must send the root certificate during the SSL handshake. Windows Mobile device will not be able to connect through Activesync."

    I installed the 2 certificates on my blackjack II and now I am able to access the OWA site through IE. But, activesync is still failing with the error ‘The security certificate on the server is not valid’ code: 0x80072F0D. Is there anything else that I need to do?

  56. scyost says:

    Rapiconfig comes in the windows mobile SDK.

  57. Grateful says:

    Thank you so much for this program! You saved my job :o)

  58. Challenged_user says:

    The put in link only shows one how to create a CAB file, not how to install it.

  59. MSDNArchive says:

    Transfer the CAB file to your device and click on it in the File Explorer.  This article may be helpful as well:

    http://www.pocketpccentral.net/help/tutorials/install_cab_file.htm
