SSLChainSaver v2 released

Two years ago I released the first version of the SSLChainSaver tool. This tool helps you diagnose and repair SSL problems on Windows Mobile devices. After a very long delay, Version 2 is now up on the Microsoft download center. I wasn’t able to release the source code this time. The usage instructions are similar to the previous version:

From a command prompt, run the tool.

> sslchainsaver

This will create a directory called which contains all the certificates from the SSL chain. It will also create files called and which can be installed over USB using rapiconfig or put in a CAB file for installation on device.

New features:

  • Creates versions of the XML for Windows Mobile 5 and 6. The WM6 version of the XML should always be able to be installed on WM6 devices – it installs certs to the user store so the security policies on the device should never block it.

  • Tries to diagnose many common SSL problems – no root cert sent by the server, common name mismatch, wildcard certs w/ WM5 devices, etc.

Known Issues:

  • The tool needs to be able to write to the current directory in order to save the files. If you install to \Program Files on Vista and are not running an admin command prompt, it won’t be able to write out the certs. Either install it to a directory where you have write access (like Documents) or run from an elevated command prompt.

  • The tool can detect a common name mismatch on the cert but it doesn’t parse the “SubjectAltNames” extension. If your certificates are using SubjectAltNames, the tool will report a name mismatch but the certs will really work fine.
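
The checks described above (name mismatch with and without SubjectAltNames, wildcard names, no self-signed root in the chain the server sends), as an added example that is not SSLChainSaver's code, whose source was not released. It works on certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, finding labels and sample certificates are constructed for illustration, and "self-signed" is judged by subject equal to issuer only, with no signature check.

```python
# Added example, not the tool's code. Certificates use the dict layout of
# ssl.SSLSocket.getpeercert(); every sample value below is constructed.

def _field(name, key):
    """First value of `key` (e.g. 'commonName') in a subject/issuer tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def _matches(pattern, host):
    """Case-insensitive match; '*' counts only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(chain, host):
    """chain: leaf certificate first. Returns a sorted list of findings."""
    findings = set()
    leaf = chain[0]
    cn = _field(leaf["subject"], "commonName") or ""
    sans = [v for t, v in leaf.get("subjectAltName", ()) if t == "DNS"]
    cn_ok = _matches(cn, host)
    san_ok = any(_matches(s, host) for s in sans)
    if not cn_ok and san_ok:
        # A CN-only check reports a mismatch here; the SAN entry covers the host.
        findings.add("cn-mismatch-but-san-matches")
    elif not cn_ok:
        findings.add("name-mismatch")
    if cn.startswith("*.") or any(s.startswith("*.") for s in sans):
        findings.add("wildcard-cert")  # listed above as a problem on WM5
    if not any(c["subject"] == c["issuer"] for c in chain):
        findings.add("no-self-signed-root-sent")  # name comparison only
    return sorted(findings)

def name(cn):
    return ((("commonName", cn),),)

LEAF = {"subject": name("mail.example.test"), "issuer": name("Example Issuing CA"),
        "subjectAltName": (("DNS", "mail.example.test"), ("DNS", "sync.example.test"))}
INTERMEDIATE = {"subject": name("Example Issuing CA"), "issuer": name("Example Root CA")}
ROOT = {"subject": name("Example Root CA"), "issuer": name("Example Root CA")}
WILD = {"subject": name("*.example.test"), "issuer": name("*.example.test")}
```

`diagnose([LEAF, INTERMEDIATE], "sync.example.test")` returns both the SAN-covered name finding and the missing-root finding, the two situations that come up repeatedly in the comments.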

Let me know here if you have any problems with it. I hope it helps you out.


Comments (24)

  1. Where does this install to?  I have .NET framework 2.0 installed, but when I type sslchainsaver at a command prompt, it comes back as: "’sslchainsaver’ is not recognized as an internal or external command,

    operable program or batch file."

  2. scyost says:

    It’s one of the options you can pick during install. By default I think it will go to "C:\Program Files\Microsoft SSL ChainSaver"

  3. Prashanth says:

    I ran the SSL Chainserver and it created two certificates (a root and a leaf). Now to create a .CAB file do I make use of only the root certificate?


  4. scyost says:

    Hey Prashanth,

    Use the .XML files that are created in the same directory as the tool. That XML file contains all of the certificates for the chain.

  5. Scott_King says:

    I’m trying to use the tool to get the SSL chain from my LCS 2005 Access Proxy to my Motorola Q.  I have a Verisign Public cert at, using TLS on TCP 5061.  I tried the tool at FQDN:5061 and get Connection failed: No such host is known.  I tried it with the defaults and get connection refused, which makes sense since I’m not using 443.

  6. scyost says:

    Hey Scott,

    Make sure you don’t put the colon there between the FQDN and the port. I was able to connect to your server when I put a space there.

  7. Jason_AWS says:

    I’m having problems getting the cert to install on my Verizon XV6800.  I downloaded SSL Chain Saver and used it per your directions.  I took the WM6 file and turned it into a .cab file following the link below  I didn’t change anything in the file I did rename it to include _setup.  I even tried it without the _setup.  Every time I try to install the CAB file I get installation unsuccessful.  The site I’m going to is  Any help you can give me on this would be great.



  8. Connecting to an emulator and configuring it with Exchange through ActiveSync If we configure an emulator

  9. victor says:

    hi scott,

    i have downloaded this program and have followed your directions to open at the command prompt. When i enter the information it doesn’t do anything. what am i doing wrong? i installed the program on my desktop, not my server. am running xp pro sp2 and have a HTC 6800 w/ WM6. my main issue is phone is not recognizing self generated certificate and i cannot active sync remotely. is this the right fix? please help

    thanks victor

  10. scottseely20 says:

    Scott et al.,

    I can’t get this website to work on wm 6.1.

    I know it will not load up on IE when you have 3.0 ssl checked under tools/advanced..Any ideas???

    Thanks in advance!


  11. scottseely20 says:


    website is:


  12. Tamarack says:

    Just a little note to anyone who read over the instructions a bit too quickly… (cough cough me)

    When you run the command prompt be sure to change the directory to C:\program files\microsoft SSL ChainSaver

    Then it will work correctly.

  13. Justin says:

    "This file does not have a program associated with it…" is the error I am receiving when I put what you said into run. I have .NET framework 2.0 installed and put the file in "C:\Program Files\Microsoft SSL ChainSaver."  What is the problem?

  14. Adam says:


    I can’t seem to get this SSL Chainsaver to work..

    I’ve downloaded it, installed it and using the syntax above in the root of the SSL ChainSaver directory i get the following error:

    "chain contained 2 certificates

    Cert 1. Issued to:

    Unexpected failure: Access to the path ‘’ is denied."

    I’m using Windows Vista Ultimate if that makes any difference. Any help appreciated.

  15. scyost says:

    Hey Adam,

    I think your situation is covered in the known issues list in this post. (the first one)

  16. Laura Lewis says:

    I am having difficulty with an Entrust issued Cert with an intermediate Entrust-L1A in the chain. My WM6.1 devices error with an invalid cert on connect. Using SSLChainSaver I’ve tried the WM6.xml in CAB file but the WM6.1 device fails to install. My question, is the WM6.xml supposed to work on a 6.1 device?

  17. Matt says:


    I went through and created the .cab but it uninstalls unsuccessfully. I was able to download and install the program.  I created the xml files.  i took the one for wm6 and ran the command to make it a cab file.  I installed the cab file on my phone and tried to install it from there but i get "installation of was unsuccessful".  Any ideas on what I missed?  Did wrong?


  18. scyost says:

    @Laura: Yes, it should definitely work w/ a 6.1 device.

    @Matt: It’s just a guess, but it’s possible there was an error during cab creation. The XML file has to be renamed exactly to _setup.xml. (with the underscore and everything) Some people have run into problems when they forgot to rename the XML or didn’t get the name exactly right.

  19. nicholasr347 says:

    I’m in an Exchange environment where our Internal Exchange server address is different to the external Exchange address. I tried the above process and completed all the commands successfully but still unable to connect via ActiveSync.

    Is there anything further i can try or do i need to wait for our IT team to fix the SSL certificate error (which is in regards to the incorrect domain name)

  20. scyost says:

    I don’t think you’ll be able to connect if the CN on the cert doesn’t match the server name. I believe SslChainsaver v2 will alert you to that when you run it.

  21. woody0 says:

    When I ran sslchainsaver.exe, it produced the following error:

    Error: We were unable to find a self-signed root certificate. The server must send the root certificate during the SSL handshake. Windows Mobile devices will not be able to connect via ActiveSync.

    The ‘’ folder contained a copy of the leaf certificate (that was produced from a private certificate server), but neither of the xml files contained any thumbprint or certificate information.

    I have tried installing both the root and the leaf certificate manually (as per , and  I can browse to the site in question from the mobile device, but I still get the error: "the certificate was issued by a company you have not chosen to trust".

    Is there something I need to change in IIS to send the root certificate as part of the SSL handshake?

  22. scyost says:

    hey Woody,

    in my experience, you can fix that by installing that whole certificate chain onto the IIS box. discussion @

  23. Daniel Johns says:

    Hi there, really need help with ActiveSync.

    This is the response I get from SSLChainSaver


    C:\Program Files\Microsoft SSL ChainSaver>SSLCHAINSAVER RODNEXCH01.LOWRIBECK.CO.


    Chain contained 1 certificates

    Cert 0. Issued to:

    ERROR: We were unable to find a self-signed root certificate.

    The server must send the root certificate during the SSL handshake.

    Windows Mobile devices will not be able to connect via ActiveSync

    Certificate XML created. Use "rapiconfig RODNEXCH01.LOWRIBECK.CO.UK.wm6.xml" to

    add the certs to a connected device or create a CAB file.


    I am currently using a trial certificate from Thawte. My question is have I done everything correct and this error is as a result of the test certificate? I don’t want to recommend purchasing a certificate if I’m still going to have this problem.

    I really do not understand certification at all and really struggling to get ActiveSync working.

    Any and all help greatly appreciated.