Confused Amused

Recently I ran into a situation where we had purchased an Exchange certificate from a fairly common certificate authority (GeoTrust) and everything worked well with browsers automatically trusting the certificate… and then we picked up a Windows Mobile 6.0 device from Verizon. For whatever reason, Verizon or Microsoft has decided this particular CA was not trustworthy and isn’t in the default list, so ActiveSync fails to connect to the Exchange server. Fortunately, we can force the device to trust the certificate.

Windows Mobile 6.0 brought a change in how to install certificates. Users cannot install a certificate into the root certificates store on a phone unless the certificate is self-signed. This ensures that only true root certificates exist in the root store.

The pain here is that when you try installing a certificate such as the one used to secure Outlook Web Access it gets dumped in the personal store, and ActiveSync won’t connect because it can’t verify the certificate authority associated with the certificate. The solution is to get the certificate authority’s self-signed certificate into the root store. We can do this with the following steps:

1. Open Internet Explorer and navigate to the site securing OWA. Click the lock next to the address bar.

2. Click the View Certificates link.

3. Click the Certification Path tab at the top.

4. Click the top certificate name first (the root CA) and then click View Certificate.

5. Click the Details tab.

6. Click the Copy to File… button.

7. Click Next to start the Certificate Export Wizard.

8. Click Next to export the certificate as a DER encoded binary X.509 (.CER)

9. Browse to a location where you’d like to save the certificate and give it a name.

10. Click Finish to complete the Certificate Export Wizard.

11. You should see a dialog that the export was successful.

12. Now copy that .cer file you created to the device in some way. Via a storage card, USB cable, Bluetooth, whatever. Just get the .cer in the file structure of the phone somehow.

13. Power up the phone and click Start.

14. Find and open File Explorer.

15. Locate the .cer file you copied to the phone. I called mine root.cer.

16. Press Menu and then Install.

17. You should see a dialog that the install was successful. I’ve seen it fail on the first attempt before, so try a few times if you get an error. Press OK.

18. Navigate to the phone’s Settings option.

19. Click on Security and press OK.

20. Click on Certificates and press OK.

21. Click on Root and press OK.

22. Scroll to the end of the certificates list or keep pressing More. You should see the certificate you installed listed at the very end of the list. If it’s not there, try starting over and making sure you’re exporting the certificate authority’s certificate, and not yours.

You can now test ActiveSync and it should be able to connect to the Exchange server without ever needing to install your OWA certificate. It’s automatically trusted because the certificate authority now exists in your root certificates store.

This entry was posted on Tuesday, October 9th, 2007 at 5:23 pm and is filed under Exchange Server 2007. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.