Tuesday, February 03, 2009

SSL Certs and Windows Mobile

I was just consulting on this exact topic and felt that I should post this information up here since there seem to be so many other places posting half-working solutions. (Hhmmm, if I post two half-working solutions, does that make it a full solution?) OK. So here's a *working* solution!

Are you getting tired of working out how to get an SSL certificate installed on your WM devices so they can connect and download mail using ActiveSync and Exchange Push (sic)? Over trying to fight IE to get the certificate and trying to remember which format you need the cert in?

Well, there are two ways to achieve your goals. The first way needs you to go to OWA on a computer (as a user with local administrator rights), accept and install the certificate and, when doing so, place it in the following store: Trusted Root Certification Authorities (Registry), which is *only* enabled if you check the "Show physical stores" box. Now this certificate is installed on this computer. Next, still as a local administrator, in IE go to Tools\Internet Options\Content\Certificates\Export and choose the binary encoded DER format. Copy the .cer file that is generated to the Windows Mobile PDA and run it; the certificate will be installed and you can now sync to your Exchange Server.

Now for the simple way. Have a read of Scott Yost's blog entry here and then download and install his SSLChainSaver utility from the Microsoft Download Center. Once installed, you'll need to run the tool from a location where you have write permissions and it will extract all of the certificates from the SSL chain into a subdirectory. You then copy the .cer file that is generated to the Windows Mobile PDA and run it; the certificate will be installed and you can now sync to your Exchange Server.

Regards,

The Outspoken Wookie
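
A check worth running on the .cer file before it is copied to any device, as an added Python example (not from the original post and not part of SSLChainSaver): it accepts either a Base64 or a binary file, normalizes it to the DER format the post says to export, and computes the SHA-1 thumbprint to compare against the Thumbprint field in the Windows certificate dialog. The function names and the sample bytes are constructed for illustration; the sample is a placeholder DER structure, not a real certificate.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: a DER SEQUENCE header (0x30, long-form length 0x0100)
# followed by 256 filler bytes. Not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (outer header and length only)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short form: length fits in one byte
        return len(data) == 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def normalize_to_der(data: bytes) -> bytes:
    """Return DER bytes for a .cer file that is either DER or Base64 encoded."""
    match = PEM_RE.search(data)
    if match:                              # Base64 export: strip armor, decode
        data = base64.b64decode(b"".join(match.group(1).split()))
    if not der_length_ok(data):            # catches truncated or padded files
        raise ValueError("not a single DER-encoded certificate")
    return data


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, formatted like the Windows Thumbprint field."""
    return hashlib.sha1(der).hexdigest().upper()


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(thumbprint(normalize_to_der(raw)))
```
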

3 comments:

Jazza said...

The real question is what's the easiest way to push these certificates out to say 25+ mobile devices?

Trying to explain to Sales people how to download a certificate from IE will be difficult, and sending SSL certs to them interstate is also no fun!

Hilton Travis said...

G'day Jazza,

With SSLChainSaver there's no need to try and talk salespeople through using IE to export a cert - you can do it *easily* on your machine and save the cert to a network share.

Now, as for distributing it to 25 mobile devices, well, if your old certificate is still valid you can email them all the new cert. If the old cert has expired, then you could place the new cert on a web page and have them download it using Internet Explorer Mobile, save it locally, then run it and Bob's your ex-Prime Minister! :)

Chris Knight said...

Hilton,

Nice find on the SSLChainSaver, hadn't seen that before.

Might have to try that on a wildcard cert (GeoTrust) to see if it fixes the Certificate Import Wizard in SBS 2008.