Windows Mobile ActiveSync and New Exchange Certificates December 14, 2009
Posted by williamhatter in Microsoft Exchange. Tags: ActiveSync, Certificates, Exchange, Microsoft, OWA, SSL
Last week our company ran into a problem with upgrading our Exchange VeriSign security certificate and the Windows Mobile phones from Verizon that some of our users were carrying. Unfortunately, after many calls to VeriSign, Verizon and Samsung, we were still unable to get ActiveSync to replicate any changes from Exchange to the users' phones without disabling SSL.
As any security-conscious administrator knows, you NEVER want to disable SSL, especially when sending or receiving sensitive company information.
The problem was that the phones' root certificate store didn't include the VeriSign root (really Samsung's fault; that's a plainly major oversight), and the phones wouldn't download the new certificate properly without a trusted root authority. Thankfully, the solution is pretty straightforward and relatively simple. The following instructions work both for third-party certificates and for your own certificates.
If you're a small business and want to avoid the not insignificant cost of purchasing a certificate every year, you should start by looking at SSL-enabling OWA 2003 using your own certificate authority at MSExchange.org.
Before we're able to export the required certificates, we need to make sure that the one(s) we are looking for are actually installed. We do this by browsing to the site that has the certificate we need, and installing the certificate when prompted.
After we have the appropriate certificate installed on our computer, we have to export the current third-party certificate installed locally. If you are running XP, Vista, or Win7, open Start->Run->MMC.
After the Management Console opens, we need to add the Certificates snap-in by going to File->Add/Remove Snap-in, where we select the Certificates snap-in and add it to the console. Select "Computer Account" when asked which account's certificates to manage. Once the snap-in has been added, expand the Trusted Root Certificates branch, and then select Certificates.
You should now be looking at a list of all the root certificates installed on your computer. Select the certificate we wish to export, right-click on it, and select All Tasks->Export. When given the export options, make sure to select the Base-64 encoded format. I usually create a C:\CABS location where I'm going to be doing all my work. Save the file with whatever name you desire (I usually name it cert.cer), making sure to use a .CER extension.
Once the file is saved, we need to create the following within Notepad (I use Programmer’s Notepad for all my text work):
<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="CERTIFICATE THUMBPRINT">
        <parm name="EncodedCertificate" value="CERTIFICATE TEXT"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
After we have the basic XML created, we want to save it as _setup.xml in our C:\CABS directory.
Before we close our MMC Console, we want to double-click on the certificate we want to export. Next, click on the Details tab, and scroll down until you find the Thumbprint.
Click on Thumbprint and copy the hex value into your text editor. Remove all spaces from the thumbprint you copied, and add it to _setup.xml as demonstrated below.
<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="85371ca6e550143dce2803471bde3a09e8fxxxxx">
        <parm name="EncodedCertificate" value="CERTIFICATE TEXT"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
Now, we need to open the CER file that we exported earlier. The text will look something like this:
-----BEGIN CERTIFICATE-----
[Base-64 certificate body, many lines of text]
-----END CERTIFICATE-----
We need to remove the BEGIN CERTIFICATE and END CERTIFICATE lines from this text. After that, remove all line breaks so that the data becomes a single continuous string. Then put that single string into the appropriate location in our _setup.xml file. Your finished file should look similar to the following:
<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="85371ca6e550143dce2803471bde3a09e8fxxxxx">
        <parm name="EncodedCertificate" value="[Base-64 certificate body, one continuous line]"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
Simple so far, isn't it? It's a little tedious to gather the data we need, but trust me, the end result will make it all worthwhile.
After we've saved our finished _setup.xml file, we need to open a command prompt and navigate to our C:\CABS directory. Once there, simply type: MAKECAB _setup.xml <yourcertnamehere>.cab
Now that we have a CAB file, simply transfer it to the offending phone and open it. You should be prompted to add the certificate, which of course you want to do.
After you have installed all necessary certificates (I had to install 2 for VeriSign), just open your ActiveSync configuration, make sure SSL encryption is enabled, save the configuration, and then attempt to synchronize.
If you followed the steps above properly, and imported the appropriate certificates, you should now be able to synchronize with your Exchange server without any problems.
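As an added example (not part of the original post), the following Python script automates the tedious middle of this procedure: it strips the Base-64 .CER export down to one continuous line, computes the thumbprint (the SHA-1 of the DER bytes, which is the value MMC shows) and writes a well-formed _setup.xml, then re-checks that the thumbprint named in the document matches the certificate it actually carries. The certificate bytes are a constructed stand-in, not a real certificate; the function names are my own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for an exported Base-64 .CER file. The bytes are NOT a
# real X.509 certificate; they only exercise the stripping and hashing steps.
FAKE_DER = b"constructed stand-in for DER certificate bytes; not a real X.509 certificate"
SAMPLE_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_CER = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

def pem_body(cert_text: str) -> str:
    """Drop the BEGIN/END lines and every line break: one continuous Base-64 string."""
    lines = (ln.strip() for ln in cert_text.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def thumbprint(der: bytes) -> str:
    """MMC's Thumbprint is the SHA-1 of the DER bytes, wanted here as lowercase hex, no spaces."""
    return hashlib.sha1(der).hexdigest()

def build_setup_xml(cert_text: str) -> str:
    """Emit _setup.xml for one root cert, deriving the thumbprint from the cert itself."""
    body = pem_body(cert_text)
    der = base64.b64decode(body, validate=True)  # a mangled paste fails here, not on the phone
    doc = ET.Element("wap-provisioningdoc")
    store = ET.SubElement(doc, "characteristic", type="CertificateStore")
    root = ET.SubElement(store, "characteristic", type="ROOT")
    cert = ET.SubElement(root, "characteristic", type=thumbprint(der))
    ET.SubElement(cert, "parm", name="EncodedCertificate", value=body)
    return ET.tostring(doc, encoding="unicode")

def check_setup_xml(setup_xml: str) -> bool:
    """Re-derive each thumbprint from EncodedCertificate and compare it with the
    characteristic type, so the CAB installs exactly the root you chose."""
    path = "characteristic[@type='CertificateStore']/characteristic[@type='ROOT']/characteristic"
    certs = ET.fromstring(setup_xml).findall(path)
    for cert in certs:
        parm = cert.find("parm[@name='EncodedCertificate']")
        if parm is None or parm.get("value") is None:
            return False
        if cert.get("type", "").lower() != thumbprint(base64.b64decode(parm.get("value"), validate=True)):
            return False
    return bool(certs)  # False when the document carries no certificate at all

if __name__ == "__main__":  # on Windows, follow with: MAKECAB _setup.xml <yourcertnamehere>.cab
    doc = build_setup_xml(SAMPLE_CER)
    print(doc, "\nthumbprint consistent:", check_setup_xml(doc))
```

Run it against your real cert.cer by passing the file's contents to build_setup_xml and writing the result to C:\CABS\_setup.xml before the MAKECAB step.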