Windows Mobile SSL Certificates
Configuring Security Enhanced Communication on Exchange Server 2003 SP2 or 2007 with Windows Mobile Powered Devices

White Paper
Published: May 2007
For the latest information, please see

Abstract

This paper describes how trust is established on the Web through Certificate Authorities, how digital certificates help establish that trust, and how Secure Sockets Layer (SSL) relies on certificates to function. Windows Mobile powered devices use SSL to enhance communication security. The paper then refocuses on how to set up security enhanced communications between Exchange and mobile devices by obtaining and installing digital certificates. It covers both Exchange Server 2003 SP2 and Exchange Server 2007, and includes both Windows Mobile 5.0 and Windows Mobile 6 powered devices.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred.

Microsoft, ActiveSync, Outlook, Windows, Windows Mobile, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents

Overview
Secure Certificates and Certificate Authorities
  What is SSL?
  How does SSL work?
  What is a Certificate Authority?
  Root, Intermediate and Self-Signed Certificates
Exchange Server 2007 and 2003 Communication with Mobile Clients
Installing SSL with Exchange ActiveSync
  Step 1 - Obtaining and Installing Certificates on the Exchange Server
  Step 2 - Obtaining and Installing Certificates on Windows Mobile Devices
Summary
Appendix A - Examining Pre-installed Certificate Authorities on Windows Mobile Devices
Appendix B - Exporting Root Certificate
Appendix C - Root Certificate Installation on Specific Devices and Mobile Operators
Appendix D - Common Troubleshooting Scenarios
Overview

Mobile devices provide an important way to access corporate messaging services such as Microsoft Exchange while users are on the go. Since most of the information that passes through the Exchange Server (e-mail, calendar, and contacts) is sensitive, it is important to secure communications between the mobile clients and the server. This is accomplished through Secure Sockets Layer (SSL) technology. SSL relies on digital certificates to authenticate the server and to encrypt the communications channel between the Exchange Server and the mobile device.

In this white paper, you will first get an overview of how trust is established on the Web through Certificate Authorities, how digital certificates help establish that trust, and how SSL relies on certificates to function. With that as background, we will then switch gears and look at how to set up security enhanced communications between Exchange and mobile devices by obtaining and installing digital certificates. The paper covers both Exchange Server 2003 SP2 and Exchange Server 2007, and the discussion includes both Windows Mobile 5.0 and Windows Mobile 6 powered devices.

Secure Certificates and Certificate Authorities

What is SSL?

SSL stands for Secure Sockets Layer, and it refers to technology that helps secure communication over the Internet. When a browser connects to a merchant over SSL, it first verifies the merchant's identity; after that, all information sent between the customer and the merchant is encrypted. Encryption scrambles the message into a form that only the two endpoints can decipher; an attacker who intercepts the traffic cannot read it. SSL is the de facto standard for online banking and other security enhanced communications, and most banks use it to protect sensitive communications with their clients.

SSL uses certificates to authenticate the server and to set up the encryption. SSL certificates have two roles:

1. To verify the identity of the server, to prevent spoofing (faking the server's identity). In this role a digital certificate is analogous to an identification document or a signature, as we will see below.
2. Once identity is validated, to help secure communications between the two parties by establishing the key used to encrypt the communication.

When communication with a website is secured with SSL, the browser provides some indication that SSL is in place. Most browsers display a closed padlock icon to indicate an active SSL link, and the address of the site begins with the https:// prefix.

How does SSL work?

SSL works using something similar to a special type of lock that has two keys. If an open lock is closed using key A, only key B can unlock it. Alternatively, if the lock is locked with key B, only key A unlocks it. One of the keys is called the Public Key, and the other the Private Key. The public key can be given out to anybody, but the private key is known only to its owner. Let's examine the two roles played by SSL certificates and how this lock models them.

1. Verify identity of the server. Suppose we have two parties, Bob, a banking customer, and Matilda, who runs an online bank. Bob visits Matilda's bank and wants to check his balance. However, before entering his account password, Bob wants to make sure he is in fact communicating with Matilda's bank. Matilda likewise is afraid that somebody else might spoof her bank and compromise her clients. Matilda can use the private/public key system to prove that she is in fact the online bank (see Figure 1). She creates a message (e.g. a page asking for the password), puts it into a chest with the special lock, and locks it with her own private key (key B). Anybody who gets access to the chest can open it using Matilda's public key (key A), and they know for a fact that Matilda was the sender, since she is the only one who has the private key that locked it. Nobody else can fake a message from Matilda, since spoofing it would require knowing her private key. Bob now knows that he is in fact communicating with Matilda.

[Figure 1: Verify identity. Matilda closes the lock with her private key; Bob opens it with Matilda's public key.]

2. Secure communications. Now, let's say that Bob requests his account balance. In this case, Matilda wants to secure the communications channel and guarantee that only Bob can read the account balance. Matilda puts the message into a chest with the special lock and closes it with Bob's public key, which many people have, including Matilda. Now, if somebody intercepts the chest, they cannot open it, since they don't have the private key for the lock. Only Bob can open the lock, since he alone has the private key. The communications channel is thus secured (see Figure 2).

[Figure 2: Secure communications. Matilda closes the lock with Bob's public key; Bob opens it with his private key.]

SSL works very similarly to the special lock described above. When a certificate is created, a public and private key pair is generated. The keys are stored as very long numbers that are infeasible to guess or to derive from one another. One key (the private key) is kept by the entity requesting the certificate and stored locally, protected from disclosure; the other (the public key) is published for all to see. Encryption algorithms use those numbers to create the equivalent of the special lock, and thus help secure communications between people. In practice, only the server normally holds a certificate: the client uses the server's public key to verify its identity and to agree on a fresh symmetric session key, and it is that session key, not the public-key lock itself, that encrypts the bulk of the traffic.

What is a Certificate Authority?

Using public/private key pairs we can validate that only the entity holding a given private key could have authored the information we receive. However, what assurance do we have that an entity claiming to be our bank is in fact our bank? How do we know that the public key actually belongs to our bank? We have two choices:

- Simply trust the claim. This approach is problematic, since a malicious person can present a public key claiming to be our bank and obtain sensitive information. The communication would be encrypted, but with the wrong party.
- Verify that the key really does belong to the bank. If the key were a signature on a document, we would want the services of a Notary Public or other impartial witness who can verify the identity of the person signing.

Verification of keys is where Certificate Authorities come into play. A Certificate Authority (CA) is a trusted third party that issues digital certificates. CAs typically verify that the party requesting a digital certificate for a resource does in fact own or manage that resource. In real life, this is analogous to being issued a driver's license. The jurisdiction that issues a license to an individual has procedures in place to validate that person's identity.
After the license is issued by a trusted source, the person can use the issued license for identification. The license is backed up by the trust of the local government agency that issued the license, which acts as the Certificate Authority.
When a business needs an SSL certificate, it goes to one of the Certificate Authorities and asks for an SSL certificate to be created. The Certificate Authorities have procedures in place to make sure that the person making the request is in fact a true representative of that company. After this validation process is completed, the certificate is issued. An SSL certificate can contain the following information:

- The certificate holder's name
- Certificate serial number
- Expiration date, after which the certificate is no longer valid
- Copy of the certificate holder's public key
- Digital signature of the issuing Certificate Authority
- Location of the CA's Certificate Revocation List (CRL), which allows checking whether a certificate has been recalled by the Certificate Authority

The certificate is signed with the CA's private key. Using the CA's public key, the business, or its clients, can verify that the certificate really did come from the Certificate Authority, and that no one else could have created it. However, in order for somebody to trust the authority, that person first needs to know of the existence of that authority. Nobody would accept a passport from a country called Contoso, for example, because such a country does not exist. Similarly, in order for a computer to trust a specific Certificate Authority, it needs to be told that the Certificate Authority is a valid authority. This is done by placing the root certificate (see below) of the CA into the trusted root certificate store on the client.
[Figure 3: Establishing trust using a CA as trusted third party. The CA's root certificate is installed on both the client and the server; the server's SSL certificate is signed by the CA, and the client trusts it because it trusts the CA.]

To illustrate the concept further, let's examine the example in Figure 3. We have a server and a client that need to trust each other. That means they both need to recognize the Certificate Authority. That is accomplished by installing the CA's root certificate into both the client and server root certificate stores. A root certificate store is a special place that holds the CAs that a computer knows about and trusts. Placing a certificate into the respective root stores of the client and the server establishes two trust relationships: one between the client and the CA, and another between the server and the CA. When the CA issues a certificate, signs it using its private key, and the certificate is installed on the server, the client can verify that it was in fact signed by the CA using the root certificate's public key. This way, the client knows it can trust the claims made by the certificate. In practice, Windows Server 2003 comes with the most common root CAs pre-installed, so most of the time installing the root CA on the server is not necessary.

Root, Intermediate and Self-Signed Certificates

To stretch our analogy somewhat, in the real world we use a chain of trust. The reason we trust a particular state is either because we know it well ourselves, or because somebody else we trust (i.e. the federal government) certifies that the state is trustworthy. We therefore trust the local government because it is certified by the state government, which in turn is certified by the federal government. When accepting a license issued by the local government, we are ultimately relying on the authority of the federal government, since our trust chains back to it.

On the Web, this is called certificate chaining. The root CA is like the federal government, and the CAs in the middle are called intermediate Certificate Authorities. They are the CAs in between a server certificate and a trusted root Certificate Authority, allowing the chain of trust to be established between a certificate and the root CA. Figure 4 illustrates this. The Exchange Server communicates with the device using its SSL certificate, which is signed by the intermediate CA, whose certificate is in turn signed by the root CA. The root CA certificate is self-signed. The Windows Mobile device needs to have both the root certificate and the intermediate certificate available in order to trust the Exchange certificate: either both are installed on the device, or the device has a way to obtain the intermediate certificate and check that it is certified by a root CA the device trusts.

[Figure 4: Certificate chaining. Root CA (root certificate) -> Intermediate CA -> Exchange Server (enrolled certificate); the Windows Mobile device holds the root certificate.]

Certificate Authorities issue their own root certificates. Root certificates are a crucial component of trust on the Internet. When a user goes to an SSL-secured website (e.g. a shopping cart in an online store) the server sends its certificate. The client deems the server trustworthy if the server certificate chains back to a root certificate that is in the trusted root certificate store of the client's computer. If that is not the case, the user sees the "This site is not trusted. Do you want to proceed (yes/no)?" dialog. The root certificates are owned by CA vendors like VeriSign, Thawte and ValiCert (used by GoDaddy.com).
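The two roles of the key pair described above, and the way a device walks a chain back to its root store, can be exercised in a few lines of Python. The following is an added example written for this edition of the paper, not code from the original paper or from Microsoft. It uses a deliberately tiny toy RSA (no padding, roughly 41-bit moduli) so that it runs offline; the "Contoso" CA and server names are hypothetical. It signs certificates the way a CA does (over the subject's public key only, which is all a certificate request carries), then checks a chain the way the root store check does, and reproduces each failure the text describes: an intermediate that is missing, a root that is not in the device's store, a self-signed certificate that is trusted only once it has itself been installed as a root, and an impostor certificate that carries the right names but a signature the CA never made.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
Key = Tuple[int, int]  # (exponent, modulus)

def _next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for the toy sizes used here)."""
    while not (n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))):
        n += 1
    return n

def make_keypair(seed: int) -> Tuple[Key, Key]:
    """Toy RSA pair (public, private); real keys are 2048-bit and use padding."""
    p, q = _next_prime(1_000_003 + seed), _next_prime(2_000_003 + seed)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e = _next_prime(e + 2)
    return (e, n), (pow(e, -1, phi), n)

def _hash_mod(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private: Key, data: bytes) -> int:
    """Role 1 (identity): lock with the private key ..."""
    d, n = private
    return pow(_hash_mod(data, n), d, n)

def verify(public: Key, data: bytes, sig: int) -> bool:
    """... and anyone with the public key can open it and confirm who locked it."""
    e, n = public
    return pow(sig, e, n) == _hash_mod(data, n)

def encrypt(public: Key, m: int) -> int:
    """Role 2 (secrecy): lock with the public key; only the private key opens it."""
    return pow(m, public[0], public[1])

def decrypt(private: Key, c: int) -> int:
    return pow(c, private[0], private[1])

@dataclass
class Cert:
    subject: str
    public: Key
    issuer: str
    is_ca: bool
    signature: int = 0

    def tbs(self) -> bytes:
        """The fields the issuer's signature covers ('to be signed')."""
        return f"{self.subject}|{self.public}|{self.issuer}|{self.is_ca}".encode()

def issue(issuer: Optional[Cert], issuer_private: Key, subject: str,
          subject_public: Key, is_ca: bool = False) -> Cert:
    """The CA signs the subject's public key only; as with a CSR, the subject's
    private key never leaves its owner. issuer=None produces a self-signed root."""
    cert = Cert(subject, subject_public, issuer.subject if issuer else subject, is_ca)
    cert.signature = sign(issuer_private, cert.tbs())
    return cert

def verify_chain(leaf: Cert, supplied: List[Cert], root_store: List[Cert]) -> Tuple[bool, str]:
    """Walk leaf -> issuer -> ... until the issuer is in the device's root store.
    'supplied' holds intermediates the server sent or the device has installed.
    Trust comes from the root's presence in the store, never from its self-signature."""
    roots = {c.subject: c for c in root_store}
    extras = {c.subject: c for c in supplied}
    cert, path = leaf, [leaf.subject]
    for _ in range(8):  # bounded depth
        issuer = roots.get(cert.issuer) or extras.get(cert.issuer)
        if issuer is None:
            return False, f"no certificate for issuer {cert.issuer!r}; chain cannot be built"
        if not verify(issuer.public, cert.tbs(), cert.signature):
            return False, f"signature on {cert.subject!r} does not verify"
        if issuer.subject in roots:
            return True, " -> ".join(path + [issuer.subject])
        if not issuer.is_ca:
            return False, f"{issuer.subject!r} is not a CA"
        cert, path = issuer, path + [issuer.subject]
    return False, "chain too long"

def demo() -> Dict[str, bool]:
    # Constructed scenarios with hypothetical "Contoso" CAs and server names.
    root_pub, root_priv = make_keypair(0)
    root = issue(None, root_priv, "Contoso Root CA", root_pub, is_ca=True)
    ica_pub, ica_priv = make_keypair(10)
    ica = issue(root, root_priv, "Contoso Issuing CA", ica_pub, is_ca=True)
    srv_pub, srv_priv = make_keypair(20)
    server = issue(ica, ica_priv, "mail.contoso.com", srv_pub)
    selfsigned = issue(None, srv_priv, "mail.contoso.com", srv_pub)
    bad_pub, bad_priv = make_keypair(30)  # impostor: knows the names, not the CA key
    fake = Cert("mail.contoso.com", bad_pub, "Contoso Issuing CA", False)
    fake.signature = sign(bad_priv, fake.tbs())
    wrapped = encrypt(server.public, 0xC0FFEE)  # role 2: client wraps a session key
    return {
        "root_installed_and_intermediate_present": verify_chain(server, [ica], [root])[0],
        "intermediate_missing": verify_chain(server, [], [root])[0],
        "root_not_in_device_store": verify_chain(server, [ica], [])[0],
        "impostor_certificate": verify_chain(fake, [ica], [root])[0],
        "self_signed_not_installed": verify_chain(selfsigned, [], [])[0],
        "self_signed_installed_as_root": verify_chain(selfsigned, [], [selfsigned])[0],
        "session_key_round_trip": decrypt(srv_priv, wrapped) == 0xC0FFEE,
    }
```

Two details carry over to real deployments: the root certificate's own signature proves nothing (anyone can self-sign), so `verify_chain` returns success only when the issuer it reached is already in the store; and the impostor fails not because of the names it carries but because the signature over those names was not made with the issuing CA's private key.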
The business model of the CAs is to make money by issuing certificates chained to their root. It is crucial to their business that their roots are present in as many OS platforms as possible, so they see OS vendors like Microsoft as valuable partners. As an operating system vendor, Microsoft ensures that only trustworthy root certificates are added to the platform out of the box. The decision making process we follow to determine the list of eligible root certificates is fair, objective and unbiased. Windows has had a root certificate program in place for some time.

In addition to businesses that issue certificates, companies can themselves become Certificate Authorities by using software that allows them to issue certificates, for example Microsoft Certificate Services. In that case the company has to provide a root certificate that it signs itself, a self-signed certificate. This way, the company is asking other entities to trust the certificates that the company issues. For this to work, the self-signed root certificate has to be made trusted by adding it to the root certificate stores of the clients that will communicate with servers using certificates issued by the company. In most cases, self-signed certificates are used for internal company applications rather than public facing applications. Another configuration that some companies use is setting up their own issuing intermediate Certificate Authority that is certified by one of the major certificate vendors and thus chains back to them. This allows them to decrease costs while still relying on a well-known CA.

Some well known Certificate Authorities have their root certificates included with Windows Mobile 5.0 with Messaging and Security Feature Pack (MSFP) and Windows Mobile 6, and are thus supported out of the box (see Table 1 below). Therefore, mobile devices running those operating systems will automatically trust digital certificates signed by those providers.

Exchange Server 2007 and 2003 Communication with Mobile Clients

Exchange 2003 front-end servers and the equivalent Client Access servers in Exchange 2007 use Internet Information Services (IIS) to communicate with clients over HTTPS (port 443). In order to make this communication more secure, the IIS server must have a valid SSL certificate. All Exchange services reside on the same IIS site and thus can use the same certificate. If the IIS site already uses a certificate for one of the other Exchange services, the certificate can also be reused for Exchange ActiveSync. There are four services that can be secured over SSL, and each is accessible through a different URL (virtual directory) on the Exchange server:

1. Exchange ActiveSync (/Microsoft-Server-ActiveSync virtual directory in IIS): the primary protocol for connecting mobile devices to Exchange; it supports Direct Push. Allows the Outlook client on a mobile device to connect to Exchange over the air, or through a desktop ActiveSync connection.
2. Outlook Mobile Access (/OMA virtual directory in IIS): allows mobile devices to access Exchange information through a browser. Similar to Outlook Web Access, but for mobile devices. Outlook Mobile Access is no longer available in Exchange Server 2007.
3. Outlook Web Access (/Exchange virtual directory in IIS): allows users to get access to their e-mail and other information through a web browser.
4. RPC over HTTPS (/RPC virtual directory in IIS): allows Outlook clients to connect to Exchange from anywhere on the Internet.

Exchange ActiveSync is the primary communication technology with mobile clients in both versions of Exchange. In order for the communications to work, the mobile device needs to be able to trust the certificate presented by the server. This trust between the mobile device and the Exchange server is established through the mobile client recognizing the Certificate Authority that signed the Exchange Server's certificate. If the certificate used by the server is issued by a Certificate Authority that is included with Windows Mobile, the device will trust it. However, if the certificate is from another Certificate Authority, or is self-signed (meaning that the company is acting as its own root Certificate Authority), then the CA's certificate must be added to the device's trusted root store (see instructions below).

Wildcard certificates allow issuing a certificate at the domain level, meaning the same certificate (e.g. one issued for *.yourdomain.com) can be used for mail.yourdomain.com and any other host in that domain. Windows Mobile 5.0 devices do not support wildcard certificates, so in deployments with multiple front-end Exchange servers, separate SSL certificates need to be obtained for each server if you are planning to use Windows Mobile 5.0 devices. Windows Mobile 6 supports wildcard certificates, so the same wildcard certificate can be used on multiple front-end servers.
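Whether a device accepts the server's certificate depends not only on the chain but on the name in it matching the name the device connected to. The following is an added example, not part of the original paper: a Python version of that name check, so the rules can be tried against the names planned for a deployment before certificates are bought. It implements the exact match, the one-label wildcard rule (a `*.yourdomain.com` certificate covers `mail.yourdomain.com` but neither `yourdomain.com` itself nor a deeper `a.b.yourdomain.com`), and Windows Mobile 5.0's refusal of wildcard names; the host names and the "wm5"/"wm6" labels are constructed for the example.

```python
from typing import Iterable, List, Tuple

def name_matches(cert_name: str, hostname: str, allow_wildcard: bool = True) -> bool:
    """Does a name in the certificate cover the host the device connected to?
    Case-insensitive, trailing dot ignored. allow_wildcard=False models
    Windows Mobile 5.0, which does not accept '*.' names at all."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name == hostname:
        return True
    if not cert_name.startswith("*.") or not allow_wildcard:
        return False
    suffix = cert_name[1:]                      # "*.contoso.com" -> ".contoso.com"
    if suffix.count(".") < 2:                   # refuse "*.com"-style wildcards
        return False
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    # exactly one label: never the bare domain, never a deeper subdomain
    return bool(label) and "." not in label

def certificate_covers(cert_names: Iterable[str], hostname: str,
                       allow_wildcard: bool = True) -> bool:
    """A certificate may carry several names (the common name plus subject
    alternative names); the host is covered if any one of them matches."""
    return any(name_matches(n, hostname, allow_wildcard) for n in cert_names)

def plan_check(cert_names: List[str],
               devices: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Hypothetical deployment check: devices is a list of (os, hostname) pairs,
    os being 'wm5' or 'wm6'. Returns the pairs whose connection would fail the
    name check, so the certificate names can be fixed before rollout."""
    failures = []
    for os_name, host in devices:
        if not certificate_covers(cert_names, host, allow_wildcard=(os_name != "wm5")):
            failures.append((os_name, host))
    return failures
```

The last case in the test below is the one the enrollment note later in this paper warns about: a certificate issued for the server's internal name does not cover the public name devices actually use, so the device rejects it even though the chain is perfectly good.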
Note: While communication without security is possible using plain HTTP (port 80), Microsoft strongly recommends using SSL between mobile devices and Exchange Server. Over plain HTTP the user's credentials (Exchange ActiveSync uses Basic authentication) and mailbox data are exposed to anyone on the network path.

Installing SSL with Exchange ActiveSync

In order to get SSL working, there are two general steps:

1. Obtain and install all necessary certificates on the Exchange Server.
2. Install any necessary root certificates on the Windows Mobile devices. (Optional: only needed if one of the out-of-the-box Certificate Authorities is NOT used to obtain the certificate in step 1.)

Step 1 - Obtaining and Installing Certificates on the Exchange Server
Step 1A - Selecting a Certificate Authority

There are many options for certificate authorities. Their service fees can range from less than thirty to a few thousand dollars per year, depending on the level of service you require. Windows Mobile devices include a number of trusted Certificate Authority root certificates out of the box (see Table 1). The included CAs' root certificates are pre-installed into the root certificate store on the devices, which therefore trust certificates signed by those CAs. You may want to consider obtaining a new certificate from one of the CAs in the table below, as that will eliminate the need to install a new root certificate on each device.

Table 1 - Root certificates pre-installed on Windows Mobile 5.0 and Windows Mobile 6 based devices

Root certificate                                              | Windows Mobile 5.0 | Windows Mobile 6
--------------------------------------------------------------|--------------------|-----------------
Class 2 Public Primary Certificate Authority (VeriSign, Inc.) | X                  | X
Class 3 Public Primary Certificate Authority (VeriSign, Inc.) | X                  | X
Entrust.net Certificate Authority (2048)                      | X                  | X
Entrust.net Secure Server Certificate Authority               | X                  | X
Equifax Secure Certificate Authority                          | X                  | X
GlobalSign Root CA                                            | X                  | X
GTE CyberTrust Global Root                                    | X                  | X
GTE CyberTrust Root                                           | †                  | †
Secure Server Certificate Authority (RSA)                     | X                  | X
Thawte Premium Server CA                                      | X                  | X
Thawte Server CA                                              | X                  | X
ValiCert (used by GoDaddy.com)                                | X *                | X
Starfield Class 2 Certificate Authority                       |                    | X
Go Daddy Class 2 Certificate Authority                        |                    | X
GeoTrust Global CA                                            |                    | X
Baltimore CyberTrust Root                                     |                    | X
AddTrust External CA Root                                     |                    | X
AAA Certificate Services                                      |                    | X

* Windows Mobile 5.0 with Messaging and Security Feature Pack (MSFP) only.
† Listed for only one of the two versions; the source table does not make clear which.

Note: Some device manufacturers may add or remove the provided certificates for particular Windows Mobile installations. See Appendix A for instructions on how to check the out-of-the-box certificates provided by your manufacturer.
If you are already using an SSL certificate on your front-end Exchange 2003 server (Client Access server in 2007), you can reuse the certificate for Exchange ActiveSync. As explained above, if the certificate you are using has been issued by one of the out-of-the-box CAs, your mobile devices already trust the Certificate Authority that signed the certificate. You don't need to install any additional certificates on your mobile devices, should now be able to test Exchange ActiveSync connectivity, and can skip the following steps. If you are not using one of the out-of-the-box providers and the number of devices that you are managing is large, you may want to consider obtaining a new certificate from one of the CAs on the list, as that will eliminate the need to touch each device.

Windows Mobile 5.0 and 6 support any certificate authority, provided its root certificate is installed on the mobile device. However, some device manufacturers or mobile operators restrict the ability to add root certificates to Windows Mobile devices in order to provide an additional layer of security: adding a root certificate makes the device trust every certificate that CA issues, so it is a privileged operation. Adding root certificates may require a special application. The application runs using the manager role, which allows writing to the registry and other restricted operations. For devices that do restrict the ability to install new certificates, a tool signed by the device manufacturer or mobile operator is required. Some manufacturers do not allow installing root certificates at all; in that case only the out-of-the-box CAs are trusted by the devices. If you decide to use a CA not supported out of the box, check that the devices you are planning to use allow installing root certificates. Please see Appendix C for more information.

Step 1B - Certificate Enrollment

Once you select your Certificate Authority, you will need to enroll for a certificate. Enrolling means that you submit a request from your web server to a CA to be approved and signed, so that an SSL certificate can be issued.
This request includes the server name you are planning to use and a public key. The enrollment process associates your public key with a digital certificate that will allow users to validate your identity. This is similar to providing your address to a motor vehicles agency; you are making claims about where you live, which will be verified before an identification document is issued.

The enrollment process starts with generating a request from your web server (step 1 in Figure 5), which includes its identifying information. The IIS server generates a file called a Certificate Signing Request (CSR) that is used when obtaining the SSL certificate from the CA. When the CSR is generated, the server creates a public/private key pair and stores the private key on the server; the private key never leaves the server and is not part of the request. The CSR includes the public key. When it is submitted to the Certificate Authority, the CA uses the CSR to generate the SSL certificate and signs the certificate with the CA's own private key. The Certificate Authority is responsible for validating the request and issuing a certificate. As part of the validation process, the CA may request supporting documentation to prove that you are authorized to make requests on behalf of your company and your domain name (step 2 in Figure 5).

[Figure 5: Enrollment process and establishing trust on the mobile device. 1. Server generates CSR; 2. CA performs verification and enrolls the certificate; 3. Enrolled certificate installed on the server (which holds the CA's root certificate); 4. CA root certificate installed on the device.]

For instructions on how to create the certificate request in IIS, please see the section "Obtaining and Installing a Server Certificate" in the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2. This procedure is the same for Exchange Server 2003 and 2007. That guide uses Microsoft Certificate Services to obtain an SSL certificate, but other Certificate Authorities use a similar process.

Note: The name that you register the server under MUST match the server name that the clients will use, so remember to register the fully qualified domain name that devices connect to from the Internet (e.g. mail.contoso.com), not the server's internal name.

Step 1C - Installing the SSL Certificate on the Exchange Server

After validating the certificate request, the Certificate Authority will issue the digital certificate as a file. You will need to import that file into the IIS web site that Exchange runs under. This connects the newly issued certificate to the private key that was generated by IIS when the CSR was created (step 3 in Figure 5). The certificate must therefore be imported on the same server, and into the same IIS web site, that generated the CSR, because only that server holds the matching private key. For instructions on how to install the certificate on an Exchange 2003 front-end server or Exchange 2007 Client Access server, please see the section "To install the certificate" in the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2.
Note: If your certificate provider uses an intermediate CA, you will need to install the intermediate CA's certificate on the Exchange Server to allow for certificate chaining. For instructions on installing intermediate certificates please see Appendix D. Of the out-of-the-box CAs, GoDaddy.com requires intermediate CAs.

Step 2 - Obtaining and Installing Certificates on Windows Mobile Devices

Windows Mobile will work with any Certificate Authority, public or private (self-signed). If you used an SSL certificate issued by a Certificate Authority supported out of the box by the OS, you do not need to perform this step, as your device should already trust the CA that issued the Exchange Server's digital certificate. However, if your SSL certificate is not from one of the providers supported out of the box, you will need to deploy the root certificate of your CA on each of the Windows Mobile devices you are planning to use with Exchange ActiveSync. This process makes each device trust the Certificate Authority that issued your certificate, and thus trust the certificates it issues.

Step 2A - Export the Certificate from the Exchange Server

First, you need to export the root certificate of the Certificate Authority you used. Please see Appendix B for detailed instructions. You will obtain a .cer file, which contains the digital certificate and the public key of the Certificate Authority. This relates to the discussion about private and public keys above: in order to ascertain that a certificate was issued (signed) by a CA, we need to be able to verify a signature made with the CA's private key, and we can do that using the CA's public key. The .cer file contains that public key, and we are about to distribute it to our mobile devices.

Step 2B - Adding a Root CA to Windows Mobile 5.0 or Windows Mobile 6 Devices

Now that you have the certificate file, you need to install it on each device (step 4 in Figure 5). The .cer file contains only public information, so it is safe to hand out to your users. Bear in mind, however, that installing a root certificate makes the device trust every certificate that CA issues: an attacker who can substitute their own .cer file (for example as an e-mail attachment) can get the device to trust a CA they control and then intercept its SSL traffic. Deliver the file through a channel you control, and ask users to compare the certificate's thumbprint shown on the device against the one you publish before they confirm the install.

1. Copy the .cer file to the Windows Mobile device. The certificate file can be delivered to the device via desktop ActiveSync, a removable storage card, or a Mobile Internet Explorer file download. Windows Mobile 6 Professional devices also allow download from a file share: File Explorer can connect to the file share and copy the certificate to your device.
2. On the Windows Mobile device, open File Explorer.
3. Locate the .cer file and open it.
4. If you are prompted that you are about to install a certificate, select Yes to continue.

At this point, you should be able to synchronize your Windows Mobile devices with Exchange ActiveSync.

Note: For Windows Mobile 5.0 Pocket PC devices: If you receive the alert "Security permission was insufficient to update your device.", please contact your device manufacturer.

Note: For Windows Mobile 5.0 Smartphone devices: If you receive the alert "Security permission was insufficient to update your device.", you will need to follow additional steps to install the root certificate on your device, if your device supports it. Please see Appendix C for additional instructions.
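The file exported in Appendix B is DER-encoded, but a root certificate obtained from a vendor is often Base64 (PEM) text instead, and a download interrupted on the device can leave a truncated file. The following is an added example, not from the original paper: a small Python helper that normalises either encoding to the DER bytes, rejects a file whose DER length header disagrees with its actual size, and produces the SHA-1 thumbprint in the layout the Windows certificate dialog shows, so that the value can be published and compared against the device's certificate details before a user confirms the install. `SAMPLE_DER` is a constructed DER sequence standing in for a real certificate so the example runs offline; replace it with the bytes of an exported .cer file.

```python
import base64
import hashlib
from typing import Tuple

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

def der_total_length(der: bytes) -> int:
    """Size the outer SEQUENCE claims, header included, from its DER length octets."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: first byte should be 0x30")
    first = der[1]
    if first < 0x80:                          # short form: one length byte
        return 2 + first
    count = first & 0x7F                      # long form: 'count' length bytes follow
    if count == 0 or len(der) < 2 + count:    # 0x80 (indefinite) is not valid DER
        raise ValueError("malformed DER length")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")

def pem_to_der(pem: bytes) -> bytes:
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM certificate")
    b64 = b"".join(body[len(PEM_HEADER):-len(PEM_FOOTER)].split())
    return base64.b64decode(b64, validate=True)

def der_to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + b"\n"

def to_device_cer(data: bytes) -> bytes:
    """Normalise an exported or downloaded file to DER bytes, refusing a file
    whose length does not match its DER header (truncated or padded)."""
    der = pem_to_der(data) if data.lstrip().startswith(PEM_HEADER) else data
    claimed = der_total_length(der)
    if claimed != len(der):
        raise ValueError(f"length mismatch: DER header says {claimed} bytes, file has {len(der)}")
    return der

def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, spaced like the Thumbprint field in the
    Windows certificate dialog, for comparison on the device."""
    hexdigest = hashlib.sha1(der).hexdigest()
    return " ".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def check_cer_file(data: bytes) -> Tuple[bool, str]:
    """Administrator's report: (True, thumbprint) or (False, why the file is unusable)."""
    try:
        der = to_device_cer(data)
    except ValueError as exc:
        return False, str(exc)
    return True, thumbprint(der)

# Constructed stand-in: a DER SEQUENCE of two INTEGERs, not a real certificate.
SAMPLE_DER = bytes.fromhex("3006 020101 020102")
```

The length check is the part worth keeping: a Windows Mobile device that is handed half a certificate file gives no useful error, and the DER header is the only place the file states how long it should be.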
Note: For Windows Mobile 5.0 devices: If you or your certificate vendor are using an intermediate CA, follow the separate instruct
ions for installing intermediate CAs on Windows Mobile 5.0. Windows Mobile 6 supports intermediate certificates out of the box, so the procedure for installing them is the same as for root certificates. For more information please see "How to Install root certificates on a Windows Mobile-based device".

Summary

This white paper examined the fundamental concepts underlying SSL and digital certificates. You learned how digital certificates and SSL are used to validate identity and secure the communication channel. The text discussed the role of trust and how trust is established between Exchange Server and mobile devices through the use of trusted third parties (Certificate Authorities). Installing SSL certificates and establishing trust between the mobile devices, the Exchange Server and the Certificate Authority is an important step in making the connection more secure. You should now have the background you need to enable your mobile users to use corporate messaging services.
Appendix A - Examining pre-installed certificate authorities on Windows Mobile devices
To find out which certificates are pre-installed on your mobile device, follow these steps:
1. On your mobile device, go to Start Menu -> Settings.
2. Select the System tab, and click Certificates.
3. Click the Root tab, and browse through the root certificates installed on your device. You can also examine any intermediate certificates by clicking the Intermediate tab (Windows Mobile 6 only).
4. To view more details about a certificate, click on the certificate in the list.
Appendix B - Exporting the Root Certificate
To export the root certificate, follow this procedure on the front-end Exchange 2003 server or the Exchange 2007 Client Access Server. You need to open Certificate Manager, a snap-in that allows you to view and manage the certificates installed on the computer. Follow the instructions below to add Certificate Manager to the Microsoft Management Console:
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add/Remove Snap-in box, click Add.
4. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
5. Click Computer account, and then click Next.
6. Click the Local computer (the computer this console is running on) option, and then click Finish.
7. Click Close, and then click OK.
To export a certificate:
8. Expand the Certificates (Local Computer) folder, then the Trusted Root Certification Authorities folder, and then select Certificates.
9. In the results pane, find the root certificate of your Certificate Authority and right-click it. Click All Tasks, and then click Export. The Certificate Export Wizard opens.
10. On the Welcome page, click Next.
11. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next. This format carries the public certificate only; no private key is written, which is what makes the resulting file safe to distribute.
12. On the File to Export page, enter the path and file name where you want to save the exported certificate, and then click Next.
13. On the Finish page, verify the settings, and then click Finish.
Before distributing the file, note the certificate's thumbprint (shown on the Details tab) so that users or your help desk can confirm they received the genuine root certificate. If your server certificate was issued through an intermediate CA and you have Windows Mobile 5.0 devices, repeat steps 8 through 13 for the intermediate certificate in the Intermediate Certification Authorities folder (see the Certificate chaining issue in Appendix D).

Appendix C - Root Certificate Installation on Specific Devices and Mobile Operators
If your provider or device is not listed here, and you are having problems installing root certificates on your device, please contact your mobile operator for instructions on how to install root certificates on your device. Check the latest status on root certificate installation with your operator, as it may change.
1. Sprint - Download the correct utility for your type of phone; the links are provided in the knowledge base article below.
2. Verizon Wireless - Microsoft has worked with Verizon Wireless to create a signed version of the SPAddCert.exe utility to run on Verizon Wireless Windows Mobile Smartphones. To download the VZW_SPAddCert.exe file, visit the following Microsoft Web site: 442AED8F47AE&displaylang=en
3. Motorola Q with Verizon Wireless - FIMuuti&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9Mz AyJnBfcHJvZHM9MjMsODg4JnBfY2F0cz0mcF9wdj0yLjg4OCZwX2N2PSZwX3BhZ2U9MQ**&p_li= &p_topview=1
4. Telus
5. imate SP5 series of phones
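The following PowerShell script is an added example, not code from the white paper or from Microsoft. It is the scripted equivalent of the Appendix B export procedure, run on the front-end server or Client Access Server, and it also performs the safety check a practitioner wants before handing the file out: it re-reads each exported .CER and confirms it carries no private key, then prints the thumbprint for out-of-band verification. It assumes Windows PowerShell 2.0 or later is available on the server, that 'Contoso Root CA' is replaced with a string that appears in your own CA's subject or issuer name, and that C:\certs is a writable output folder. It exports from both the Trusted Root (Root) and Intermediate (CA) stores so that Windows Mobile 5.0 devices, which cannot chain through an intermediate they do not have, can be given the complete chain.

```powershell
# Added example (not the white paper's own code): scripted equivalent of Appendix B.
# Run on the Exchange front-end / Client Access Server.
# Assumptions: Windows PowerShell 2.0+; "Contoso Root CA" is a placeholder for a string
# found in your CA's subject or issuer name; C:\certs is a writable folder.
param(
    [string]$IssuerPattern = 'Contoso Root CA',   # placeholder: part of your CA's name
    [string]$OutDir        = 'C:\certs'           # placeholder output folder
)

$DerFormat = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert

function Export-StoreCerts {
    param([string]$StoreName, [string]$Pattern, [string]$Dir)
    # 'Root' = Trusted Root Certification Authorities, 'CA' = Intermediate Certification Authorities
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadOnly')
    $exported = @()
    foreach ($cert in $store.Certificates) {
        # Match the root by its subject, and intermediates issued by that root by their issuer
        if ($cert.Subject -notlike "*$Pattern*" -and $cert.Issuer -notlike "*$Pattern*") { continue }
        # DER (.CER) export carries the public certificate only; a private key is never written,
        # which is exactly why the resulting file is safe to hand to users.
        $bytes = $cert.Export($DerFormat)
        $file  = Join-Path $Dir ('{0}.cer' -f $cert.Thumbprint)
        [System.IO.File]::WriteAllBytes($file, $bytes)
        $exported += $file
    }
    $store.Close()
    return $exported
}

function Test-ExportedCer {
    param([string]$Path)
    # Re-read the file exactly as a device will receive it and refuse to ship it if a
    # private key somehow came along; print the thumbprint for out-of-band verification.
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($c.HasPrivateKey) { throw "$Path contains a private key - do not distribute it" }
    '{0}  thumbprint={1}  subject={2}  expires={3}' -f $Path, $c.Thumbprint, $c.Subject, $c.NotAfter
}

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Root CA certificate (needed on every device that does not already trust it)...
$files = @(Export-StoreCerts -StoreName 'Root' -Pattern $IssuerPattern -Dir $OutDir)
# ...plus any intermediate, which Windows Mobile 5.0 cannot obtain from the chain itself
$files += @(Export-StoreCerts -StoreName 'CA' -Pattern $IssuerPattern -Dir $OutDir)

if ($files.Count -eq 0) {
    Write-Warning "No certificate matching '$IssuerPattern' found in LocalMachine\Root or LocalMachine\CA"
}
$files | ForEach-Object { Test-ExportedCer $_ }
```

Run it as an administrator on the server; it prints one line per exported file with the thumbprint that users can compare against the value they see on the device (Appendix A, step 4) after installation.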
Appendix D - Common Troubleshooting Scenarios

Issue - No certificate on Front-end Server
This happens if you try to use Exchange ActiveSync security enhanced communications without installing the SSL certificate on the IIS web site of the front-end server. If the IIS server hosts multiple web sites, make sure you installed the certificate on the web site that services Exchange.

Issue - Non-trusted Certificate Authority
Windows Mobile ships with many of the popular certificate authorities trusted by default; see Table 1 above. However, if your server certificate was obtained from a Certificate Authority that the device does not trust, you must either add that CA to the trusted CAs on the device or obtain a new certificate from one of the trusted sources.
Option 1 - Add the CA to the list of trusted root CAs on the Windows Mobile device. See the instructions above.
Option 2 - Obtain a new server certificate from one of the trusted CAs. See the instructions in section Step 1 - Obtaining and Installing Certificates on the Exchange Server.

Issue - Mismatched Server Names
In addition to securing the channel, the mobile device also verifies that it is connecting to the proper Exchange Server (i.e. avoiding spoofing) by comparing the server name configured on the device in the ActiveSync setup (e.g. mail.company.com) with the server name to which the certificate was issued. If the two do not match, the device gives a certificate error. For example, a Windows Mobile device connects to mail.company.com, but the certificate on the Front-end Server was issued to fe1.company.com.
NOTE: Windows Mobile 5.0 does not support wildcard certificates, so the name must match exactly. Windows Mobile 6 does support wildcard certificates, so if the certificate is issued to *.company.com, mail.company.com will work.
Resolution:
Option 1 - Device-side change. On the device, change the server name to match the name on the certificate. In the example above, you would change the server name on the client from mail.company.com to fe1.company.com. The name the device connects to now matches the name on the certificate, so the connection is made. This only works if the name on the certificate also resolves in DNS and is reachable from the Internet; otherwise use Option 2.
Option 2 - Server-side change. Reissue the certificate using the name you want your devices to connect to. This involves more work and possibly additional cost, depending on how you obtained the certificate. This is the right choice when the name on the certificate is incomplete (i.e. not a fully qualified domain name) and therefore inaccessible from the Internet, or when the server name is not user friendly (e.g. BobtheFrontendServer.company.com). Once this change is made, no changes are needed on the device and the connection will be made.
Issue - Certificate chaining
Windows Mobile 5.0 does not support certificate chaining: it cannot validate a server certificate through an intermediate CA unless that intermediate certificate is itself installed on the device. It is possible that there is an intermediate CA involved even if you did not ask for one. For example, Go Daddy requires an intermediate certificate to be installed on the Front-end Server. Windows Mobile 6 does support certificate chaining and intermediate certificates, so it only needs the root.

Installing the Intermediate Certificate on the IIS Server
Once you have downloaded the intermediate certificate, follow the instructions below to install it:
1. Follow instructions 1 through 7 from Appendix B to open the Certificate Manager console for the Computer account (not your user account), so that IIS can include the intermediate certificate in the chain it sends to clients.
2. If necessary, click the "+" icon to expand the "Certificates" folder so that the Intermediate Certification Authorities folder is visible.
3. Right-click "Intermediate Certification Authorities", choose "All Tasks", and then click "Import".
4. Follow the wizard prompts to complete the installation procedure.

Additional Troubleshooting Resources:
Windows Mobile Sync Error Code
Exchange ActiveSync / OMA Troubleshooting
Exchange ActiveSync Errors and Solutions
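The following PowerShell script is an added example, not part of the white paper, that reproduces the Appendix D checks from an administrator's workstation instead of from a device: whether the front-end server answers SSL at all, whether the name the devices are configured with matches a name on the certificate, whether the chain ends at a trusted root, and which intermediates a Windows Mobile 5.0 device would need installed. It assumes Windows PowerShell 2.0 or later with .NET 2.0+, that mail.company.com is replaced by the name entered in ActiveSync on the devices, and that the name-matching rule coded here (exact match, plus a single-label wildcard only when -WindowsMobile5 is not given) stands in for the device's own check, which the paper describes but does not specify in detail. One caveat: X509Chain.Build uses the workstation's own certificate stores, so a chain that builds here can still fail on a device that lacks an intermediate; the script therefore lists every intermediate it finds.

```powershell
# Added example (not the white paper's own code). Checks the Appendix D issues from an
# admin workstation: no certificate bound, mismatched name, untrusted CA, and the
# intermediates a Windows Mobile 5.0 device would need installed.
# Assumptions: Windows PowerShell 2.0+ / .NET 2.0+; mail.company.com is a placeholder.
param(
    [string]$ServerName = 'mail.company.com',   # the name entered in ActiveSync setup on the device
    [int]$Port = 443,
    [switch]$WindowsMobile5                     # WM5: no wildcard names, no chaining via intermediates
)

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    # Accept anything during the handshake; the checks below inspect the result ourselves.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        # Copy the certificate out before the stream (and its native handle) is closed
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject Alternative Name extension (OID 2.5.29.17), if the certificate has one
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            foreach ($m in [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)')) {
                $names += $m.Groups[1].Value
            }
        }
    }
    # Fall back to the subject common name, which older certificates rely on
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $names | Select-Object -Unique
}

function Test-NameMatch {
    param([string]$ConfiguredName, [string[]]$CertNames, [bool]$AllowWildcard)
    foreach ($n in $CertNames) {
        if ($n -eq $ConfiguredName) { return $true }          # -eq is case-insensitive
        # *.company.com matches mail.company.com but not a.b.company.com (Windows Mobile 6 only)
        if ($AllowWildcard -and $n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                            # ".company.com"
            $cut    = $ConfiguredName.Length - $suffix.Length
            if ($cut -gt 0 -and $ConfiguredName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                -not $ConfiguredName.Substring(0, $cut).Contains('.')) { return $true }
        }
    }
    return $false
}

# Issue - No certificate on Front-end Server: the handshake itself fails
try { $leaf = Get-ServerCertificate -HostName $ServerName -Port $Port }
catch { "FAIL: no SSL handshake on ${ServerName}:${Port} - is the certificate bound to the IIS web site serving Exchange? ($($_.Exception.Message))"; exit 1 }
"Server certificate: $($leaf.Subject) (expires $($leaf.NotAfter))"

# Issue - Mismatched Server Names
$names = @(Get-CertificateDnsNames $leaf)
"Names on certificate: $($names -join ', ')"
$mode = if ($WindowsMobile5) { 'Windows Mobile 5.0: wildcards not accepted' } else { 'Windows Mobile 6: wildcards accepted' }
if (Test-NameMatch $ServerName $names (-not $WindowsMobile5)) { "OK: '$ServerName' matches the certificate ($mode)" }
else { "FAIL: '$ServerName' matches no name on the certificate ($mode) - rename on the device or reissue the certificate" }

# Issue - Non-trusted Certificate Authority / Certificate chaining
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust and chaining are what we test here
$trusted = $chain.Build($leaf)                  # uses this workstation's stores, not the device's
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
"Chain as built on this workstation ($($elements.Count) certificates):"
$elements | ForEach-Object { "  $($_.Subject)  <- issued by $($_.Issuer)" }
if ($trusted) { "OK: chain ends at a trusted root; install that root on devices that do not ship with it" }
else { "FAIL: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ') }
$intermediates = [Math]::Max(0, $elements.Count - 2)
if ($intermediates -gt 0 -and $WindowsMobile5) {
    "NOTE: $intermediates intermediate CA certificate(s) in the chain; Windows Mobile 5.0 does not chain through them, so install each one on the device along with the root"
}
```

Run it once without -WindowsMobile5 and once with it when you support both device generations; a wildcard certificate passes the first run and fails the second, which is exactly the difference the Mismatched Server Names note describes.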