View Full Version : Import server certificate to E61


sunlie
29-06-2006, 09:31 AM
The ActiveSync works just fine in E61, only one problem it keeps asking to accept my server certificate. I use SBS 2003 server that create its own certificate. Anyone know how to import a server certificate to E61 ?

phazlehurst
29-06-2006, 02:12 PM
The ActiveSync works just fine in E61, only one problem it keeps asking to accept my server certificate. I use SBS 2003 server that create its own certificate. Anyone know how to import a server certificate to E61 ?

Hi, what you have to do is the following:

1) Get a .CER (the certificate) file from your administrator and save it to your hard drive somewhere
2) Using PCSuite, copy that .CER file to your phone in any folder really. Documents will work
3) Using FileManager on your phone, navigate to the file, and you should be able to "open" it, and then it will say do you want to import it.

Tx

P

sunlie
30-06-2006, 02:25 AM
Hi, what you have to do is the following:

1) Get a .CER (the certificate) file from your administrator and save it to your hard drive somewhere
2) Using PCSuite, copy that .CER file to your phone in any folder really. Documents will work
3) Using FileManager on your phone, navigate to the file, and you should be able to "open" it, and then it will say do you want to import it.

Tx

P

Thanks, try that, when I open it, nothing happen, no question ask wheter I would like to import it or not. Any other suggestion anyone ? :con?

Rafe
30-06-2006, 09:35 AM
Check the format;

Try sending a X.509v3 format cert file to the phone over Bluetooth and then open the received message, or download it from a web or WAP page (assuming the server has been configured to send the correct MIME type, application/x-x509-ca-cert).

sunlie
01-07-2006, 01:43 AM
Check the format;

Try sending a X.509v3 format cert file to the phone over Bluetooth and then open the received message, or download it from a web or WAP page (assuming the server has been configured to send the correct MIME type, application/x-x509-ca-cert).

Try to send it with Bluetooth, nothing happen when I open it, just a blink on the screen. Try to put the certificate in a webpage and set the correct MIME, but the phone open it as a text file. Still no luck here...:frown:

shidongting
08-07-2006, 10:48 AM
I had the same problem. Make sure the certificate is in the DER format, not base64. The Exchange server can export the format for you by going to http://exchangeserveraddress/certsrv/. Copy the cert to your phone with bluetooth or whatever and then open it. It will ask you if you want to install it. After, you won't be prompted.

Hope this helps.

sunlie
10-07-2006, 02:04 AM
I had the same problem. Make sure the certificate is in the DER format, not base64. The Exchange server can export the format for you by going to http://exchangeserveraddress/certsrv/. Copy the cert to your phone with bluetooth or whatever and then open it. It will ask you if you want to install it. After, you won't be prompted.

Hope this helps.

Thanks, but since I use SBS 2003 I dont have the certsrv installed. Still no luck. Wouldn't it be nice if some one came up with an application to import certificate...

Rafe
10-07-2006, 09:52 AM
I understand that you cna use openssl to convert certificates. I don't the details, but perhaps you could to a Google for this?

sunlie
29-07-2006, 02:57 AM
Finally... I can make the E61 to install my certificate, thanks Rafe for the OpenSSL tips. It turns out that the E61 can't accept the server exported certificate "as is", you have to convert the .cer certificate exported by SBS 2003 to .pem then converted it again to .der using OpenSSL, put the newly converted .der certificate in your web server root and access it with E61 default browser. Now my E61 happily activesync every 1 hour.

bluemonkey
09-08-2006, 07:59 PM
Hey There,
I am running into alot of problems getting a certif on my E61, could some one please help me set it up using openssl. i have no idea where to start

vdhd
10-08-2006, 12:37 AM
Bluemonkey, you aren't the only one. We ordered 5 of these phones with plans to scale to over 100 for our enterprise, and what a disaster. I have had more trouble getting the stupid cert to work on this device, it's a nightmare.

I've tried everything - I'm hoping someone would be kind enough to grab our cert from me and help me make it work. Please.... ?

sunlie
10-08-2006, 07:19 AM
Bluemonkey, vdhd, I'll try to help you guys if I could, kindly provide me with the URL of your secure website see if I can convert the certificate.

vdhd
10-08-2006, 05:58 PM
I will take you up on that - thankyou!

matt_storr
16-08-2006, 07:29 PM
So can any1 shed any light on how to import server root certs then? We have a self-signed root cert on our Windows 2003 server where Exchange is installed. I access the site, double click the secure lock icon and copy the cert to my desktop as a DER formatted cert. I then proceed to copy the .cer cert over to my E61 but it wont open it saying unknown format. I copy the same cert to my N70 and it installs fine.

I've used OpenSSL to copy to and from PEM to DER format - still no joy. Could it be that there is something wrong with self certified root certs created using Windows Certification Server?

karlossus
21-08-2006, 04:56 PM
I am having the same problem with a P990i. I can install the certificate but they are held in the user store not in the CA store. When I sync I have to ok the certificate each time. If anyone has a solution then please post it here. I have tried using OpenSSL to convert the .cer file but it doesn't seem to make a difference.

sunlie
22-08-2006, 07:42 AM
So can any1 shed any light on how to import server root certs then? We have a self-signed root cert on our Windows 2003 server where Exchange is installed. I access the site, double click the secure lock icon and copy the cert to my desktop as a DER formatted cert. I then proceed to copy the .cer cert over to my E61 but it wont open it saying unknown format. I copy the same cert to my N70 and it installs fine.

I've used OpenSSL to copy to and from PEM to DER format - still no joy. Could it be that there is something wrong with self certified root certs created using Windows Certification Server?

matt_storr, have you try putting the OpenSSL converted certificate to your website root directory and access it using the E61 built in web browser ? In my case this is the only way I can install the certificate.

karlossus
22-08-2006, 08:13 AM
Sunlie, could you post the conversion process step by step please? Just so there's a record of how it's done. Thank you.

sunlie
23-08-2006, 01:18 AM
karlossus, here's how I do it :

- export the .cer certificate
- use OpenSSL to convert the certificate to .pem, using the command : openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
- convert the .pem to .der using command : openssl x509 -outform der -in MYCERT.pem -out MYCERT.der
- copy the .der cetificate to the website root directory (recommended) or copy it to a newly created directory
- set the directory MIME types to application/x-x509-ca-cert for .der extension
- browse the file using the E61 built in web browser, the certificate will install automatically

From all possible ways, this is the only way I can get the certificate installed on my E61, hope it's helpfull.

karlossus
23-08-2006, 11:10 AM
Thanks Sunlie, those are great instructions. However it still hasn't worked for me. As always the certificate appears in the User folder of the certificate manager and not in the CA folder. Then Activesync still always asks if I trust the Exchange server (I do I do).

There must be a bug somewhere which isn't allowing me to trust the certificate properly.

It's a P990i I am trying to set up though both it and the E61 are the same version of symbian.

Thanks for your help again Sunlie.

elaverick
06-09-2006, 07:39 PM
Sorry for the thread archaeology, but a thought occurs to me having spent a long day playing with this myself.
What are the subjects of these failed certificates? Mine appears to be listing the internal domain (.local) rather than the domain the device thinks its connecting to (.com)
If I could figure out how to recreate the certificate for the external domain I'd test the theory but I don't know how to do that just yet...

Any thoughts?

chucksrover
10-10-2006, 07:14 PM
Sunlie-

This is the only place on the web where I've found proper directions to get this installed. I have an e62, and I've tried copying, sending, emailing the .der certificate without luck. It will not recognize the file format.

The only option was to publish or copy this to a directory on your exchange server website, with the proper MIME type added for the .der file type.

Thank you!!

bjornhij
12-10-2006, 08:09 PM
Karlossus, I have the same problem you have. The certificate appears in the 'user' folder, not the 'CA' folder. Did you find a solution yet?

Thanks,
Bjorn

desertrat
13-10-2006, 11:09 AM
Karlossus, I have the same problem you have. The certificate appears in the 'user' folder, not the 'CA' folder. Did you find a solution yet?

Are you sure you're importing the CA's (Certificate Authority's) certificate and not the server's certificate?

jventura
23-10-2006, 11:46 AM
Hello,

I've seen your comments in the forum and after following forum's indication was able to install the certificate to my N80 (S60 3rd ed) but it continues to ask for confirmation whenever I access the webpage.

Any ideas?

Thanks,

NOTE: I can find ther certificate in my N80 Certificate folder...

Joao Ventura

pelwell
25-10-2006, 11:44 AM
You will have to forgive me if my terminology is a little off, I am not fully conversant with all this.

I recently had to get an E61 working with an Exchange email server and hit the request to accept the certificate problem when it synchronised. I tried many of the above suggestions to no avail. I have fixed it though, and learnt a few things along the way.

What I didn't realise is that there are 2 certificates involved in the process. The 1st is what I will call the "root certificate" created on my Windows 2003 server, it has a 5 year life span. The 2nd is what I will call the "client certificate". The client certificate is a child, for want of a better word, of the root one.

I found that the only certificate I could install on the E61, by copying the .cer file across with no conversion necessary, was the root certificate. All others were rejected. Installing this made no difference to the acceptance request when syncing. The syncing, or web-browsing process, calls the client certificate and it not seen as trusted, hence the prompt.

The fix I found was to tell the E61 to trust my root certificate. Here's how:

Menu - Settings - Security - Certif. management

Find your root certificate (xyzCA in my case) in the list. Options - Trust settings. Set "Internet" and "Online certif. check" to Yes.

Hopefully now when you sync the client certificate will be trusted, because the root one is seen as a trusted source.

agerbo
25-10-2006, 07:36 PM
@pelwell

Where did you copy your .cer file to on your E61

/agerbo

pelwell
26-10-2006, 08:30 AM
I just copied the file across, via USB, to the Documents folder, though any folder will do.

rolexel
17-11-2006, 09:46 AM
The process is simple, and i just got my email client to work with my imap server.

Just send the .cer file to the phone, and open Certificate Manager in Tools. Then, add this .cer file. Once you added, select it, and hit View Details, and then Trust Settings. MAKE SURE email and web browsing is set to 'yes'. This will allow your email clients to trust the corresponding imap server and stop asking you repeatedly about accepting certificates!

dobermann
18-12-2006, 03:46 AM
Hi all. I've been trying to get exchange server to work with my E62, and its been a struggle. Although i'm a bit over my head here, i'm trying to learn and have found the forum helpful.

So here's where I am:

Have 2 certificates from my admin (who says on my own since not a windows device) ROOT Certificate.cer and EXPORTED owa.hedhifi.com SSLcertificate.cer that I have transferred to phone via USB into a cert file i created.

As far as i can tell, there isn't a way to add the files using certificate manager. The manager only shows the files that exist on the phone, and won't allow me to browse to the new ones.

The phone just keeps saying "can't open file" or "unknown file type" so it won't allow me to take any action.

I could try to download the file directly as some in the forum have suggested, but others say it works fine to manually transfer.

Does anyone have any suggestions? Any help would be appreciated, I really need to get this figured out...

Cheers.

dobermann
26-12-2006, 11:24 PM
Can anyone help me out with this? I haven't been able to make any progress, and can't find information elsewhere...

Thanks.

chapelhill
29-01-2007, 04:48 PM
I have been having problems with this too and have managed at last to get it working with an SBS server. Here follows what I hope is the sequence that I used, but be aware that you try so many adjustments, there may be extra or less steps isnvolved.

I followed all the instructions on the net and was successful in installing the cert, but the prompt messages kept appearing.

We are using SBS server premium.
I saw this web page which refered to certsrv directory which did not exist on my server.
"www .msexchange .org /tutorials/SSL_Enabling_OWA_2003.html" (Remove spaces)
The default installation of my server did not have the windows component certification services installed, however the sbs certification wizard worked ok for pc's, so I followed the instructions on the web page, (note warning about name changes) right to the end. I checked from an external pc that the certificate was working.

Then using my home pc I browsed to "mail .mydomain .com/certsrv" (Remove spaces)
and logged in as administrator.
Select request a certificate
Select user certificate
Then select submit (With xp pro and explorer7 it says no futher details required at this stage, you may get different options.)
Click ok to warning about scripting
Screen then comes back saying certificate was issued and a link to install the certificate and click yes to the prompts.
This then installed two certificates to my pc.
Tools>Internet options>Content>Certificates
There were two certificates installed a personal certificate and a root trusted certificate, I browsed to the root trusted certificate and exported in der format, converted .cer file to .der file using openssl as per web instructions, copied resultant file to root of server, modified mime types for .der files on server as per wen instructions, browsed to the file using native explorer in E61 which then gave me option to install which I did and voila it worked, only took me 3 days!
Note the previous certificates I managed to install always had the local host name as the properties, whereas the final one use the correct fqdn used for webmail.
From what this exercise has taught me there are 3 bits to certification, Authority, server and client. The client gets the client cert form the server and then warns if it cannot get to verify against certifying authority. The bit we need to install is the certifying authority to get rid of the prompt. Without the full cert services in the sbs there is some limitation which prevents us getting a correctly formatted certify authority, thankyou microsoft!
Thanks to all the other posters, and good luck to anyone attempting their own configuration.
Regards
Chapelhill

jazztronic
08-02-2007, 01:59 PM
Here's my certificate (in owa.zip) at DER format as described in this forum.
Unfortunatly, none of the solutions worked in my case.
Can someone help with this ?
Thanks

Nostra Systems
07-03-2007, 04:52 PM
Hi Guys

Read this piece especially the second part dealing with cert imports

nostrasystems.ie/smartphone.php

Regards
Senan

pauleec
23-03-2007, 01:10 PM
well, not quite that bad but I am losiing the will to live. I am attempting to synchronise my E61 with a Exchange 2003 SP2 server using Roadsync. I have managed to import all the required certificates (bought one from Go Daddy) onto the device, the settings are correct, I have setup RPC over HTTPS on the server and that works. But still the bloody thing won't synchronise.

The Roadsync error I get suggests that my account has expired (no), my username is greater then 20 characters (no) or my password or username is wrong (no again - have tested with other users, etc). I am completely flummoxed. If anyone has any ideas please let me know. Many thanks to sunlie and Senan by the way, their posts on here helped me with the certificate issues in a big way. Great forum (shame about the E61).

Paul

dan_the_man
22-09-2009, 11:13 AM
Hi

Is this thread still open, i need help on this issue with openssl.

How do you use it with the command line, i have downloaded "openssl-0.9.8k.tar.tar" and extracted it to a folder put the cer file in there but get "not reconised as an internal or external command"

Do i have to install it somehow first?

Hope someone is still reading this and can help.

Thanks...

thomasstuart
18-11-2009, 12:51 PM
Hi Guys I am Thomas.
I also have the same problem. Make sure the certificate is in the DER format, not base64. The Exchange server can export the format for you by going to http://exchangeserveraddress/certsrv/. Copy the cert to your phone with bluetooth or whatever and then open it. It will ask you if you want to install it. After, you won't be prompted.