A solution for SSL Certificates and ActiveSync problems

Submitted by jasonslater on Wednesday, 9 January 2008 | 9 Comments

Further to my previous posts Mobile ActiveSync and Microsoft Exchange 2007 and SSL Certificates for Exchange Server 2007 continued… I am happy to report that I’m finally making progress on the ongoing SSL certificate/ActiveSync debacle. I dug out my Blackberry 8820 to test the certificate problem and of all things the Blackberry gave the clearest indicator of what the problem was, leading me to the discovery that some mobile devices only seem to read the first name entry in certificates that support multiple names.

A little digging and a few penny drops later and I managed to get ActiveSync working properly on the Sony Ericsson p1i. I had put the server address into the p1i as mail.domainname.com (I also tried www.domainname.com) but the certificate we applied for listed domainname.com as the first entry followed by www.domainname.com, mail.domainname.com, autodiscover.domainname.com, host. Of course the p1i seemed to be checking only the first entry and considered that www.domainname.com (the entry I had put in for the server) and domainname.com (the first entry on the certificate) were completely different entities thus throwing up a certificate violation warning.

It seems that although the certificate and Exchange 2007 support Subject Alternative Name (SAN) entries, certain mobile devices in actual fact don’t, and as such the order of the addresses in the certificate, particularly the first one, is vital. The p1i is now syncing quite happily using ActiveSync and push. Mind you, I still haven’t got the iPAQ working using ActiveSync but I’m getting closer!
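To check a certificate against this behaviour before handing out device settings, the sketch below (an added example, not part of the original post) classifies a server name typed into a device against the certificate's name list. The certificate dict is constructed in the format Python's `ssl.SSLSocket.getpeercert()` returns, and the "first listed name only" model of a SAN-unaware device is an assumption based on the description above.

```python
# Constructed sample in the dict format that ssl.SSLSocket.getpeercert() returns,
# with the names in the order the post describes for its certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "domainname.com"),),),
    "subjectAltName": (
        ("DNS", "domainname.com"),
        ("DNS", "www.domainname.com"),
        ("DNS", "mail.domainname.com"),
        ("DNS", "autodiscover.domainname.com"),
        ("DNS", "host"),
    ),
}

def cert_names(cert):
    """Return (common_name, DNS SAN entries in certificate order)."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans

def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host

def classify(cert, configured_host):
    """Classify the server name typed into a device against the certificate."""
    cn, sans = cert_names(cert)
    # Assumption: a SAN-unaware device compares only against the first listed
    # name (first DNS SAN, or the CN when there is no SAN extension).
    first = sans[0] if sans else cn
    if first and name_matches(first, configured_host):
        return "ok-everywhere"
    if any(name_matches(name, configured_host) for name in sans):
        return "san-aware-only"  # fine in full clients, warning on first-name-only ones
    return "mismatch"

if __name__ == "__main__":
    for host in ("domainname.com", "www.domainname.com", "mail.domainname.com",
                 "webmail.domainname.com"):
        print(f"{host:28} {classify(SAMPLE_CERT, host)}")
```

A result of `san-aware-only` for the name users will type into their handsets is the case described above: the certificate is valid, but the name needs to be first in the list when the certificate is reissued.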

9 Comments »

  • Gopal Vanamamalai said:

    Hi, I’m running into the same problem on my P1i. Every time the ActiveSync runs it prompts me to manually accept the certificate. I’m glad to see you found a solution.

    How could I fix that problem? If my server address is “webmail.hds.com” and my domain is “hds”, what should I be doing?

    Thanks
    -Gopal

  • jasonslater (author) said:

    Gopal, did you put webmail.hds.com as the first host entry in the certificate chain? It would be interesting to know if you did.

  • manoj said:

    We also have a similar problem at one of our clients. We are using a SAN certificate with
    webmail.domain.com
    autodiscover.domain.com
    cas01 (cas01 server netbios name)
    case01.internaldomainname.com
    case02
    case02.internaldomainname.com

    What name should I put during ActiveSync configuration?
    Thanks.

  • Alex said:

    I’m having the same issues! And it seems about right what you’re suggesting, because the certificate check also appears in the Opera browser when connecting to the OWA.

    The only thing that is holding me back at the moment is how do you change the order of URLs in the certificate. I have never done anything like that and would love to see all the SE users syncing happily ever after…

  • jasonslater (author) said:

    Alex,
    The only way I could find to change the order of the URLs was to re-apply for our certificate via the certificate provider.

    Manoj,
    Personally I would put the first entry in the url list (webmail.domain.com in your example).

    Jas.

  • Gopal said:

    Jason, I still have the problem. I have the server name correct and the domain name correct and still I get the SSL certificate manual acceptance request.

    Thanks

  • jasonslater (author) said:

    Gopal,
    What device are you running and is the problem on an internal network?

    One thing I did find on the SE p1i was that the server address on the device needed to be put in without the hostname, so hostname.domain.com simply became domain.com.
