A solution for SSL Certificates and ActiveSync problems

Further to my previous posts Mobile ActiveSync and Microsoft Exchange 2007 and SSL Certificates for Exchange Server 2007 continued… I am happy to report that I’m finally making progress on the ongoing SSL certificate/ActiveSync debacle. I dug out my Blackberry 8820 to test the certificate problem and of all things the Blackberry gave the clearest indicator of what the problem was – leading me to the discovery that some mobile devices only seem to read the first entry name entry in certificates that support multiple names.

A little digging and a few penny drops later and I managed to get ActiveSync working properly on the Sony Ericsson p1i. I had put the server address into the p1i as mail.domainname.com (I also tried www.domainname.com) but the certificate we applied for listed domainname.com as the first entry followed by www.domainname.com, mail.domainname.com, autodiscover.domainname.com, host. Of course the p1i seemed to be checking only the first entry and considered that www.domainname.com (the entry I had put in for the server) and domainname.com (the first entry on the certificate) were completely different entities thus throwing up a certificate violation warning.

It seems that although the certificate and Exchange 2007 support (SAN) Subject Alternate Naming – that in actual fact certain mobile devices don’t and as such the order of the addresses in the certificate, particular the first one, is vital. The p1i is now syncing quite happily using ActiveSync and push. Mind you, I still haven’t got the iPAQ working using ActiveSync but I’m getting closer!

  • Gopal Vanamamalai

    Hi, i’m running into the same problem on my P1i. Everytime the activesync runs it prompts me to manually accept the certificate. I’m glad to see you found a solution.

    How could i fix that problems. If my server address is “webmail.hds.com” and my domain is “hds” what should i be doing.

    Thanks
    -Gopal

  • http://www.jasonslater.co.uk jasonslater

    Gopal, did you put webmail.hds.com as the first host entry in the certificate chain? It would be interesting to know if you did.

  • Pingback: blackberry 8820 t mobile

  • http://futuresoftsolutions.com manoj

    we also have similar problem at one of our client. we are using SAN certificate with
    webmail.domain.com
    autodiscover.domain.com
    cas01 (cas01 server netbios name)
    case01.internaldomainname.com
    case02
    case02.internaldomainname.com

    What name should i put during activesync configuration?
    Thanks.

  • Alex

    I’m having the same issues! And it seems about right what your suggesting because the certificate check also appears in the opera browser when connecting to the OWA.

    The only thing that is holding me back at the moment is how do you change the order of urls in the certificate. I have never done anything like that and would love to see al the SE users syncing happily ever after…

  • http://www.jasonslater.co.uk jasonslater

    Alex,
    The only way I could find to change the order of the URLs was to re-apply for our certificate via the certificate provider.

    Manoj,
    Personally I would put the first entry in the url list (webmail.domain.com in your example).

    Jas.

  • Gopal

    Jason, I still have the problem. i have the server name correct and the domain name correct and still i get the SSL certificate manual acceptance request.

    Thanks

  • http://www.jasonslater.co.uk jasonslater

    Gopal,
    What device are you running and is the problem on an internal network?

    One thing I did find on the SE p1i was that the server address on the device needed to be put in without the hostname so hostname.domain.com simply became domain.com

  • Pingback: microsoft activesync