[hparsons]

I do not think that I am missing the point. They are not using certificates at all. Is it possible to make something "secure" without using certificates? If the answer is no then my IT department is all sorts of backwards. If the answer is yes, then maybe you will start getting my point.

But, you're talking in circles. Here was your previous statement:

If your IT department basically has the security and encryption given by SSL and certificates, what is the point of another certificate just to make a phone work? That is why I think they should make it an option.

(my emphasis added). Your previous post implied that your IT department already had certificates.

To broadcast over SSL, a server must have a certificate. It's part of the protocol.

Most SSL client programs (such as browsers) require that you accept a certificate. Internet Explorer does this, as do most other browsers. The primary differences in what Palm is doing are:

1. They are requiring that you import the certificate, you can't just acknowledge it (as in IE). Whether or not this is a mistake is debatable, but personally I don't think it is.
2. They (apparently) have a bug that will not accept multiple CNs, which many self-signed certificates have.

...
All in all, I am not trying to be confrontational. I am simply not understanding why palm didn't include this as an option. I really am enjoying this phone. To be honest, I would just like to get this EAS thing figured out without having to do any work. So if palm send and update I will keep the phone. If they don't, I might not keep it. I haven't decided that yet.

Keep in mind that if Palm had not set things up so you imported the certificate, they would have been forced to do one of two things:

1. Accept questionable certificates without having the user acknowledge them. This would be a big security issue for the Pre.
2. Force the user to acknowledge the problem certificate each time the application ran! That means that each time your Pre established a new connection, you would have to acknowledge the problems with the cert (just as you do with IE and other browsers when a cet has issues).

By having the user import the certificate once, they will not have to acknowledge it again. Where Palm erred was in not properly accepting the self-signed certs.

[hparsons]

I'm not sure which certificate I need... and there a lot. Is it okay to delete all of them and just sign into my owa to re-trust them via firefox then export them to my phone?

Yes, that should work.

Is there anything wrong with deleting all certs from my computer?

Not really. You'll be prompted to import each one again, but that's no big deal.

[nukular]

I don't think the current version of the Pre is going to do it. I believe it's a bug in their (the Pre's) system on how it looks at certs with multiple CNs.

I say that because I sent the actual certificate from the root of my server. The certificate was mined using the name "matt.parsonsys.com" (along with the other CN's - common names - that the server uses). The pre saw it, every time, as matt.ps.local (the Active Directory domain and name that I use). The Pre ignored the rest of that CNs, thus would not work.

That said, you don't have to have your IT department send you the root certificate. You can export it from a browser. I've found that it's actually easier from FireFox, but can be done from IE. Do a quick google search on "export certificate" and your browser of choice.

Ummm...I've "exported" my certificate using firefox and well....the certificate manager on my Pre says that the "The current folder is empty" if I put it in a certificates folder, and if I send it to myself attached to an email I'm told the phone doesn't know what application to use to open it.

Any suggestions? My phone just doesn't seem to recognize the certificate at all... I also exported it as a DER binary whatever the hell that is.

[hparsons]

Thanks for the reply. I actually had IT get me the cert. I loaded it, "trusted" it and NOTHING. Same error. L2 support is clueless about this stuff as am I. the common name that shows up in Cert Manager is *.Domain. I'm in gov't, so the domain is like *.district.dept.state.us. Don't know if that matters and don't know how to check if we use multiple CNs.

I'm not 100% sure, but I seem to remember reading somewhere that the Pre is not accepting wild card certificates. That's what you're talking about wth the *.domain.

I'm surprised that a gov't agency is considering this. I work for a contractor, for the gov't, and directly spoke to the one person doing the pilot roll out in the agency I work for, and he said that they are looking at the Pre, but flatly stated that the only device they're going to roll out now are the Blackberries that meet DOD standards. I can't imagine a govt' agency (I'm assuming Fed level) would allow devices that can't be wiped.

Sounds like you're saying wait for L3 support to fix. Is this something core to OS or a security issue where they need to think of the security implications of a fix?

No, it's really the particular client application. My suspicion (and it's just an educated guess) is that this is particularly troublesome for the Pre, because of Synergy. They are likely going to have to fix a lot of client pieces.

Lastly, as someone else mentioned, how do we know which certificate to export?

Look for the certificate that lists the server by the exact name you are using on the Pre.

[hparsons]

Ummm...I've "exported" my certificate using firefox and well....the certificate manager on my Pre says that the "The current folder is empty" if I put it in a certificates folder, and if I send it to myself attached to an email I'm told the phone doesn't know what application to use to open it.

Any suggestions? My phone just doesn't seem to recognize the certificate at all... I also exported it as a DER binary whatever the hell that is.

Make sure that it has the .cer extension, then email it to yourself.

[nukular]

Make sure that it has the .cer extension, then email it to yourself.

Thanks. Unfortunately it didn't work. I accepted the certificate, but got the same error....

[MLJones8]

So I cleared my certificates.. then logged in to my owa via https://pod51000.outlook.com I had to accept 3 security warnings.

(below is a pic the expanded certifications go to outlook.com in some way the collapsed is gmail)


I exported each to my desktop and tried to e-mail them to my self but only one is a .crt the other two are executable files and can't be e-mailed.

Should I sync the other two files via USB or are they not important?

[realistdreamer]

It is in fact a wildcard CN. I re-exported it on my home machine and it's the same one. On the details screen before the export, there are many details about the certificate, but I have no clue what they mean. I have no idea why it's a wildcard either. I'm trying to investigate why the Pre doesn't like it, but with my level of knowledge of Synergy, Certificates and Exchange it's painful at best.

Thanks for everything though.

[realistdreamer]

OK, went over to Palm forums (many of the same names) and found that having the CN match the mailserver in setup is important. Also wildcards (*) appear to be a problem as the mailserver address field won't accept them.

It even appears (through search there) that a similar issue existed with VersaMail in terms of SSL Certificates with wildcards. I'll call L2 again tomorrow and update them, but unless I can change the CN on my cert, I think I'm stuck waiting for a fix that never came on VersaMail on the 680.

No sleep and the problem isn't fixed. Typical.

[Davidm1519]

Hmmm... have you updated? In device info it should be v. 1.0.2 or above.

Yea, I have most current version.

[bpdamas]

The same upgrade might have included support for non-ssl EAS? :-\

Ahh. I see. Unfortunately it did not.

[Davidm1519]

I don't think you have a total understanding what an ssl cert does. They are not specifically for cell phone use. If you connect into that server for any other reason than mail you should have a certificate. If you don't you are really putting your email and password in clear text out on the internet for practically anyone to see. And in most environments your username and password is the same you use for your business's domain access (not smart). So not only can someone access your mail but also every share or file you have on your entire network. So to say its not a priority for your IT staff is just ridiculous.

My IT Dude says we are using a "Self Signed Cert" this is my problem. I have copied the cert numerous ways and installed it on my pre. It shows cert under Cert Manager that it is installed.

No matter what I do, "SSL certificate error, are the date & time correct".

So I'm screwed.... Just waiting fot the software update.

[bpdamas]

But, you're talking in circles. Here was your previous statement:



(my emphasis added). Your previous post implied that your IT department already had certificates.

To broadcast over SSL, a server must have a certificate. It's part of the protocol.

Most SSL client programs (such as browsers) require that you accept a certificate. Internet Explorer does this, as do most other browsers. The primary differences in what Palm is doing are:

1. They are requiring that you import the certificate, you can't just acknowledge it (as in IE). Whether or not this is a mistake is debatable, but personally I don't think it is.
2. They (apparently) have a bug that will not accept multiple CNs, which many self-signed certificates have.

Keep in mind that if Palm had not set things up so you imported the certificate, they would have been forced to do one of two things:

1. Accept questionable certificates without having the user acknowledge them. This would be a big security issue for the Pre.
2. Force the user to acknowledge the problem certificate each time the application ran! That means that each time your Pre established a new connection, you would have to acknowledge the problems with the cert (just as you do with IE and other browsers when a cet has issues).

By having the user import the certificate once, they will not have to acknowledge it again. Where Palm erred was in not properly accepting the self-signed certs.

I did misspeak. They are not using SSL but encryption like SSL. My bad on that one.

Anyway, I see what you are saying and maybe this all falls back to the issue of the "cloud". I guess that would justify palms reasoning. I guess I am forgetting how this phone pulls all of the information all the time and Palm did not want user's to be vulnerable. It is okay and ultimately I would like Palm to fix this. They are not obligated to and I understand that. If they choose not to fix this soon then this phone just might not be the right one for me (pains me to say it) but I can potentially live with that. I will just have to wait until I hear back from the people at Palm.

[hparsons]

My IT Dude says we are using a "Self Signed Cert" this is my problem. I have copied the cert numerous ways and installed it on my pre. It shows cert under Cert Manager that it is installed.

No matter what I do, "SSL certificate error, are the date & time correct".

So I'm screwed.... Just waiting fot the software update.

Again, the problem isn't that it's a self-signed certificate, others have used self-signed certs with no problem. The problem (most likely) is that the "real" name of the server is different than the public facing name (the name that you use). Look at the cert on the Pre, and compare it with the name you are using for the server. If they are different, that is the problem. The Pre is only seeng one name (the first name given the server), it should look at all of the names on the cert.

[Davidm1519]

Somone posted a comment about installing startSSL, what is that, Does it work with Self Signed certs as well.

[Davidm1519]

Dont answer that, I'm an *****!

[hparsons]

Somone posted a comment about installing startSSL, what is that, Does it work with Self Signed certs as well.

Certificates are either issued by a commonly trusted entity, or they are self-signed (and the user knows to trust that entity). StartSSL is a trusted entity (by some clients, including the Pre).

The issued cert is free.

Edited Nah, I don't think you're an *****. With all the information and misinformation being tossed about, it's easy to get a little lost. I'll leave the explanation up, there are probably 5 other people wondering exactly the same thing you asked, without the nerve to ask publicly.

[MaxGator]

hparsons - thanks for all of your info.

It appears that I'm having the problem with the difference in CNs since there are multiple on my cert.

A couple of questions:

When you say the cert name should match the "name you use" - what is the name you use? ie. is it the https address. For example in my settings for the mail server address mine is "https://mail.xxx-yyy.com." Are you saying that the CN needs to be "xxx-yyy"?

The first CN on the cert is just xxx. No where on the cn is there xxx-yyy. So I think by implication you would say that cert would never work, right?

The odd thing is I went through installing sscerts on my 700p as well. I can't look at the cert that is installed on my 700p unfortunately, but I'm certain it is the same as the one currently installed on my pre and I could sync with exchange EAS until the day I bought the pre.

To me that suggests that I may be having some other problem. Any thoughts?

[Cmdr Grunt]

I'm in the same boat, the dns records for my server set up through register.com are for example opserver.opposition-media.com

However when I set up my exchange, the domain structure I settled on (for better or worse) internal.opposition-media.com so the server FQDN would be opserver.internal.opposition-media.com

I used selfssl with the IIS resource kit to generate a self signed ssl certificate, which I installed on to my sprint diamond, and of course EAS worked right away

I'm not sure why the pre is having trouble, but it may be the disparity between internal and external domain names. I'm attempting to get a free ssl cert from startcom and see what happens, because I just want to get my contacts synced up and don't know if I can wait for palm to re-jigger their EAS/SSL routines..

[hparsons]

..
A couple of questions:

When you say the cert name should match the "name you use" - what is the name you use? ie. is it the https address. For example in my settings for the mail server address mine is "https://mail.xxx-yyy.com." Are you saying that the CN needs to be "xxx-yyy"?
...

No. If you are using https://mail.xxx-yyy.com, then the CN on the cert should show mail.xxx-yyy.com . If it does not, then the cert either does not have the server in the cert, or it has multi-CN's on the cert. In either case, it won't work with the Pre right now. The latter is most likely a bug, it should work.

...
The first CN on the cert is just xxx. No where on the cn is there xxx-yyy. So I think by implication you would say that cert would never work, right?
...

"Never" is so ... absolute. It won't work right now. I'm hoping that Palm fixes this soon.

...
The odd thing is I went through installing sscerts on my 700p as well. I can't look at the cert that is installed on my 700p unfortunately, but I'm certain it is the same as the one currently installed on my pre and I could sync with exchange EAS until the day I bought the pre.

To me that suggests that I may be having some other problem. Any thoughts?

I'm suspecting that the cert you are using has multiple CNs. This is common. The Pre is not recognizing anything but the original CN. It sounds as if the 700p did recognize them.