MC55A SSL Certificate issue

W Warren Evans 3 years 5 months ago
39 1 0

The Problem We're getting this warning when loading up a site with HTTPS The certificate was issued by a company you have not chosen to trust. link to screen cap Clicking Yes, will get you to the page, but getting SSL to work on the mobile devices without warnings is a requirement. The Environment Motorola MC55As (running Windows Mobile 6.5) connecting to a Windows Server 2008r2.   Certificate was issued by the University's CA server (not by Verisign or any other paid provider.)   The site works on Windows Desktop browsers just fine.   So... Duh.. we have to install the root certificate (and perhaps others in the chain). Well, we've done that: What we've tried I used Windows Mobile SSLChainSaver.exe (results attached as sslchain.zip) to get the certs onto a local workstation, copied them to the MC55 and clicked on each one to install them. The certificates seem to get installed OK, and they show up in the certificate store (one in the root tab, two in the Intermediate tab).   I "viewed" them to make sure they match what I see when I examine the certificate chain in a Desktop Browser.   As an alternate method, I used IE on the desktop to "manually" export the certificates and copy them over to the device.   Still, no matter what I do, I cannot get the certificate to work on pocket IE without the above warning.  Additional Notes:

I've verified (many times) that the date & time are set correctly ... and have made sure that the URL used matches what was issued on the certificate. 
I've done all of this on multiple devices (all MC55s) and from multiple PC and have done scores of warm-boots, cold-boots and clean-cold-boots.  
Networking wise, there's nothing fancy in between the device and the Server (no secure gateways or proxies).  
I've run SSLDiag on the server (output is attached as SSLDiag.txt).
Someone suggested it might be that the server was setup to use SNI, but as far as I can tell, IIS 7.5 doesn't actually support SNI.   
I can get a netlog trace (using http://msdn.microsoft.com/en-us/library/ms886701), but I'm not sure what to look for.
Please Register or Login to post a reply

1 Replies

W Warren Evans 5 years 5 months ago

I believe I found the issue.  It appears that the Windows Mobile OS does not support certificate validation on certificates that are signed with the SHA-2 algorithm.  SHA-1 is certainly supported, and SHA-2 may be supported for encryption but not for certificate validation .
(This same situation existed for Windows Server 2003) 
I've been unable to find any official documentation, but I confirmed it by setting up two servers: one with SHA-1 and one with SHA-2.  The SHA-2 would always give the warning, while the SHA-1 did not.  

CONTACT
Can’t find what you’re looking for?
Get in touch