Re: VeriSign new-Exchange cert




Thanks for responding, Rich.

Responses Inline...

"Rich Matheisen [MVP]" <richnews@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:egom45lhhmrbke33sa9gsntiplcfuv6r5p@xxxxxxxxxx
> On Wed, 1 Jul 2009 02:11:15 -0400, "John" <john@xxxxxxxxxxxxxxxxx>
> wrote:
>
> > Which CA do you recommend for people that would like
> > windows mobile devices to recognize the certificate
> > out-of-the-box?
>
> That depends on which certificates are loaded by the OEM onto the
> device. You may also have the root certificate on the device but the
> vendor uses a secondary CA to create the cert. If the secondary cert
> isn't on the device then the cert you use won't work, either.

I am aware of this. My certs are issued directly from the CA root;
no secondary CA.

> > Currently every time I have a new windows mobile user
> > I have to connect it to a computer with Activesync installed,
> > copy the CA's root certificate to the device, then finally
> > install the cert by clicking on it from the phone.
>
> Or you could put it on a web site, download it, and then tap the
> downloaded cert. Or put it on an SD and/or mini-SD card and stick that
> into the device and install the cert from there.

I was considering the web site option. I will have to add .crt
as allowed under IIS. Have you attempted this? I was unsure
that it would be as simple as the end user typing in the web
file address and clicking save. Specifically, I was concerned
how Pocket IE would handle an attempt to download .crt.

I am rarely in physical contact with the end users. Many users
are not sophisticated, so the more steps required for them to
configure their phone for syncing, the more work required for
me (or someone else) to help them.

> > Our
> > current root is "Equifax Secure Global eBusiness CA-1",
> > however, that is not the same as "Equifax Secure Certification
> > Authority" as listed here:
>
> So it looks like they issue the certs from another CA (probably a
> secondary CA). My guess is that they add secondary CAs as their
> business expands and they need additional capacity.

No, it is a root CA. It is just not the exact one on the "approved"
list shipped with Windows Mobile.

> > How to install root certificates on a Windows Mobile-based device
> >
> > http://support.microsoft.com/kb/915840
> >
> > I bring it up in the context of this thread because avoiding the
> > trusted root issue *may* be a good reason to use VeriSign. I
> > would love to know the cheapest provider of a windows-mobile
> > approved UCC certificate.
>
> How old are the devices? ;-) I have some that work with GoDaddy and
> some that don't. Some work with one cert issued by another CA but not
> with one issued from a secondary CA by the same vendor.

New and old. I just had someone purchase a new phone this
month as well as last, and both had this issue.

> > I guess the bigger question is why doesn't Microsoft update
> > the list of trusted roots included with Windows Mobile? It
> > has been this same limited list for many years now.
>
> Should the question be reversed and put to the CAs and OEMs? MS only
> provides the O/S to the OEMs for them to customize and load onto their
> devices. The updates should be coming from the OEMs, not from MS. Some
> devices are "locked" and allow only certs that have been approved and
> digitally signed by the OEM to be added to the device. An updated set
> of certs from MS would do little good in those cases.

I do not think so. The list of certs that ship with mobile is
painfully small, and as far as I can tell has not changed for many
years/versions. If you desire to have the phone sync setup be
as easy as possible (and thus reduce admin costs), then it
seems the only choice is to use a cert from the built-in list.

Some OEMs may include additional certs, but I do not have
control over what phones the end-users choose to purchase,
except for the requirement that they work with Exchange.

How does Pocket IE work if the device only has such
a small list of trusted roots? I mean, most of the discount
certs out there work with over 99% of the browsers; however,
in my experience they will *not* work with 99% of Windows
Mobile phones connecting to Exchange.

Perhaps people rarely use their Windows Mobile phone
to connect to secure sites?

Sometimes it seems the mobile/CE/etc. versions of Windows
are treated like a stepchild at Microsoft. One example I
can think of is the fact that the Remote Desktop client has
not been updated for a very long time, even though it
needs to be to match the new RDP versions.

It makes me wonder if the list of trusted certs has not
been updated only because of this "stepchild" status, and
not because it does not need to be.

Current phones have lots of storage, so it should not be
an issue of trying to conserve space (each cert is only
about 1K). My XP has 254 trusted authority certs
at the moment, many of which are expired so could
be eliminated.
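The root-versus-secondary-CA point raised in the thread, reproduced with a constructed chain (this is an added example, not code from the thread or from any vendor): a self-signed root, a "secondary" intermediate CA signed by it, and a server cert for the assumed host mail.example.com. A trust store that holds only the root, like a phone's built-in list, rejects the server cert until the intermediate is also supplied.

```shell
#!/bin/sh
# Added example: a root CA, a "secondary" (intermediate) CA signed by it,
# and a server cert for an assumed Exchange host, all generated locally.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the three-certificate chain with the openssl CLI.
make_ca_chain() {
  cd "$WORK"
  # Self-signed root, marked as a CA (what a phone's built-in list holds)
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 3650 \
    -extfile ca.ext 2>/dev/null
  # Secondary CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Demo Secondary CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 1825 -extfile ca.ext 2>/dev/null
  # Server cert for the (assumed) Exchange host, signed by the secondary CA
  openssl req -new -newkey rsa:2048 -nodes -keyout mail.key -out mail.csr \
    -subj "/CN=mail.example.com" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > leaf.ext
  openssl x509 -req -in mail.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out mail.pem -days 365 -extfile leaf.ext 2>/dev/null
}

# Emulate the device: its trust store holds only root.pem. $1 is an optional
# file of untrusted intermediates the server hands over alongside its cert.
# Returns 0 if mail.pem chains to the root, non-zero otherwise.
device_trusts() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/mail.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/mail.pem" >/dev/null 2>&1
  fi
}

make_ca_chain
if device_trusts ""; then
  echo "root only: trusted"
else
  echo "root only: rejected (issuer is the secondary CA, which the device does not hold)"
fi
if device_trusts "$WORK/inter.pem"; then
  echo "root + secondary CA: trusted"
fi
```

The same check against a live server is what a device does at sync time: if the server does not send the intermediate and the device does not hold it, the connection fails even though the root is trusted.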
