Edge verisign certificates for Mobile phones

  • Question

  • I installed communicator to a couple Windows Mobile 6 phones and they cannot seem to see the certificates? I have two certificates posted to the edge server (access and conference). Computers work fine, but mobile phones don't.
    Monday, July 20, 2009 3:44 PM

All replies

  • Well now I manually installed the certificates (all of them) onto the phone and it still doesn't work.

    "Cannot verify the certificate from the server. Check your clock settings or contact your system administrator".

    Clock is the same... this is a HTC touch pro btw
    Monday, July 20, 2009 3:49 PM
  • Jacob

    On a mobile 6.1 phone you can see what Certificate vendors are trusted. You may need to add the vendor of your certificate to the trusted root store on the phone. Can you tell me the company that issued the phone?
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Monday, July 20, 2009 5:53 PM
  • Alltel did.. let me look at the certificates.. I imported it and it said it was successful.. let me check

    I looked, doesn't seem to be a "Trusted or untrusted". Just seems like if they are in there they are trusted, if not, then they aren't.
    It put all 3 of them in the Intermediate. I have Personal, Intermediate, and Root.

    One is the Verisign Trust Network (Expires 3/24/19)
    Verisign Class 3 Secure Server CA - G2 (Expires 7/16/12)
    Verisign Class 3 Secure Server CA - G2 (Expires 7/16/12)

    The class 3 are for my edge servers.
    access.adem.arkansas.gov
    and
    conference.adem.arkansas.gov
    Monday, July 20, 2009 5:56 PM
  • Now these are not SAN certificates. They are only for access and conference @ adem.arkansas.gov. So using SIP.adem.arkansas.gov won't work.

    The mobile phones use the SRV records right?
    Monday, July 20, 2009 6:10 PM
  • Yes, the mobile phone should have automatic configuration capability using the SRV record. So I would set the server manually on the phone as a test. Be sure you put the full sip.adem.arkansas.gov:443

    Try that; if it does not work, let us know. If it does work, do the same so we can offer other suggestions to review your deployment.

    thanks
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Tuesday, July 21, 2009 2:01 AM
  • I did try the manual config with no luck. Same error, but I used access.adem.Arkansas.gov and not sip since my verisign certificate isn't a SAN certificate. Same error...

    Do I have to use SIP? That would be using the A Host record. It won't work because of the type of certificate we bought.....
    our SRV record is for access.adem.arkansas.gov (Edge server).

    When manually setting that (access.adem.arkansas.gov:443) I still get the same exact error.
    Tuesday, July 21, 2009 3:38 PM
  • Is there a problem with communicator mobile?

    http://msgoodies.blogspot.com/2007/01/office-communicator-mobile-and.html

    Something I was trying to research and seems others have problems with it as well.
    Wednesday, July 22, 2009 2:22 AM
  • So it really depends on who you purchased the certificate from. And how they issued it. The Mobile MOC client and the Tanjay's have some limitations for public certificates in general.

    I have deployed a number of ocs edge servers and as long as you use one of the approved UC providers from MS I have very rarely had a problem.
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Wednesday, July 22, 2009 8:47 PM
  • I am using Verisign's Standard Certificate(Secure Site)

    I figured if anyone's was trusted it would be Verisign?

    • Edited by Jacob Dixon Wednesday, July 22, 2009 11:05 PM
    Wednesday, July 22, 2009 10:58 PM
  • DNS resolves 'access.adem.arkansas.gov' to 170.94.72.210

    SSL certificate

    Subject = access.adem.arkansas.gov

    Issuer = VeriSign Class 3 Secure Server CA - G2

    Serial Number = 74829E92F42EE3F81C6478380BAF0CDC

    Key size = 2048 bit

    Signature algorithm = SHA1+RSA (good)

    This certificate does not use a vulnerable Debian key (this is good)

    SSL Certificate expiration

    The certificate expires 16/Jul/2012, 1090 days from today.

    Certificate Name matches access.adem.arkansas.gov
    Subject access.adem.arkansas.gov
    Valid from 17/Jul/2009 to 16/Jul/2012.
    Issuer VeriSign Class 3 Secure Server CA - G2
     
    Subject VeriSign Class 3 Secure Server CA - G2
    Valid from 25/Mar/2009 to 24/Mar/2019.
    Issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network

    Wednesday, July 22, 2009 11:05 PM
  • Well, Verisign is not one of the UC cert providers. http://support.microsoft.com/default.aspx/kb/929395 However, not many people follow this. I will point out that your certificate is using a 2048 key and I have had problems with that and have had to reissue the certificate to a 1024 key.

    But not sure if that will fix your issue or not, but may be worth a try.
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Thursday, July 23, 2009 1:06 AM
  • Oh wow.. I didn't know that....

    I am setting up an ISA 2006 server since Communications Server needs it for some things. Should I not use a Verisign certificate?
    Thursday, July 23, 2009 1:24 AM
  • Ok, I am trying to buy one 3 year UCC certificate from digicert to cover OCS 2007 R2 and Exchange 2007. They assure me this will work. I will post once I do this.
    Thursday, July 23, 2009 2:37 AM
  • Not sure on the ISA server. I have always used Digicert; it saves me some time in the long run. Just be sure the cert is using a 1024 key.
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Thursday, July 23, 2009 3:50 AM
  • I have put in a PO for digicert certificate that covers OCS and Exchange.

    They seem to be a much better choice (and cheaper)

    Thursday, July 30, 2009 12:58 AM
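
Three of the checks a TLS client applies before it accepts a server certificate (name match, validity window against the device clock, and a chain ending in its Root store), run against the values from the certificate report posted in the thread. This is an added example, not code from the thread; the function names, the shortened root name and the device state passed in are assumptions.

```python
from datetime import date

# Values copied from the certificate report posted in the thread.
LEAF_NAMES = ["access.adem.arkansas.gov"]   # subject only; the thread says no SAN
VALID = (date(2009, 7, 17), date(2012, 7, 16))
CHAIN = [  # (subject, issuer), leaf first; root issuer shortened to its OU (assumption)
    ("access.adem.arkansas.gov", "VeriSign Class 3 Secure Server CA - G2"),
    ("VeriSign Class 3 Secure Server CA - G2",
     "Class 3 Public Primary Certification Authority - G2"),
]

def name_matches(host, cert_names):
    """Case-insensitive exact match, or a wildcard covering one leftmost label."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def anchored(chain, root_store):
    """True if every issuer link is present and the top issuer is a trusted root."""
    links_ok = all(cert[1] == parent[0] for cert, parent in zip(chain, chain[1:]))
    return links_ok and chain[-1][1] in root_store

def diagnose(host, device_date, root_store):
    """Return the reasons a client would refuse the posted certificate."""
    findings = []
    if not name_matches(host, LEAF_NAMES):
        findings.append("name: %s is not covered by %s" % (host, LEAF_NAMES))
    if not VALID[0] <= device_date <= VALID[1]:
        findings.append("clock: %s is outside %s to %s" % (device_date, *VALID))
    if not anchored(CHAIN, root_store):
        findings.append("trust: '%s' is not in the Root store" % CHAIN[-1][1])
    return findings

if __name__ == "__main__":
    # Constructed device state: empty Root store, clock reset to a default date.
    for line in diagnose("sip.adem.arkansas.gov", date(2009, 1, 1), set()):
        print(line)
```

A certificate placed only in a device's Intermediate store does not count as a trust anchor, so `root_store` should hold only what the Root store lists.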