Go Daddy Root Certificate install problem

Discussion in 'Motorola Q' started by heddle, Apr 30, 2009.

  1. heddle

    heddle New Member

    Go Daddy Root Certificate install problem

    My company switched venders from Verisign to Go Daddy, which, of course, shut down me Outlook Exchange Web Access email to my Moto Q. I have tried every solution that has been told on every forum I can find, but it still doesn't work. There are three certificates, path nested, I need:
    Go Daddy Class 2 Certification Authority - root
    Go Daddy Secure Certification Authority - intermediate
    *.companyname.com - Intermediate(if manually assigned) Other/Personal(if auto assigned)

    I export all three, but, using the Sprint SpAddCert.exe program, only the first one will install because it is, in fact, the root certificate, but I still cant sync to my Exchange Server. The other two give me and invalid root certificate error. When I click on them directly, I get the "security permission was insuffiecient to update you device" error.

    Another person in my person in my company had the same problem with a WM5, non-Sprint, non-MotoQ phone and she could put the root certificate in the Root folder and the intermediate certificate in the Intermediate folder on her phone; and now it is working. I do not have these folders on my Q. Am I just SOL? I even tried the trick to convert the certificate to XML, them convert it to a CAB file and install on the phone through the cab, didn't like that either.

    Somebody please help!!!
  2. Q-Area51

    Q-Area51 Guest

    I think we are on the same page. Why can't you create the folders that you need and then copy the needed certs to them? :) -Q
  3. heddle

    heddle New Member

    re : install problem

    My phone doesn't recognize these folders as install locations. The SpAddCert.exe says to create a Storage folder, place the Certs there then run the program and choose which files to install, but only the root cert will install.
  4. Q-Area51

    Q-Area51 Guest

    I'm thinkin' it may be a WM 5.0 limitation. Sadly, you may not be able to resolve it. Perhaps someone with an activated Q will pop up with more help. :) -Q
  5. heddle

    heddle New Member

    install problem

    It is definitly not a WM5 problem because, as my post states, it works on a co-worker's phone with WM5, but it is non-Sprint, non-MotoQ, so implementation is different.
  6. Q-Area51

    Q-Area51 Guest

    Okee-Dokee. Can GoDaddy help? :) -Q
  7. trevorpauljohnson

    trevorpauljohnson New Member

    Wild Card Certificate

    My employer just updated the ssl security certificate for our domain. Our certificate used to be for www.example.com for our exchange server. Now it is *.example.com. Wild card certificates are new and not supported on Windows mobile 5.0. There is a work around if this is your case. They can update the certificate to use Subject Alternative Names (SANS). We use DigiCert here and this is what I found on their website: http://www.digicert.com/subject-alternative-name-compatibility.htm. I hope this helps.

    PS I am on Srint with the Q. I tried installing the certs too but it didn't work. Once IT update the cert to have SAN it worked fine.
  8. Q-Area51

    Q-Area51 Guest

    Thanks, man. At the outset I did believe it might have been a WM 5.0 glitch but what the heck would a 30+ year IT guy know. Got snapped off for that but it's all good now with your great info. New wrinkles - New irons, eh? :) Thanks again - great info fo all. :) -Q
  9. trevorpauljohnson

    trevorpauljohnson New Member

    I had a a Q with Verizon when they first came out and had ow problem syncing. (I am still with the same company). Got a Q again but now with Sprint about two months ago. Wroked fine. Then IT sent an email out so we could change our outlook settig on our desktop. It also mentioned they were updateing the cert. Then Monday morning.....ERROR! Frustrated the heck out of me. Stayed up all night two nights in a row trying to figure it out. Hard reset.....installed certs nothing worked. Then i stumbled onto this (after IT told me to EBAY my phone ad get one that works). WTF!!!! it worked last week!!!! Then i did some quick research on wild card certs and found the SAN. Asked IT to look at it and in 30 minutes it was working. Glad i didn't have to get rid of my Q.
  10. heddle

    heddle New Member

    Install problem

    Sorry Q-Area. The final result is that it is a WM5 limitation for a wildcard cert, but my postings here were not that far along in the issues I was having. I found a posting on this forum that someone had a utility to take the multiple certs and create an xml file, CAB it up, and install to the phone. It worked fine, but I started to get a new error about an IIS invalid Host Name which led me to find out that WM5 does not accept wildcard certs, but this error was not revealed until I solved the non-root certificate install issue.
  11. trevorpauljohnson

    trevorpauljohnson New Member

    This is exactly what my previous post stated. Eventhough WM5 is not compatible with wildcard certs, there is a workaround. Wildcard certs can utilize the Subject Alternative Name (SAN) on the wildcard cert to allow WM5 to work with the cert.

    From DigiCert.com:

    "There are three ways for browsers to find a match:
    1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
    2. The host name matches a wildcard common name. For example, www.example.com matches the common name *.example.com.
    3. The host name is listed in the Subject Alternative Name field.
    The most common form of SSL name matching is for the SSL client to compare the server name it connected to with the common name in the server's certificate. It's a safe bet that all SSL clients will support exact common name matching.
    If an SSL certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore the common name value and seek a match in the SAN list. This is why DigiCert always repeats the common name as the first SAN in our certificates.

    Windows Mobile 5 supports Subject Alternative Names, but it does not support wildcard matching (*.example.com). However, DigiCert wildcard certificates allow you to include SANs in your certificate as a workaround. "


    As for other certificate providers, i am not sure how they setup their wildcard certs.

Share This Page