How to Add the SBS 2011 Standard Trusted Root Certificate to Windows Phone 7

[Today's post comes to us courtesy of Damian Leibaschoff from Commercial Technical Support]

As you all know, a successful synchronization from a mobile device using SSL requires that the device trusts the certificate installed in SBS. If we are using the self-issued certificate that is automatically generated when the Internet Address Management Wizard is completed then we will need to complete steps in the phone to get the root certificate properly installed so it can trust the self-issued certificate on the server, this is not required if using a third party trusted certificate from a well-known public certification authority and this is the recommended solution for SBS.

If we must use a self-issued certificate, there are multiple ways to accomplish the same end result of getting the device to trust it. Our goal is to get the certificate from \\server\public\downloads\Certificate Distribution Package\SBSCertificate.cer into the phone so we can install it.

With Windows Phone 7 you could attach the file as part of an email sent to a Windows Live (@hotmail.com for example) account that is already configured and synching on the phone, once the e-mail is received by the phone, you can install the cert by just tapping on the attachment.

You can also get to the certificate directly from the phone using Internet Explorer. For this, you can follow these steps:

  1. On the server, copy C:\Users\Public\Downloads\Certificate Distribution Package\SBSCertificate.cer to C:\inetpub\wwwroot\SBSCertificate.p7b (Note the extension name change.

  2. Open Internet Explorer on the Windows Phone 7 device.

  3. Confirm that you have Internet access. If you do, browse to the following URL (replace the host name in the example (remote.contoso.com) with the correct public FQDN/IP for your server) for example: https://remote.contoso.com/SBSCertificate.p7b.

  4. Once the file download completes, tap to open the file.

    clip_image002

  5. Proceed to tap install to complete the installation.

    clip_image004

  6. The confirmation page should look like this:

    clip_image006

  7. Reboot the phone and try accessing other sites hosted by your SBS server from your phone to confirm there are no certificate warnings (e.g.: /owa). Remember, the certificate issuer has to be trusted, the host name has to match and the certificate validity dates should be within the correct range.

Comments

  • Anonymous
    March 26, 2011
    When the iPhone syncs with Exchange Activesync, it causes the iPhone to lock and require a code to unlock.  This feature is controlled by Exchange and cannot be changed on the iPhone.  I believe the setting may be modified if I can get the self-signed certificate on the phone.  I am seeing a lot of guidance anywhere on this.  Can you help?

  • Anonymous
    June 11, 2014
    Pingback from Windows Phone Download Certificate