I have a Comodo Personal email certificate, which I use for signing and encrypting emails using the S/MIME protocol, over MS Exchange.
The Samsung stock Email application supposedly allows the use of such certificates natively. However I am running into problems when I attempt to install my key.
I'm using a PFX file exported from Windows Certificate Manager. When I generate the file using the standard wizard, I have the option of exporting my key and user certificate either with or without the other certificates in the chain of trust.
The complete certificate chain, by the way, is as follows: Private key/Personal Cert --> Intermediate CA (Comodo SHA256 Client Authentication and Secure Email CA) --> Root CA (AddTrust External CA)
When I omit the other certificates in the signing chain when exporting, the PFX just installs my key and my user cert in credential storage. But then everytime I use it to sign or encrypt something in the Email app, I get a nag from the Email app warning me that it could not validate my credentials. That is, Samsung Email app is unable to verify my cert's trust unless the intermediate CA is provided to it.
But frustratingly, when export the PFX file so that it includes the intermediate and root CA's in the chain and install, Android places the Intermediate CA in User folder in the keystore, and treats it as a root CA. That is to say, instead of inheriting trust from the AddTrust Root CA (which is in the default keystore) Android assigns trust to the intermediate CA *explicitly*. And so, despite the fact it's a valid certificate signed by a trusted root authority in the default keystore, Android gives me nearly constant nags about my phone being "monitored by a 3rd party" until I delete the intermediate CA from User Trust. Which of course, breaks the Samsung Email app's ability to verify the certificate chain and yields a nag everytime I send an email.
Anyone else encounter this issue/know of a solution?
It seems to me that you're confusing Public/Private keys as required for S/Mime and certificates.
You do not install the S/Mime certificates and its keys using the certificate wizard/manager, this only import the certificate and not the keys.
Related
All need some help. I'm trying to utilize the Push Mail technology. I have set up to sync with an exchange server correctly, however within our company we use certificates to authenticate. So I expported my certificate and imported it into my 8125. When I go to look at my certs in my 8125 I see that it imported successfully. Now when I try to sync it asks for the password and it comes back with an error code of 0x85030028 (cannot obtain a valid cert). Now if I use my PIE and go to the OWA which utilizes the cert as well it sees it and authenticates just fine. For some reason activesync isn't seeing it. Any ideas how to fix?
Geno
From what I know, you can't use certificates with Push email. You have to setup a new virtual site on the server running OWA called it Exchange-PPC or something and have it set for Intergrated Authentication, then you would configure your device to hit the new site like http://www.site.com/exchange/username or something like that.
There's a little more than just setting up the site, some registry changes, check Microsofts site for the error number, you'll find a KB document explaining how to setup the Virtual Site for syncing with your device.
I have an 8125 and when I go to Start-->Settings-->System-->Certificates-->Root, I do not see Verisign in the list of trusted root certs. Is it just me or can anyone else with a Cingular 8125 confirm that they do not have Verisign listed in their trusted root certs? I list Thawte, GTE, and several other but no Verisign.
I am trying to authenticate with my corporate wifi using PEAP and keep getting an error - Cannot log on to the wireless network. This network requires a personal certificate to positively identify you. I get prompted for a username, password and domain and then it returns the error - The server certificate is issued by an unknown authority and since I purchased a Verisign WLAN cert, that is what lead me to check the root certs on the 8125 - no Verisign is listed.
Just need someone to confirm their Cingular root cert settings.
Thanks
Running the new ROM, not on my box either.
It appears that Class 3 Public Primary Certification Authority (VeriSign, Inc.) is the Verisign one. I Wonder why it doesnt work.
We are running off a 2003 server. We do have webmail access. However, apparently we are using a personal security certificate. I can set up the activesync connection, but it never syncs.
I need step by step instructions on what I need to do, how to get the certificate off the server, import to my device, etc. HELP!
Assume I know nothing about exchange, certificates, etc - cause I don't!
Exchange 2003
Have you resolved this yet? I have had extensive research on this subject. My first Q: Do you have exchange setup on laptop or desktop?
You need to install your private certificate authority as a trusted root certificate authority on your device. The following link talk about how to do this.
http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx
You can also disable the certificate checking. The communication would still be encrypted, but if you ever accessed another site where the certifcate was invalid you would not be warned, so this solution is much less secure and therefore not recommended.
http://winzenz.blogspot.com/2006/03/hacking-your-windows-mobile-50.html
I noticed something interesting today. I changed the certificate for my mail server from z.net to a.com (moving domains - long story). The mail server that is listed in the email client (using built in email client - not the gmail app - with ActiveSync) is z.net - however the email client is not complaining that the host in the SSL certificate does not match the server name. Which had me thinking - so I installed "Packet Capture" and started to capture (and did NOT install the generated certificate into the trust store - which makes the certificate an untrusted self-signed certificate which could be used in a MITM attack). Android email happily connected and checked for email. Opened up the browser to browse the webmail and it complained that the certificate is not trusted (as it should).
I'm not an expert of ActiveSync by any stretch but is this a "feature" of ActiveSync? To ignore SSL verification???? I also use Outlook 2016 and it did prompt about the certificate mismatch.
I fired up an old phone that was using activesync with the gmail app and while it did not seem to update - it also did not show any certificate mismatch errors. Outlook for Android also seems to ignore the certificate mismatch.
Am I missing something really obvious?
(This could be a wider Android issue - but I found this issue specifically on my V20)
Hey all,
So I just set up a VPN server on my OPNsense firewall. I want to connect to it using my Android 9 phone with Lineage 16.0-20190725 using IPSec Xauth RSA.
Importing the CA certificate works great, but when I import the VPN client certificate it doesn't work the way it should. I don't get an error or anything, but the certificate is not in the list of possible "IPsec user certificate" in the VPN settings. It is, however, in the list of "IPsec server certificate" in the VPN settings. I double checked the OPNsense settings, and I can see that the certificate is clearly marked as a client certificate, not a server certificate. This suggests to me that android somehow does not realize that this certificate is a client/user certificate instead of a server certificate.
What can I do?
- Jaapyse