Monday, January 22, 2007

Office Communicator Mobile and Certificate chains

If you plan on deploying Access Proxies for external access to Office Communicator, and maybe Office Communicator Mobile, then you should be aware of a certificate issue (a.k.a. design flaw) in Communicator Mobile.

The problem is that CoMo isn't able to use intermediate certs by following certificate chains correctly. If you have a certificate issued directly by e.g. GlobalSign Root CA, then there's no problem. But if your certificate (like ours) has the following chain:

- GlobalSign Root CA
- GlobalSign Partners CA
- TDC Internet Root CA
- TDC SSL Server CA

then there's a problem (as opposed to ActiveSync on Windows Mobile, which works perfectly fine with the above certificates).

The solution is to either disable CRL checks in the registry (not "nice") using one of the many registry tools like regeditSTG, or to load the entire chain onto the Windows Mobile device. The latter can be done using e.g. sslchainsaver and its ability to create xml files that can be cab'ed (follow the articles in the posting).
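A sketch of the second option, as an added example that is not from the original post or from sslchainsaver: it builds a provisioning XML that puts the root in the device's ROOT store and every intermediate in the CA store, so the device holds the whole chain. It assumes the Windows Mobile CertificateStore provisioning layout (entries keyed by SHA-1 thumbprint with an `EncodedCertificate` parm); the function names and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]

def thumbprint(der):
    """SHA-1 over the DER encoding: the thumbprint Windows shows for a cert.
    Assumption: the provisioning format keys each store entry by this value."""
    return hashlib.sha1(der).hexdigest().upper()

def build_provisioning_xml(root_pem, intermediates_pem):
    """Build the provisioning document: root -> ROOT store, rest -> CA store."""
    doc = ET.Element("wap-provisioningdoc")
    store = ET.SubElement(doc, "characteristic", type="CertificateStore")
    for store_name, pem in (("ROOT", root_pem), ("CA", intermediates_pem)):
        ders = pem_to_der(pem)
        if not ders:
            # An empty store here means the chain on the device stays broken.
            raise ValueError(f"no certificate found for store {store_name}")
        node = ET.SubElement(store, "characteristic", type=store_name)
        for der in ders:
            entry = ET.SubElement(node, "characteristic", type=thumbprint(der))
            ET.SubElement(entry, "parm", name="EncodedCertificate",
                          value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")

def fake_pem(label):
    """Constructed placeholder bytes in PEM armour, NOT a real certificate."""
    body = base64.b64encode(b"constructed-placeholder-" + label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample input: one root and three intermediates, as in the chain above.
SAMPLE_ROOT = fake_pem(b"root")
SAMPLE_INTERMEDIATES = "".join(
    fake_pem(b"intermediate-%d" % i) for i in (1, 2, 3))

if __name__ == "__main__":
    print(build_provisioning_xml(SAMPLE_ROOT, SAMPLE_INTERMEDIATES))
```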

According to my sources the issue will be fixed in CoMo 2.0 which supposedly is a post OCS 2007 release.
