[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Geotrust and android users



I just got it working here.  I put the info I used to get it to work in the rather outdated wiki article, so now it's not so outdated.  The link to it is in the forum post here...

http://www.zimbra.com/forums/administrators/44675-new-geotrust-ssl-certificates-android-users-2.html#post204259

Matt


----- Original Message -----
From: "James M. Cook" <jmcook1@mail.plymouth.edu>
To: zimbra-hied-admins@sfu.ca
Sent: Monday, December 13, 2010 12:27:10 PM
Subject: Re: Geotrust and android users

We recently ran into this type of problem with our new Thawte cert. Thawte had changed the cert chain this past summer when switching to a 2048 root cert.

I ended up working with Zimbra support to try and figure out what the correct chain should be. It appears that most browsers & OSes would look at the mail server cert and follow the chain correctly. Android phones and Mac OS would not. Android doesn't have the newer CA certs installed and Mac OS looks at the entire cert chain handed out by the mail server. Mac OS was easily fixed by removing an extra cert we had accidentally included in the chain.

Android is actually more difficult. We did find a website that explains how to install new certs on Android (http://www.realmb.com/droidCert/) but we have been unable to get this to work. HTC phones are particularly problematic as HTC has apparently modified the stock mail client so adding a new cert for imaps is impossible due to a bug. We've been unable to find a user who is willing to wipe their phone to see if restarting from scratch will allow us to install the correct certs. Oddly enough, Active Sync users are simply prompted to accept the new cert and imaps works for them as well.

I'm not sure if any of this helps but if you think it might help I can take a look at the notes from our support case.

James


----- Original Message -----
From: "Steve Elliott" <selliott@kennesaw.edu>
To: zimbra-hied-admins@sfu.ca
Sent: Monday, December 13, 2010 1:02:18 PM
Subject: Geotrust and android users


Upgraded our certs on our zimbra 5.0.24 system and immediately Android users and Zimbra Desktop began showing SSL warning messages on the new certificates. This error does not happen with the webclient, blackberry, iPhones and a couple of others. 

Geotrust offers a crossroot CA but when performing a zmcertmgr verifycrt the certificate will not verify. 
Using their normal CA it does verify. 

Does anyone know how to incorporate this Crossroot CA? 

This problem has been also reported by other zimbra using sites that use verisign and few others. Could not find any solutions online. Meaning the problem is the CA's that Android/Zimbra Desktop has built into its unit (my theory). 

Thank you, 
Steve