03-06-2013 05:17 PM - edited 03-06-2013 05:19 PM
We have a custom content filtering application that we have deployed to regular computers without any problems, but that seems to be having issues working with BlackBerry devices. We have enabled the MDS service in order to redirect all the browser traffic through the BES (5.0.4), and have installed our application on the server.
The users can get access, and the filtering works properly, with the following caveat: HTTPS access shows errors for all websites. This is because our application intercepts HTTPS traffic and changes the certificate to one based on our own custom root CA certificate.
What we have tried:
Installed the root certificate into the server's keystore
Installed the root certificate into the Java keystore
Installed the root certificate into a device's keystore manually (by emailing it to the device)
Error messages we are receiving:
The server certificate chain is not valid before <current date>
Stale Chain Status
Unknown Chain Status
Apparently, we aren't allowed to contact support without laying out $20k for a whole year, instead of paying upfront for one support call. Can any of you help me figure out why this error is happening, despite the fact that the root certificate has been installed on the server and the device, and HTTPS access works as expected on the server's browser?
Our software grabs traffic using a Windows LSP (Layered Service Provider), instead of acting as a normal HTTP/HTTPS proxy. Certificates for each HTTPS website are created on the fly and cached for a while, and have an expiration date at least one year in the future. The "Valid From" date is the same moment that the certificate is created. Perhaps the BlackBerry browser would prefer that the "Valid From" date be farther into the past? No other browser has ever had any problems, though.
03-28-2013 01:12 PM
I thought I'd write in to tell everyone how we solved this problem.
We modified our custom internet filtering application to generate a certificate with a VALID FROM date that is 10 days in the past, instead of being the same date and time as when it was generated. This seems to have stopped the errors on our test devices.
We still really wish we had a way to push out a root certificate without requiring the users to muddle around with an email-attached certificate or clicking a link in a webpage.
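The fix described in the post above, as an added example (not the poster's code or the filtering product's): Go's standard `crypto/x509` issues a leaf from a constructed root CA and verifies it against a client clock, once with `NotBefore` set to the moment of issuance and once backdated 10 days. It assumes the device clock runs a few minutes behind the issuing server, which the thread does not confirm; the CA name, host name and the `VerifyOnDevice` helper are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with the CA key and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub any, caKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))))
}

// VerifyOnDevice issues a leaf with NotBefore = now-backdate and verifies it as a client whose clock reads deviceTime.
func VerifyOnDevice(host string, backdate time.Duration, deviceTime time.Time) error {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{ // constructed stand-in for the filter's root CA
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Filter Root"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(5, 0, 0), KeyUsage: x509.KeyUsageCertSign,
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-backdate), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: deviceTime})
	return err
}

func main() {
	slow := time.Now().Add(-5 * time.Minute) // constructed: device clock 5 minutes behind the server
	fmt.Println(VerifyOnDevice("example.test", 0, slow), VerifyOnDevice("example.test", 240*time.Hour, slow))
}
```

The first result is Go's "certificate has expired or is not yet valid" error even though the root is trusted; the backdated certificate verifies with a nil error on the same clock.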