New Contributor
GenericNickname
Posts: 3
Registered: ‎03-06-2013
My Device: Developer
My Carrier: Many providers
Accepted Solution

Certificate problem for custom MDS content filter

Hello,

We have a custom content filtering application that we have deployed to regular computers without any problems, but that seems to be having issues working with BlackBerry devices. We have enabled the MDS service in order to redirect all the browser traffic through the BES (5.0.4), and have installed our application on the server.

 

The users can get access, and the filtering works properly, with the following caveat: HTTPS access shows errors for all websites. This is because our application intercepts HTTPS traffic and changes the certificate to one based on our own custom root CA certificate.

What we have tried:

Installed the root certificate into the server's keystore

Installed the root certificate into the Java keystore

Installed the root certificate into a device's keystore manually (by emailing it to the device)

 

Error messages we are receiving:

The server certificate chain is not valid before <current date>

Stale Chain Status

Unknown Chain Status

Apparently, we aren't allowed to contact support without laying out $20k for a whole year, instead of paying upfront for one support call. Can any of you help me figure out why this error is happening, despite the fact that the root certificate has been installed on the server and the device, and HTTPS access works as expected on the server's browser?

 

Additional detail:

Our software grabs traffic using a Windows LSP (Layered Service Provider), instead of acting as a normal HTTP/HTTPS proxy. Certificates for each HTTPS website are created on the fly and cached for a while, and have an expiration date at least one year in the future. The "Valid From" date is the same moment that the certificate is created. Perhaps the BlackBerry browser would prefer that the "Valid From" date be farther into the past? No other browser has ever had any problems, though.


Re: Certificate problem for custom MDS content filter

No one has any ideas?

Re: Certificate problem for custom MDS content filter

Hello folks,

I thought I'd write in to tell everyone how we solved this problem.

We modified our custom internet filtering application to generate a certificate with a VALID FROM date that is 10 days in the past, instead of being the same date and time as when it was generated. This seems to have stopped the errors on our test devices.

We still really wish we had a way to push out a root certificate without requiring the users to muddle around with an email-attached certificate or clicking a link in a webpage.
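The backdating fix described in the last post, as an added example that is not part of the original thread or the poster's software: it uses Go's standard crypto/x509 to issue a leaf from a constructed root CA and validate it at a chosen client time. The 5-minute client clock lag, the host name example.test and the helper names mint and VerifyAt are assumptions for illustration; the thread does not establish why the devices rejected the certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint signs tmpl with the parent's key (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyAt builds a constructed root CA, issues a leaf for host at issuedAt with NotBefore
// moved back by backdate, and validates it as a client whose clock reads clientNow.
func VerifyAt(host string, issuedAt time.Time, backdate time.Duration, clientNow time.Time) error {
	ca, caKey := mint(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Constructed Filter Root CA"},
		NotBefore: issuedAt.AddDate(-1, 0, 0), NotAfter: issuedAt.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ := mint(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:   pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: issuedAt.Add(-backdate), NotAfter: issuedAt.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: clientNow})
	return err
}

func main() {
	now := time.Now()
	device := now.Add(-5 * time.Minute) // assumed: client clock 5 minutes behind the issuing server
	fmt.Println("NotBefore = issue time:  ", VerifyAt("example.test", now, 0, device))
	fmt.Println("NotBefore = 10 days back:", VerifyAt("example.test", now, 10*24*time.Hour, device))
}
```

Backdating tolerates only as much client clock lag as the chosen interval; a client further behind than that still sees the leaf as not yet valid.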