03-08-2013 06:51 AM
I could successfull install BDS and also could Activate a Z10 with ActiveSync via Email-Profile.
The only thing which is not working is that the device brings during activation the following warning:
Provider Identity not verifiable
This email provider may not be thrustworthy.
Personal information may not be protected.
This certificate is not trusted.
This certificate can: authenticate a server.
This certificate authenticates the following domains: cas-server.xxx.local
After tapping "OK" sending and receiving of messages on device is working fine.
It seems that the device is not trusting the certificate which is deployed to the device during activation (important NO SCEP Profile is configured yet on BDS).
Does anybody know, how I can get rid of this warning? Do I have to create a SCEP profile? How can I configure BDS so that device is trusting to certificate?
Thanks and regards,
Solved! Go to Solution.
03-08-2013 09:15 AM
i think that problem occur because you have a self signed certificate on your exchange server. I get the same message on my system. No worries thats not a real security issue.
03-08-2013 09:33 AM
thanks for response.
Exactly, this is a self signed certificate. I know that this is not a security issue, but I would get rid of it.
I think, I have somehow to deploy the Root Certificate to the device. With the Root certificate it would (this is how I think) trusted.
Found in the Admin Guide following:
Admin Guide BDS Page 144
"Sending certificates to devices
You might need to distribute root certificates to BlackBerry devices if the devices use certificate-based authentication to connect to a network or server in your organization’s environment (for example, to connect to a web server using SSL). If your work Wi-Fi network or VPN use certificate-based authentication, you might also need to distribute server certificates to devices to allow devices to connect to your work Wi-Fi network or VPN"
Further it says:
"You can send certificates to every device that is managed by the BlackBerry Device Service by copying the certificates into the Certificate folder in the shared network folder for applications."
But I can't find a folder called "certificates". What does this mean? Do I need to create an application?
03-08-2013 10:22 AM
In Blackberry Solution topology - Component view - Blackberry Administration Service configure a "BAS shared net work drive" for example " \\ BESSERVER10 \ BASShare ".
BAS will create its needed subfolders like Certificates.
Now download your CA Root Certificate e.g. as .cer or .pem file and copy it into " \\ BESSERVER10 \ BASShare \ Shared \ Certificates ".
Now the certificate will be pushed to all Playbooks, Z10s.
03-08-2013 11:33 AM
Anzaro, you did it man :-)
I already created the path in the BASShare but searched for the folders before I created the path.
Your tip with:
"BAS will create its needed subfolders like Certificates."
Was very good :-)
Thank you very much.
Now it is working.
03-11-2013 02:37 AM
03-11-2013 04:47 AM
no problem occured. I have put the root certificate which was assigned by our CA.
With the root certificate, the Exchange CAS certificate was trusted and the warning (on device) did not ouccur anymore.
The only thing is, that I have to replace the certificate every time it is exceeded. Therefore a SCEP server would be a better solution I think. As far as I know the SCEP server/service replaces the certificates automatically.
But for the moment I can live with this solution.
09-19-2013 11:01 AM
I have exactly the same issue here. So can you please answer the following questions:
In which folder did you placed the certificate? I see Enterprise, VPN, WIFI and WWW.
Which format did you have used for the certificate? "DER encoded binary" or "base-64 encoded" or something else?
Which filename and extension have you used?
4. [optional question])
How can I check on the device if the certificate was pushed correctly?
a month ago
Has anyone got this to work with BES 10.1 or higher?
Following this Article ID: KB33797 I've done the following:
From one of our CAS servers I exported the DER encoded x.509 cert for our internal CA, as well as the cert for our cas array and placed them in the ...shared\certificates\enterprise folder. They successfully push down to the devices, but when activating they still prompt with the 'email provider...' warning.
The KB states "...ensure that the Active Sync server name listed in the Email Profile for BlackBerry Enterprise Service 10 is included in the Subject Alternative Name list in the certificate." This is correct and included as well in the certificate as a SAN in the cas array cert.
I'm wondering, is it because it's set as the cas array name, rather than an individual server name?
Just grasping at straws here. Any ideas?