Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

BlackBerry® Enterprise Service 10

Reply
Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10
Accepted Solution

Blackberry Device Service. Z10 Activation questions. Certificate warning: This email provider may not be thrustworthy

Hi together,

 

I could successfull install BDS and also could Activate a Z10 with ActiveSync via Email-Profile.

 

The only thing which is not working is that the device brings during activation the following warning:

 

Provider Identity not verifiable

This email provider may not be thrustworthy.
Personal information may not be protected.

This certificate is not trusted.

This certificate can: authenticate a server.
This certificate authenticates the following domains: cas-server.xxx.local

 

After tapping "OK" sending and receiving of messages on device is working fine.

 

It seems that the device is not trusting the certificate which is deployed to the device during activation (important NO SCEP Profile is configured yet on BDS).

 

Does anybody know, how I can get rid of this warning? Do I have to create a SCEP profile? How can I configure BDS so that device is trusting to certificate?

 

Thanks and regards,

Hape

 

Contributor
sambika
Posts: 36
Registered: ‎10-22-2012
My Device: 9900

Re: Blackberry Device Service. Z10 Activation questions. Certificate warning: This email provider may not be thrustworthy

Hi there,

 

i think that problem occur because you have a self signed certificate on your exchange server. I get the same message on my system. No worries thats not a real security issue.

Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10

Re: Blackberry Device Service. Z10 Activation questions. Certificate warning: This email provider may not be thrustworthy

Hi sambika,

 

thanks for response.

Exactly, this is a self signed certificate. I know that this is not a security issue, but I would get rid of it.

 

I think, I have somehow to deploy the Root Certificate to the device. With the Root certificate it would (this is how I think) trusted.

 

Found in the Admin Guide following:

 

Admin Guide BDS Page 144

 

"Sending certificates to devices

You might need to distribute root certificates to BlackBerry devices if the devices use certificate-based authentication to connect to a network or server in your organization’s environment (for example, to connect to a web server using SSL). If your work Wi-Fi network or VPN use certificate-based authentication, you might also need to distribute server certificates to devices to allow devices to connect to your work Wi-Fi network or VPN"

 

Further it says:

 

"You can send certificates to every device that is managed by the BlackBerry Device Service by copying the certificates into the Certificate folder in the shared network folder for applications."

 

But I can't find a folder called "certificates". What does this mean? Do I need to create an application?

 

Thanks,

Hape

 

Contributor
anzoro
Posts: 46
Registered: ‎04-19-2010
My Device: BB Playbook, BB Torch 9800, BB Z10, iPhone5

Re: Blackberry Device Service. Z10 Activation questions. Certificate warning: This email provider may not be thrustworthy

Try this:

In Blackberry Solution topology - Component view - Blackberry Administration Service configure a "BAS shared net work drive" for example " \\ BESSERVER10 \ BASShare ".

BAS will create its needed subfolders like Certificates.

Now download your CA Root Certificate e.g. as .cer or .pem file and copy it into " \\ BESSERVER10 \ BASShare \ Shared \ Certificates ".

Now the certificate will be pushed to all Playbooks, Z10s.

Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10

Re: Blackberry Device Service. Z10 Activation questions. Certificate warning: This email provider may not be thrustworthy

Anzaro, you did it man :-)

 

I already created the path in the BASShare but searched for the folders before I created the path.

 

Your tip with:

 

"BAS will create its needed subfolders like Certificates."

 

Was very good :-)

 

Thank you very much.

 

Now it is working.

 

New Developer
NdotIndia
Posts: 38
Registered: ‎04-02-2012
My Device: blackberry bold 9900 ( I am a blackberry application developer)

Re: Blackberry Device Service. Z10 Activation questions. Certificate warning: This email provider may not be thrustworthy

Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10

Re: Blackberry Device Service. Z10 Activation questions. Certificate warning: This email provider may not be thrustworthy

NdotIndia,

 

no problem occured. I have put the root certificate which was assigned by our CA.

With the root certificate, the Exchange CAS certificate was trusted and the warning (on device) did not ouccur anymore.

 

The only thing is, that I have to replace the certificate every time it is exceeded. Therefore a SCEP server would be a better solution I think. As far as I know the SCEP server/service replaces the certificates automatically.

 

But for the moment I can live with this solution.

 

Regards,

hape

Developer
BastianW
Posts: 52
Registered: ‎04-04-2008
My Device: BlackBerry

Re: Blackberry Device Service. Z10 Activation questions. Certificate warning: This email provider may not be thrustworthy

I have exactly the same issue here. So can you please answer the following questions:

 

1.)

In which folder did you placed the certificate? I see Enterprise, VPN, WIFI and WWW.

 

2.)

Which format did you have used for the certificate? "DER encoded binary" or "base-64 encoded" or something else?

 

3.)

Which filename and extension have you used?

 

4. [optional question])

How can I check on the device if the certificate was pushed correctly?

Bastian W.
Regular Contributor
dq72
Posts: 84
Registered: ‎05-14-2009
My Device: Z30
My Carrier: Bell

Re: Blackberry Device Service. Z10 Activation questions. Certificate warning: This email provider may not be thrustworthy

Has anyone got this to work with BES 10.1 or higher?

Following this Article ID: KB33797 I've done the following:

 From one of our CAS servers I exported the DER encoded x.509 cert for our internal CA, as well as the cert for our cas array and placed them in the ...shared\certificates\enterprise folder. They successfully push down to the devices, but when activating they still prompt with the 'email provider...' warning.

 

 The KB states "...ensure that the Active Sync server name listed in the Email Profile for BlackBerry Enterprise Service 10 is included in the Subject Alternative Name list in the certificate." This is correct and included as well in the certificate as a SAN in the cas array cert.

 

I'm wondering, is it because it's set as the cas array name, rather than an individual server name?

Just grasping at straws here. Any ideas?

BES 5.0.4
BES 10.2
Exchange 2010
SQL2008R2