12-30-2013 03:09 AM - edited 12-30-2013 03:14 AM
I have a Z30. Over the past 2 weeks, I have been trying to get the device to consider my personal/business intranet site to be trusted. This has a self-signed CA, an intermediate and a site cert (a chain of 3); this configuration has been working well across multiple devices for 18 months.
I have successfully imported the CA. The CA cert is marked trusted. It also indicates the certificate is valid.
I have successfully imported the intermediate. The intermediate does not provide any mechanism to mark it as trusted, but I would presume it inherits this status from the custom CA that is above it in the cert chain, which is marked as trusted. It also indicates the certificate is valid (implying the Z30 has checked it in every other way possible).
This means both certificates are visible from the Settings -> Security & Privacy -> Certificates area and show up with the appropriate filter, "Authorities" (for the CA) and "Others" (for the intermediate).
The web server provides both certificates to each client ("the website cert", and the immediate parent, "the intermediate"). It is expected the root CA.
All certificates are 10+ years long and do not expire for another 8+ years.
The certs have been used successfully on a number of other devices over the past 18 months, i.e. both mobile and desktop, Windows and Linux. This confirms things should work, as they work on at least 2 other devices I also use the website with right now.
My device is a standalone device, with no association to BIS/BES or any enterprise.
The problem is that when browsing to the website I get a red marker in the URL box all the time, and I have to provide a security exception to allow the content to be viewed. I am expecting to remove the security exception so that the installed CA and cert chain is utilised as trusted.
From the BB10 browser's point of view the certificate is not trusted, even though the device has the cert listed as trusted. This is using the "Site Info" option from the browser, where I get "This site may not be trustworthy".
The certificate purpose field is shown for each cert; I am not aware of any purpose restriction in place inside the certificate data. All certs have "Authenticate a server" listed as well as at least 5 other purposes.
Similar sounding issues:
12-30-2013 12:51 PM - edited 12-30-2013 01:08 PM
Possibly related posting http://supportforums.blackberry.com/t5/BlackBerry-
Where might the manual be for the Settings -> Certificate options "Restrict to VPN" and "Restrict to Wi-Fi"?
I have taken (my guessed) meaning to be that the certificate is to be used to authenticate the remote part concerning:
* Enterprise Access Points (for WiFi)
* The remote VPN endpoint (for VPN)
But when these settings are left unticked, the certificate use on the Z30 device shall be for web browser with HTTPS.
Updated: starting here helps http://docs.blackberry.com/en/smartphone_users/cat
12-10-2014 11:45 AM
This issue is still not solved; someone from the support staff should forward it to the devs at BB. It's not good that I can't even validate a website.