Nokia E-Series with Self-Signed SSL Certificate

Revision as of 12:29, 30 March 2015 by Jorge de la Cruz (talk | contribs)


Note: This guide uses an E62 as an example, but should be applicable for the E51, E61, E65, and E90.

Scenario

  • This setup assumes you installed Zimbra with the default self-signed SSL Certificate
  • You want a secure connection to your Zimbra server via Mail for Exchange (the latest version is 1.3.1 as of this writing, which is what I tested this with)

Discussion

  • I tried all kinds of different ways to get the cert onto the E62 without resorting to putting it on the web server, but it was the only way to get it working. When I transferred via Bluetooth, I would always get Invalid File Format errors. Putting the cert on the web server and setting the MIME type is a solution I found via Google.
  • If you're using a commercial certificate from a "cheaper" SSL unblocker, e.g. www.rapidssl.com, download the ROOT certificate of that CA. It's not the cert itself (your server's) you need to download to your phone, it's the root certificate (the CA provider's root cert). I struggled with this for a long time.

Steps

  • Set up your CA certificate so your E62 can download it:
Log in to the Zimbra server and convert the CA certificate from .pem format to .der format (reference: [1]):
su - zimbra
cd /opt/zimbra/ssl/ssl/ca
openssl x509 -outform der -in ca.pem -out ca.der
cp /opt/zimbra/ssl/ssl/ca/ca.der /opt/zimbra/httpd/htdocs/
cd /opt/zimbra/httpd/htdocs
vi /opt/zimbra/httpd/conf/mime.types
(at the end of the file, add the following line)
application/x-x509-ca-cert  der
(as zimbra)
zmapachectl stop
zmapachectl start
(Is your firewall port 7780 opened? It needs to be to use this approach...)
  • I found the procedure above to work, but the directories in Zimbra 5.0 have changed a bit. This is how I was able to get the SSL certificate onto an E61i:
Log into server as root

cd /opt/zimbra/ssl/zimbra/ca
openssl x509 -in ca.pem -out ca.der -outform DER
cp /opt/zimbra/ssl/zimbra/ca/ca.der /opt/zimbra/httpd/htdocs/
cd /opt/zimbra/httpd/htdocs
vi /opt/zimbra/httpd/conf/mime.types

In 'mime.types', at the end of the file, or in alphabetical order (since the list in the file is in alphabetical order), add the following line:
application/x-x509-ca-cert	der

(The zmapachectl stop and start didn't work for me. I had to restart the server.)
  • Transfer Zimbra server CA to your E62:
With your E62, browse to http://yourzimbradomain.com:7780/ca.der
(you should be prompted to install the CA certificate)

Note: You can download the cert using port 7071, but the MIME type is not properly set there, so you will NOT be prompted to install the cert; hence use port 7780.
Ensure you check both checkboxes for the trust settings: Internet and Online Certificate Check.
  • Your CA certificate should now be on your phone.
You can verify that your CA was installed on your E62 by going to Settings > Config > Security > Certif Management and looking for your Zimbra CA.
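
Because the phone fetches ca.der over plain HTTP, it is worth confirming that the converted file really is the CA root and recording its fingerprint before trusting it. The following script is an added example, not part of the original guide: the function names are hypothetical, the CA it generates is constructed throwaway test data, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example. The CA generated in demo_throwaway_ca is constructed test data,
# not the Zimbra CA; point the functions at your own ca.pem / ca.der instead.

# Print a certificate's fingerprint. $1=file, $2=PEM|DER, $3=digest (default sha256).
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint "-${3:-sha256}" | cut -d= -f2
}

# Succeed only if the certificate is self-issued (subject name == issuer name),
# which is what a root CA looks like. A server certificate signed by a CA fails.
is_root_cert() {
    s=$(openssl x509 -in "$1" -inform "$2" -noout -subject_hash 2>/dev/null)
    i=$(openssl x509 -in "$1" -inform "$2" -noout -issuer_hash 2>/dev/null)
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Convert $1 (PEM) to $2 (DER), then confirm both files hold the same certificate.
pem_to_der_checked() {
    openssl x509 -in "$1" -inform PEM -out "$2" -outform DER || return 1
    a=$(cert_fingerprint "$1" PEM)
    b=$(cert_fingerprint "$2" DER)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run the checks against a throwaway CA and print the fingerprint to compare.
demo_throwaway_ca() {
    dir=$(mktemp -d) || return 1
    rc=1
    if openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
           -subj "/CN=Constructed Example CA" \
           -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
       pem_to_der_checked "$dir/ca.pem" "$dir/ca.der" &&
       is_root_cert "$dir/ca.der" DER; then
        cert_fingerprint "$dir/ca.der" DER && rc=0
    fi
    rm -rf "$dir"
    return $rc
}

demo_throwaway_ca
```

To check what a client actually receives, download ca.der from the port 7780 URL on another machine and compare its cert_fingerprint output with that of the file on the server. Pass sha1 or md5 as the third argument if the device shows a different digest.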