Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Hardware - Troubleshooting and Discussion > iPhone, iPad & iPod > How to (can one?) install a root certificate for iPhone's email?

How to (can one?) install a root certificate for iPhone's email?
Thread Tools
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Reply With Quote
Sep 1, 2007, 11:11 AM
 
I didn't see any posts about this, and Google didn't return anything useful.

I have an IMAP account with an employer that publishes its own root certificates for secure web browsing and access to its IMAP server (sending and receiving). These certs are issued by the employer and are not included by default on commercial operating systems. Employees download them from the employer and install them on their systems (Windows or Mac).

What I'm wondering is whether the iPhone will sync the employer's root certificate from my Keychain and employ it in the email client to establish incoming and outgoing SSL connections with the IMAP server; I do this manually, or it won't work at all.

Thanks.
     
kman42
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Status: Offline
Reply With Quote
Sep 1, 2007, 12:45 PM
 
It works for me. My university uses a certificate to authenticate and when the IT guy moved the server, I stopped being able to send mail from my iPhone. I would also get an error on my desktop through Mail saying that the cert could not be authenticated and asking if I wanted to send the email anyway. I told my IT guy, he moved the correct certs over and now all is well again.

I derived from this that the iPhone is cert-aware.

kman
     
Cold Warrior  (op)
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Reply With Quote
Sep 1, 2007, 12:47 PM
 
Originally Posted by kman42 View Post
It works for me. My university uses a certificate to authenticate and when the IT guy moved the server, I stopped being able to send mail from my iPhone. I would also get an error on my desktop through Mail saying that the cert could not be authenticated and asking if I wanted to send the email anyway. I told my IT guy, he moved the correct certs over and now all is well again.

I derived from this that the iPhone is cert-aware.

kman
Cool. So he added the cert to Mail, then it seems to have made its way to your iPhone, and iPhone's mail client doesn't give a notice when sending?

Thanks.
     
kman42
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Status: Offline
Reply With Quote
Sep 1, 2007, 02:26 PM
 
Once he put the proper cert on the mail server, Mail stopped telling me that it couldn't authenticate the server since I had the matching cert in my keychain. My iPhone then started sending mail again, when it previously did not during the period when he didn't have the correct cert on the server.
     
Cold Warrior  (op)
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Reply With Quote
Sep 1, 2007, 02:35 PM
 
OK. Sounds like the iPhone syncs Keychain certs then.

Thanks!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Sep 1, 2007, 03:28 PM
 
Originally Posted by Cold Warrior View Post
OK. Sounds like the iPhone syncs Keychain certs then.

Thanks!
Not necessarily. It sounds like the person who responded to you misunderstood the question asked.

If your company is using their own self-signed certificate, the only way for a client to recognize this cert without complaining about it is to add this cert to your client machine. The poster was talking about his server admins correcting the cert offered by the server, but this is a different issue - it sounds like his server is offering a commercial certificate.
     
Cold Warrior  (op)
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Reply With Quote
Sep 1, 2007, 03:37 PM
 
Originally Posted by besson3c View Post
Not necessarily. It sounds like the person who responded to you misunderstood the question asked.

If your company is using their own self-signed certificate, the only way for a client to recognize this cert without complaining about it is to add this cert to your client machine. The poster was talking about his server admins correcting the cert offered by the server, but this is a different issue - it sounds like his server is offering a commercial certificate.
Makes sense. So I guess the question is still open: is there a way to add a cert to the iPhone (the client-side)?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Sep 1, 2007, 03:54 PM
 
Originally Posted by Cold Warrior View Post
Makes sense. So I guess the question is still open: is there a way to add a cert to the iPhone (the client-side)?
Sorry, I don't have an iPhone, so I don't know.

I'm not sure why your admins would require their users to install the self-signed certificate, when a commercial certificate can be purchased for under $200, probably cheaper than the support resources needed to pacify users who don't like getting warnings

Still, I'm sure that a lot of people are making a lot of money in the SSL cert business. It seems silly to shell out this kind of dough for a damn text file
     
kman42
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Status: Offline
Reply With Quote
Sep 1, 2007, 09:17 PM
 
I had to add the cert to my desktop. The IT guy made a self-signed cert for the server (I'm one of only two people on this server as it is a test IMAP server for the department before he puts everyone on it) and sent it to me. I dragged it into Keychain and my mail started working. This was 6 months before I got the iPhone. The iPhone just worked from the beginning until he moved servers. Then everything stopped working. He moved the server-side cert to the new server and all was well again. I guess this was the matching cert for the one he sent me? I don't know that much about how this works, I'm just trying to relate what happened in my case. I never had to do anything again on my desktops or my iPhone. Once he moved the cert over, it started working again.

kman
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Sep 1, 2007, 09:23 PM
 
Originally Posted by kman42 View Post
I had to add the cert to my desktop. The IT guy made a self-signed cert for the server (I'm one of only two people on this server as it is a test IMAP server for the department before he puts everyone on it) and sent it to me. I dragged it into Keychain and my mail started working. This was 6 months before I got the iPhone. The iPhone just worked from the beginning until he moved servers. Then everything stopped working. He moved the server-side cert to the new server and all was well again. I guess this was the matching cert for the one he sent me? I don't know that much about how this works, I'm just trying to relate what happened in my case. I never had to do anything again on my desktops or my iPhone. Once he moved the cert over, it started working again.

kman

So, if you delete the self-signed cert from your computer, you see error messages?

If so, I guess the iPhone does respect and sync with Keychain data, I was just thrown by what you were saying about moving servers. As long as the domain name being accessed matches the Common Name included within the cert, providing the certificate authority is recognized by the client there should be no errors. If your IT guy forgot to move the SSL cert over to the new server, this would have resulted in seeing error messages.

Good news for the original iPhone poster. All he has to do is add the self-signed cert into his OS X keychain and sync with his iPhone. There should be a number of guides online for doing the former.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Reply With Quote
Sep 1, 2007, 09:33 PM
 
I would think the iPhone would have to import from the keychain, or else people who use encryption (and Mail as their mail client, at least) would not be able to receive encrypted mail.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Sep 1, 2007, 10:42 PM
 
Originally Posted by Big Mac View Post
I would think the iPhone would have to import from the keychain, or else people who use encryption (and Mail as their mail client, at least) would not be able to receive encrypted mail.
You are referring to SSL encrypted mail, but PGP encryption works without SSL certs (and is a more secure solution, albeit more complicated).
     
kman42
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Status: Offline
Reply With Quote
Sep 2, 2007, 01:34 AM
 
Originally Posted by besson3c View Post
If your IT guy forgot to move the SSL cert over to the new server, this would have resulted in seeing error messages.
Based on the emails from my IT guy, this is what I believe happened.
     
Cold Warrior  (op)
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Reply With Quote
Sep 2, 2007, 09:53 AM
 
Thanks all. Good news for my intended iPhone purchase.
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 05:31 PM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,