How to (can one?) install a root certificate for iPhone's email?
Moderator
Join Date: Jan 2001
Location: Polwaristan
I didn't see any posts about this, and Google didn't return anything useful.
I have an IMAP account with an employer that publishes its own root certificates for secure web browsing and access to its IMAP server (sending and receiving). These certs are issued by the employer and are not included by default on commercial operating systems. Employees download them from the employer and install them on their systems (Windows or Mac).
What I'm wondering is whether the iPhone will sync the employer's root certificate from my Keychain and employ it in the email client to establish incoming and outgoing SSL connections with the IMAP server; I do this manually, or it won't work at all.
Thanks.
Professional Poster
Join Date: Sep 2000
Location: San Francisco
It works for me. My university uses a certificate to authenticate and when the IT guy moved the server, I stopped being able to send mail from my iPhone. I would also get an error on my desktop through Mail saying that the cert could not be authenticated and asking if I wanted to send the email anyway. I told my IT guy, he moved the correct certs over and now all is well again.
I derived from this that the iPhone is cert-aware.
kman
Moderator
Join Date: Jan 2001
Location: Polwaristan
Originally Posted by kman42
It works for me. My university uses a certificate to authenticate and when the IT guy moved the server, I stopped being able to send mail from my iPhone. I would also get an error on my desktop through Mail saying that the cert could not be authenticated and asking if I wanted to send the email anyway. I told my IT guy, he moved the correct certs over and now all is well again.
I derived from this that the iPhone is cert-aware.
kman
Cool. So he added the cert to Mail, then it seems to have made its way to your iPhone, and iPhone's mail client doesn't give a notice when sending?
Thanks.
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Once he put the proper cert on the mail server, Mail stopped telling me that it couldn't authenticate the server since I had the matching cert in my keychain. My iPhone then started sending mail again, when it previously did not during the period when he didn't have the correct cert on the server.
Moderator
Join Date: Jan 2001
Location: Polwaristan
OK. Sounds like the iPhone syncs Keychain certs then.
Thanks!
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by Cold Warrior
OK. Sounds like the iPhone syncs Keychain certs then.
Thanks!
Not necessarily. It sounds like the person who responded to you misunderstood the question asked.
If your company is using their own self-signed certificate, the only way for a client to recognize this cert without complaining about it is to add this cert to your client machine. The poster was talking about his server admins correcting the cert offered by the server, but this is a different issue - it sounds like his server is offering a commercial certificate.
Moderator
Join Date: Jan 2001
Location: Polwaristan
Originally Posted by besson3c
Not necessarily. It sounds like the person who responded to you misunderstood the question asked.
If your company is using their own self-signed certificate, the only way for a client to recognize this cert without complaining about it is to add this cert to your client machine. The poster was talking about his server admins correcting the cert offered by the server, but this is a different issue - it sounds like his server is offering a commercial certificate.
Makes sense. So I guess the question is still open: is there a way to add a cert to the iPhone (the client-side)?
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by Cold Warrior
Makes sense. So I guess the question is still open: is there a way to add a cert to the iPhone (the client-side)?
Sorry, I don't have an iPhone, so I don't know.
I'm not sure why your admins would require their users to install the self-signed certificate, when a commercial certificate can be purchased for under $200, probably cheaper than the support resources needed to pacify users who don't like getting warnings.
Still, I'm sure that a lot of people are making a lot of money in the SSL cert business. It seems silly to shell out this kind of dough for a damn text file.
Professional Poster
Join Date: Sep 2000
Location: San Francisco
I had to add the cert to my desktop. The IT guy made a self-signed cert for the server (I'm one of only two people on this server as it is a test IMAP server for the department before he puts everyone on it) and sent it to me. I dragged it into Keychain and my mail started working. This was 6 months before I got the iPhone. The iPhone just worked from the beginning until he moved servers. Then everything stopped working. He moved the server-side cert to the new server and all was well again. I guess this was the matching cert for the one he sent me? I don't know that much about how this works, I'm just trying to relate what happened in my case. I never had to do anything again on my desktops or my iPhone. Once he moved the cert over, it started working again.
kman
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by kman42
I had to add the cert to my desktop. The IT guy made a self-signed cert for the server (I'm one of only two people on this server as it is a test IMAP server for the department before he puts everyone on it) and sent it to me. I dragged it into Keychain and my mail started working. This was 6 months before I got the iPhone. The iPhone just worked from the beginning until he moved servers. Then everything stopped working. He moved the server-side cert to the new server and all was well again. I guess this was the matching cert for the one he sent me? I don't know that much about how this works, I'm just trying to relate what happened in my case. I never had to do anything again on my desktops or my iPhone. Once he moved the cert over, it started working again.
kman
So, if you delete the self-signed cert from your computer, you see error messages?
If so, I guess the iPhone does respect and sync with Keychain data, I was just thrown by what you were saying about moving servers. As long as the domain name being accessed matches the Common Name included within the cert, providing the certificate authority is recognized by the client there should be no errors. If your IT guy forgot to move the SSL cert over to the new server, this would have resulted in seeing error messages.
Good news for the original iPhone poster. All he has to do is add the self-signed cert into his OS X keychain and sync with his iPhone. There should be a number of guides online for doing the former.
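The two conditions described in the post above (the issuing authority is recognized by the client, and the name being accessed matches the certificate) can be reproduced with the `openssl` command line. This is an added example, not part of the original thread; the CA name, the host names and the temporary lab directory are constructed for illustration, and the host name is placed in subjectAltName as well as the Common Name because current clients match on the former.

```shell
#!/usr/bin/env bash
# Constructed lab: a private root CA and an IMAP server certificate it issues.
# Every name here (Example Employer Root CA, imap.example.internal) is made up.
set -u
LAB="$(mktemp -d)"
trap 'rm -rf "$LAB"' EXIT

make_lab() {
  # Private, self-signed root CA standing in for the employer's root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Employer Root CA" \
    -keyout "$LAB/ca.key" -out "$LAB/ca.crt" 2>/dev/null
  # Key and signing request for the IMAP host.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.internal" \
    -keyout "$LAB/srv.key" -out "$LAB/srv.csr" 2>/dev/null
  # The CA signs the server certificate; the host name also goes in the SAN.
  printf 'subjectAltName=DNS:imap.example.internal\n' > "$LAB/san.cnf"
  openssl x509 -req -in "$LAB/srv.csr" -days 2 \
    -CA "$LAB/ca.crt" -CAkey "$LAB/ca.key" -CAcreateserial \
    -extfile "$LAB/san.cnf" -out "$LAB/srv.crt" 2>/dev/null
  # An unrelated root: models a client that never installed the employer root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Unrelated Root" \
    -keyout "$LAB/other.key" -out "$LAB/other.crt" 2>/dev/null
}

# check_server <trust-anchor file> <host name the client connects to>
# Prints "ok" only if the chain builds to the anchor AND the name matches.
check_server() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$LAB/srv.crt" \
       >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_lab
echo "root installed, correct name: $(check_server "$LAB/ca.crt" imap.example.internal)"
echo "root missing,   correct name: $(check_server "$LAB/other.crt" imap.example.internal)"
echo "root installed, other name:   $(check_server "$LAB/ca.crt" mail.example.internal)"
```

Only the first case verifies: a client without the private root rejects the chain, and a client with it still rejects a connection to a name the certificate does not cover.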
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
I would think the iPhone would have to import from the keychain, or else people who use encryption (and Mail as their mail client, at least) would not be able to receive encrypted mail.
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by Big Mac
I would think the iPhone would have to import from the keychain, or else people who use encryption (and Mail as their mail client, at least) would not be able to receive encrypted mail.
You are referring to SSL encrypted mail, but PGP encryption works without SSL certs (and is a more secure solution, albeit more complicated).
Professional Poster
Join Date: Sep 2000
Location: San Francisco
Originally Posted by besson3c
If your IT guy forgot to move the SSL cert over to the new server, this would have resulted in seeing error messages.
Based on the emails from my IT guy, this is what I believe happened.
Moderator
Join Date: Jan 2001
Location: Polwaristan
Thanks all. Good news for my intended iPhone purchase.