Ask a Question

Advanced Search

Solution ID : SO15597

Last Modified : 05/02/2018

ActiveSync failing on mobile devices for GeoTrust SSL certificate issued after July 22, 2010

Problem

ActiveSync failing on mobile devices for GeoTrust SSL certificate issued after July 22, 2010

Error: The certificate from the server is not validated.

Error: "This certificate is not from a trusted authority" when attempting to establish a secure connection with Android Mobile phones version 2.2 and prior

There are problems with the security certificate for this site

error adding account. certificate from server is not validated

Invalid Server Certificate

Cause

GeoTrust Global CA root not installed on various mobile devices.

Solution

To resolve this issue on mobile devices, perform the following steps.

For Microsoft IIS 5.0, 6.0 and 7.0

Step 1: Obtain GeoTrust Cross Root CA and GeoTrust Intermediate CA

Note: If you have already installed the GeoTrust Intermediate CA. You only need to obtain GeoTrust Cross Root CA and go to Step 4 through 6 below.


Step 2: Adding the Certificates Snap-in to the Microsoft Management Console (MMC):

Microsoft IIS 5.0 or 6.0

  1. From your Web server, go to Start > Run
  2. Enter mmc in the text box
  3. Click OK
  4. From the Microsoft Management Console (MMC) menu bar, select Console > Add/Remove Snap-in
  5. Click Add
  6. Select Certificates from the list of snap-ins
  7. Click Add
  8. Select the Computer account option
  9. Click Next
  10. Select the Local computer (the computer this console is running on) option
  11. Click Finish
  12. Click on the Close button on the snap-in list window
  13. Click on the OK button on the Add/Remove Snap-in window

Microsoft IIS 7.0

  1. From the Web server, click Start
  2. In the Search programs and files field, type mmc
  3. From the Programs list, click mmc.exe
  4. At the permission prompt, click Yes
  5. From the Microsoft Management Console (MMC), click  File > Add/Remove Snap-in
  6. From the list of snap-ins, select Certificates
  7. Click Add
  8. Select Computer account
  9. Click Next
  10. Select Local computer (the computer this console is running on)
  11. Click Finish
  12. In the Add/Remove Snap-in window, click OK
  13. Save these console settings for future use


Step 3: Install the GeoTrust Intermediate CA

  1. Open the Microsoft Management Console (MMC)
  2. Click on Certificates from the left pane
  3. Double-click on Intermediate Certification Authorities from the right pane
  4. Right-click on Certificates from the right pane and select All Tasks > Import to open the Certificate Import Wizard
  5. Click Next
  6. Specify the location of the GeoTrust Intermediate CA file obtained from Step 1 by clicking Browse
  7. Click Next
  8. By default, it will place the certificate in the Intermediate Certification Authorities store. Keep this selection and click on the Next button.
  9. Click Finish
  10. A message will appear confirming the successful import of the certificate. Click OK
  11. Keep the Console open


Step 4: Install the GeoTrust Cross Root CA Certificate

  1. Using the same Console, double-click on Intermediate Certification Authorities from the right pane
  2. Right-click on Certificates from the right pane and select All Tasks > Import to open the Certificate Import Wizard
  3. Click Next
  4. Specify the location of the GeoTrust Cross Root CA file obtained from Step 1 by clicking Browse
  5. Click Next
  6. By default, it will place the certificate in the Intermediate Certification Authorities store. Keep this selection and click on the Next button.
  7. Click Finish
  8. A message will appear confirming the successful import of the certificate. Click OK
  9. Keep the Console open


Step 5: Check for and Disable the GeoTrust self signed Root CA

  1. Using the open Console, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
  2. Locate the following certificate:

    Issued to: GeoTrust Global CA
    Issued by: GeoTrust Global CA
    Valid from: 5/20/2002 to 5/20/2022
    Serial number: 02 34 56



     
  3. If this certificate is present, it must be disabled. Right click the certificate, select Properties.
  4. In the Certificate purposes section, select Disable all purposes for this certificate, then click OK


     
  5. Close MMC - there is no need to save console settings.
  6. Once this is done restart your IIS service and the error message should be resolved when you access your website.
    Note: In some cases the changes may not take place after restarting IIS Services and a re-boot is needed.


Step 6: Verify certificate installation

  1. Stop and start your Web server prior to any testing
    Note: In some cases the changes may not take place after restarting IIS Services and a re-boot is needed.
  2. To verify the SSL certificate installation, use the GeoTrust Certificate Installation checker utility located here: SO9557

Note: There are times when even if the intermediate certificates are installed correctly and in the correctly certificates store, yet the Microsoft IIS Servers still are not sending the correct chaining across to the client.  If so, export the certificate from the MMC, personal store as a .pfx file. Choose to "include all certificates in the certification path" during the export. then reimport the .pfx file back into the personal store. Make sure to assign the certificate to the website in IIS again after the import. This would link all the required intermediates and root certificate and allow the server to send the correct chain.