You need to upload the signed certificate to the server. In most of the cases, uploading an “Intermediate SSL Certificate” is also required. This topic describes how to test your certificates after installation to ensure that they are fully trusted.
The easiest way to test if your installed server certificate is fully trusted, is to use a test tool. If the web server certificate is not valid or unknown to the mobile phone, no connection can be made and the configuration deployment will fail.
During the TLS handshake the client will check if the certificate offered by the MiCollab or MBG server can be verified. In some cases, the authenticity for the server cannot be verified because the signing Certificate Authority (CA) is unknown to the phone. This is an issue which may not occur on a web browser, because Firefox - for example - uses its own CA certificate pool and does not use the same certificate store as the operating system.
The MiCollab server allows you to specify and upload an “Intermediate SSL Certificate file”. This file can contain one or more intermediate certificates which are transferred to the client once it connects to the server. The certificate path can be validated, even if the phone does not have all Intermediate CAs installed.
Note: Certificates must be in a BASE64 encoded format (*.pem or *.crt) and the file must use the UNIX file format.
Enter the hostname of your UCA server:
Note: If an error occurs as shown in the above example, most likely all the required intermediate certificates are not installed.
Note: Information about different certificate chains must be obtained from the issuer. You must read and understand the certificate installation instructions from your certificate vendor. Normally they should be e-mailed to you whenever you receive the signed certificate from them.
Instead of the using the sslshopper test site, you can use the following openssl command:
openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect uca.example.com:443 < /dev/null
The UCA websocket connection for the client should also be verified:
openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect uca.example.com:36008 < /dev/null
Both commands must return:
Verify return code: 0 (ok)
The information about the installed certificates can be contained by
connecting via web browser to the MiCollab or MBG server. Click on the
symbol in order to find information
about the installed certificate:
The “Issued by:” field of your certificate, that is “Go Daddy Secure Certificate Authority - G2”, helps you to identify which CA was used to sign your MiCollab certificate.
Locate the website of the certificate authority and check the instructions:
https://certs.godaddy.com/repository/
Certificates can be downloaded to this repository. If the filename extension is .crt, you can open and display the certificate with Windows .
Windows will only display the first certificate included in the file. If the file contains more than one certificate, you can display them using a text editor. Separate both certificate sections and save them to different files.
Note: Do not use Notepad because it does not understand the UNIX line formatting.
