SSL connectivity with Geotrust certificate in WP7.1

  • I'm developing an application for Windows Phone 7.1. Currently, it connects to a REST web service and it works fine. In the next version of this app, I need to connect it to the same REST web service over an SSL connection. The web server supports this certificate:

    http://gtssl-aia.geotrust.com/gtssl.crt

    I have a Nokia Lumia 710 and the WP7 emulator to test the application. I'm using the HttpWebRequest class to make the requests to the REST SSL web service, but HttpWebRequest throws a "not found" exception.

    Then I pasted the REST SSL request URI into the WP7 Internet Explorer and it works fine.

    I read this document:

    http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=8842

    I need to install the Geotrust certificate on the cellphone to make the app work. I tried to paste this URL into WP7 Internet Explorer:

    http://gtssl-aia.geotrust.com/gtssl.crt

    But I couldn't install this certificate. I receive this error message:

    Can't download file
    Windows Phone doesn't support this file type

    Then I made another try. I downloaded the certificate using my desktop computer and placed the file on my Internet Information Server. Then I tried to install this certificate and it worked.

    So, the question is: Why is the application certificate installation not automatic?

    In the documentation, I read that Geotrust certificates are available in the United States. I'm working from Argentina.

    I have another question. Is it possible to add the certificate as a content file and install it on the app's first run? I want to make the certification transparent to the user, because we are using a valid certificate.

    Thanks a lot

    Tuesday, July 3, 2012 8:24 PM

All replies

  • The certificate you referenced is not the correct type of certificate, i.e. it is not a server identity certificate.
    From the looks of it I would guess that the certificate you referenced is an intermediate signing certificate.

    If your server certificate derives from a trusted root certificate and your IIS server is configured correctly then you do not need to install the certificate to the phone.

    The certificate you use on your web service must be "issued to" the target server (CN=<host domain name>) and include "Enhanced Key Usage": "Server Authentication (1.3.6.1.5.5.7.3.1)". (Note: "Key Usage" should include "Digital Signature" and "Key Encipherment".)

    For information about obtaining server certificates and configuring IIS to use server certificates see:

    Configuring Internet Server Certificates (IIS 7)

    Note: When using intermediate certificates, the server must include the server certificate and all intermediate certificates in the SSL negotiation phase. If an intermediate certificate is missing then Windows Phone cannot validate the server certificate.
    Thursday, July 5, 2012 5:03 PM