4.2  SSL Certificates

The HTTP protocol is used for direct communication between Kerio Connect and mobile devices. This protocol is not secured, so the connection can be wiretapped, which might lead to misuse of sensitive information such as your username and password. For this reason, SSL (Secure Sockets Layer) encryption is often used to protect the traffic from wiretapping. The HTTP protocol secured by SSL encryption is called HTTPS.

SSL encryption is based on so-called SSL certificates. The mail server has a server certificate, and the certificate in your mobile device is supposed to authenticate against it. There are two types of certificates:

If your certificate is signed by a commercial authority, there is a good chance that the device already includes the certificate and no installation will be required. However, if you use Kerio Connect's self-signed certificate or a certificate signed by an authority not supported by the device, you need to download the certificate and install it in your device. The instructions for this procedure are provided below.

To encrypt your traffic with SSL, download and install the certificate before configuring ActiveSync.

The following guidelines assume that a working Internet connection is set up on your mobile device:

  1. In the browser, enter your Kerio Connect's URL to open the Kerio WebMail's login page (see section 1.2  Authentication to Kerio WebMail).

  2. Click on Download SSL certificate.

  3. Installation of the certificate should be offered by the device. Install it.
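An added example, not part of the Kerio documentation: before installing a self-signed certificate downloaded this way, compare its SHA-256 fingerprint with the one the server administrator gave you over a separate channel. The function names, the placeholder host and the sample bytes are constructed for illustration, and the out-of-band fingerprint is an assumption.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for DER bytes, not a real certificate. A fingerprint is
# a hash over the encoded certificate, so any byte string shows the check.
SAMPLE_DER = b"constructed sample certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize_fingerprint(text: str) -> str:
    """Reduce 'AB:CD:...', 'ab cd ...' or 'abcd...' to 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, the value certificate viewers display."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def matches_published(pem: str, published: str) -> bool:
    """True only if the certificate hashes to the fingerprint you were given."""
    return hmac.compare_digest(pem_fingerprint(pem), normalize_fingerprint(published))


def fetch_server_pem(host: str, port: int = 443) -> str:
    """Return the certificate the server presents, without validating it."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # With a real server: pem = fetch_server_pem("mail.example.com")  # placeholder host
    digest = pem_fingerprint(SAMPLE_PEM)
    published = ":".join(digest[i:i + 2] for i in range(0, 64, 2)).upper()
    print("match:", matches_published(SAMPLE_PEM, published))
    tampered = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"!")
    print("tampered match:", matches_published(tampered, published))
```

Install the certificate only if the comparison succeeds; a mismatch means the certificate you received is not the one the administrator published.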

The suggested guidelines work on most mobile devices. However, on some devices installation of the certificate is a bit more difficult:

Allowing installation of a root certificate in WM 5.0 Smartphone Edition

The security policy of Smartphone devices with Windows Mobile 5.0 or Windows Mobile 5.0 AKU2 forbids installation of certificates that were not issued by a trusted certification authority.

To allow installation of certificates issued by authorities not supported by the particular device (an internal certificate or Kerio Connect's self-signed certificate), you need to install a registry editor on the mobile device and use it to allow installation of untrusted certificates. One option is the application regeditSTG.zip (24.01 KB).

In this editor, follow these instructions:

  1. Find and download regeditSTG.zip (available for free) and unpack it.

  2. Move the editor to the mobile phone (e.g. by using the MS ActiveSync desktop application).

    Warning

    The file must be saved in the phone, not on the memory card.

  3. On the telephone, click on the file and run it.

  4. Run regeditSTG.exe and find HKLM\Security\Policies\Policies.

  5. Change the following registry items:

    • 00001001: overwrite the 2 with 1

    • 00001005: overwrite the 16 with 40

    • 00001017: overwrite the 128 with 144

  6. Now you can download the certificate from the server and install it.

    Warning

    A so-called hard reset removes the registry changes (the settings must be repeated if needed).

SSL encryption in Sony Ericsson devices

If Kerio Connect's self-signed certificate is installed, the device does not require confirmation for each synchronization with the server:

[Security Information       ?]
The certificate could not be
verified.
Select 'Certificate details' to get
more information about the
certificate.
Do you want to accept the
certificate and proceed?
[ Yes ]  [  No  ]  [ Details ]

Therefore, it is recommended to install a certificate signed by a trustworthy certification authority.