ActiveSync fun with my Orange M600 and server Certs

Had a weird problem out of the blue yesterday with my Orange SPV M600. We recently changed over the public name of our ISA server and this involved a resync of my PDA – not a problem. The biggest hassle (tiny at that) was picking up the folders to take offline in mobile Outlook.

Then I started getting an error when I attempted to synchronise my phone – “The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server. Support Code:80072f0d”. This error could be seen on both the PDA and in ActiveSync 4.5.0.

I tried a whole pile of stuff, including going back to basics as I did when I got USB sync working. I tried a few soft resets. I checked for the error code in Microsoft support, but just found a listing explaining the error code, not the fixing procedure. I even thought it might be because I’m in a different location at work, and hitting some name resolution weirdness from the different network routing.

Then I stumbled over an article on root certificates and Mobile 5 devices. I’m guessing that the root certificate authority (CA) had switched between the old address and the new address the PDA was syncing to (i.e. the public name of the ISA server in front of Microsoft Exchange). The new SSL certificate (I had the checkbox in ActiveSync checked) wasn’t acceptable. So I had to get a root certificate from our company root CA. This I did by popping into Internet Explorer 7.0 on my work machine, choosing Tools, Options, picking the Content tab and then Certificates. Then I picked the Trusted Root Certification Authorities and exported the root certificate from my company to a DER encoded file. Then I used ActiveSync to transfer the file over to my PDA, then used File Explorer on the PDA to find and open up the certificate. This fixed the problem!

So in summary, if you get 80072f0d, then it may be that the root CA on your sync server isn’t trusted. This can happen if the root CA isn’t one of the standard set that ships from Microsoft in Windows Mobile (IE is similar); in my case the root certificate was already on my desktop build as part of policy. You need to choose whether to change the server certificate to one issued by one of your existing trusted CAs, or to trust the root CA that has been used.
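Trusting a new root on the device is worth a quick check of the exported file first. The following is an added example, not part of the original post: it confirms the file is a single DER certificate, that issuer and subject match (as they do for a root), and computes the SHA-1 thumbprint to compare with the Thumbprint shown in the desktop certificate dialog. The function names, the `Example Corp Root CA` and `mail.example.com` names, and the sample certificates (constructed, with dummy key and signature bytes) are assumptions for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def inspect_root(der):
    """Summarise an exported certificate file before trusting it on a device."""
    tag, start, end = read_tlv(der, 0)         # outer Certificate SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER certificate (Base-64 or PKCS#7 export?)")
    tag, pos, tbs_end = read_tlv(der, start)   # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, nxt = read_tlv(der, pos)
        if tag != 0xA0:                        # skip the optional [0] version
            fields.append(der[pos:nxt])
        pos = nxt
    if len(fields) < 5:                        # serial, sigAlg, issuer, validity, subject
        raise ValueError("unexpected tbsCertificate layout")
    return {"self_issued": fields[2] == fields[4],   # names only, signature not verified
            "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper()}

# --- constructed sample input: cert-shaped DER with dummy key and signature ---
def tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def name(cn):                                  # Name with a single commonName RDN
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def sample_cert(issuer_cn, subject_cn):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    dummy_bits = tlv(0x03, b"\x00" + b"\x01" * 8)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + tlv(0x30, alg + dummy_bits))
    return tlv(0x30, tbs + alg + dummy_bits)

ROOT = sample_cert("Example Corp Root CA", "Example Corp Root CA")
SERVER = sample_cert("Example Corp Root CA", "mail.example.com")
```

On a real export, pass the file's bytes to `inspect_root` and compare the thumbprint with the desktop value before opening the file on the device; a `self_issued` of `False` means a server or intermediate certificate was exported rather than the root.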