BESAdmin.info - Your Technical Support Source

How to add a certificate for the web server to the BlackBerry Mobile Data Service or BlackBerry MDS keystore


Doc ID: KB11623
Modified Date: 10-19-2009
Document Type: Support

Products

  • BlackBerry® Enterprise Server



Environment

  • BlackBerry® Enterprise Server version 3.6 to 4.1
  • Java® Runtime Environment (JRE)



Overview

The cacerts file is a keystore of certificate authority (CA) certificates. It includes multiple trusted root CA certificates, such as VeriSign®. For the BlackBerry® Mobile Data Service or BlackBerry MDS to trust a web server, the BlackBerry Mobile Data Service or BlackBerry MDS must check the web server certificate with the certificate authority. If the web server certificate is purchased from a trusted certificate authority, the check is successful because the issuer's root CA certificate is in the cacerts file by default. If a private certificate authority is used to issue the website certificate, the check fails and access to the website from the BlackBerry smartphone is either denied or a prompt to trust the certificate appears. To resolve this issue, perform one of the following:

  • Import the private certificate authority's root CA certificate and any relevant intermediate certificates into the cacerts file.
  • Import the web server certificate into the cacerts file.

Note: The BlackBerry Mobile Data Service is included with BlackBerry Enterprise Server version 3.6 to 4.0. BlackBerry MDS is included with BlackBerry Enterprise Server version 4.1.

To import the certificate into the cacerts file, complete the following tasks:

Task 1 - Add the Java Bin folder to the Path environment variable (Optional)

Note: To assist the Key and Certificate Management Tool, add the path of the Java Bin directory to the Path environment variable. If the Java Bin directory is not added to the Path environment variable, commands require full path information.

To add the Java Bin folder to the Path environment variable, complete the following steps:

  1. On the computer, right-click My Computer and choose Properties.
  2. Click the Advanced tab.
  3. Click Environment Variables.
  4. Select Path in the System Variables list box and click Edit.
  5. Go to the end of the text by pressing the End key on the keyboard.
  6. Add ; to the end of the text followed by the path to the Java Bin directory.

Task 2 - Add a certificate to the BlackBerry Mobile Data Service or BlackBerry MDS certificate store

Note: The default keystore password is changeit.  The aliasname used in the commands below needs to be unique.

To add a certificate to the BlackBerry Mobile Data Service or BlackBerry MDS certificate store, complete the following steps:

  1. Copy the certificateName.cer file to C:\Program Files\Java\jre1.5.0_06\lib\security.

    If the Java directory is not in the Path environment variable, type the following command at the C:\Program Files\Java\jre1.5.0_06\bin prompt to add the certificate to the cacerts file.

    keytool -import -trustcacerts -alias aliasname -file ..\lib\security\certificateName.cer -keystore ..\lib\security\cacerts

    Or

    If the path statement exists for the Java Bin directory, type the following command from the C:\Program Files\Java\jre1.5.0_06\lib\security prompt:

    keytool -import -trustcacerts -alias aliasname -file certificateName.cer -keystore cacerts

  2. Check that the cacerts file contains the updated information for the new alias and certificate.

    If the Java directory is not in the Path environment variable, type the following command at the C:\Program Files\Java\jre1.5.0_06\bin prompt to check that the cacerts file contains the updated information:

    keytool -list -v -keystore ..\lib\security\cacerts

    Or

    If the path variable exists, type the following command from the C:\Program Files\Java\jre1.5.0_06\lib\security prompt:

    keytool -list -v -keystore cacerts

  3. Once the cacerts file in the security folder contains the correct information, restart the BlackBerry Mobile Data Service or BlackBerry MDS Services for the changes to take effect.

    Important: Restarting certain BlackBerry Enterprise Server services delays email message delivery to BlackBerry smartphones. For more information, see KB04789.




Additional Information

If the following error message appears in the BlackBerry Mobile Data Service or BlackBerry MDS log file after accessing an HTTPS site from a BlackBerry smartphone, it might be caused by the web server's certificate not being added to the cacerts file:

BlackBerry Enterprise Server version 3.6 to 4.1 SP5

<MDS-CS_1>:<DEBUG>:<LAYER = IPPP, URL [https://testsite/test.css] SSLException
[sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]>

BlackBerry Enterprise Server version 4.1 SP6

<MDS-CS_SERVERNAME_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, Access Denied: Insecure SSL Request>
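
To see which web servers are producing these entries before deciding what to import, the following added example (not part of the original article and not BlackBerry tooling) scans MDS log text for the two messages above and counts trust-path failures per host. The function name triage and every sample line other than the two entries quoted above are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Trust-path failure entry (3.6 to 4.1 SP5 format quoted above). [^\]] also
# matches newlines, so an entry wrapped over several lines still matches.
PKIX_RE = re.compile(
    r"URL\s*\[(?P<url>[^\]\s]+)\]\s*SSLException\s*\[[^\]]*?"
    r"PKIX\s+path\s+building\s+failed")
# 4.1 SP6 entry: it carries no URL, so it can be counted but not attributed.
DENIED_RE = re.compile(r"Access\s+Denied:\s+Insecure\s+SSL\s+Request")

def triage(log_text):
    """Return ({(host, port): failures}, number of URL-less SP6 denials)."""
    hosts = Counter()
    for match in PKIX_RE.finditer(log_text):
        try:
            parts = urlsplit(match.group("url"))
            port = parts.port or 443
        except ValueError:  # malformed URL or port in the log entry
            continue
        if parts.scheme == "https" and parts.hostname:
            hosts[(parts.hostname, port)] += 1
    return hosts, len(DENIED_RE.findall(log_text))

# Constructed sample log: the first and last entries follow the article,
# the middle three are made up (including one SSL error that is not a
# trust-path failure and must not be counted).
SAMPLE_LOG = """\
<MDS-CS_1>:<DEBUG>:<LAYER = IPPP, URL [https://testsite/test.css] SSLException
[sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]>
<MDS-CS_1>:<DEBUG>:<LAYER = IPPP, URL [https://other.example.test/] SSLException [java.net.SocketTimeoutException: Read timed out]>
<MDS-CS_1>:<DEBUG>:<LAYER = IPPP, URL [https://testsite/index.html] SSLException [sun.security.validator.ValidatorException: PKIX path building failed: ...]>
<MDS-CS_1>:<DEBUG>:<LAYER = IPPP, URL [https://intranet.example.test:8443/] SSLException [sun.security.validator.ValidatorException: PKIX path building failed: ...]>
<MDS-CS_SERVERNAME_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, Access Denied: Insecure SSL Request>
"""

if __name__ == "__main__":
    failing_hosts, denied = triage(SAMPLE_LOG)
    for (host, port), count in failing_hosts.most_common():
        print(f"{host}:{port}  {count} PKIX failure(s): confirm which CA issued its certificate")
    print(f"{denied} 'Insecure SSL Request' denial(s) logged without a URL")
```

Each host reported corresponds to a certificate chain the cacerts file does not currently trust; the 4.1 SP6 denials have to be matched to a host by other means, since that entry records no URL.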