For security reasons, it is recommended to synchronize only over HTTPS, since ActiveSync sends the user's login data to the server without encrypting it.
For a description of how services running in Kerio MailServer are encrypted, see chapter 16 Server's Certificates. This method requires a valid SSL certificate installed on the device.
The following conditions must be met to make certificates valid:
The certificate must be issued by a trustworthy certification authority. Trustworthy means that the mobile device needs to know the server's root certificate. Windows Mobile includes root certificates of several certification authorities. A list of these authorities can be found at the Microsoft Corporation website.
The certificate's date must be valid, and the correct date and time must be set on the device.
The certificate must include a valid name of the email domain for which Kerio MailServer is used.
Valid certificates for encrypted traffic can be either certificates issued by trustworthy certification authorities (these certificates can be quite expensive, however, they avoid possible installation difficulties) or a certificate issued by an internal certification authority or a so-called self-signed certificate generated in Kerio MailServer (for details, see chapter 16 Server's Certificates).
In case of certificates issued by a trusted certification authority, no settings or installations are required. In cases of internal certificates or self-signed certificates, the root certificate must be installed on the device.
Windows Mobile requires a certificate encoded in the DER X.509 format. The .cer extension is required. The simplest method to get and install a certificate is to download it to the device with a browser.
Kerio MailServer's self-signed certificate in the required format is available at
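A pre-flight check for the conditions above, as an added example that is not part of the Kerio documentation: it converts a PEM certificate to the DER-encoded .cer file Windows Mobile requires and checks extension, encoding, expiry and server name with the openssl command-line tool. The function names, file names and mail.example.com are assumptions; whether the device knows the issuing authority still has to be checked on the device.

```shell
#!/bin/sh
# Added example, not from the Kerio documentation. Function names, file
# names and mail.example.com are constructed for illustration.

# Convert a PEM certificate to the DER-encoded .cer file the device expects.
to_wm_cer() {  # usage: to_wm_cer <pem-in> <cer-out>
    case "$2" in
        *.cer) ;;
        *) echo "output name must end in .cer" >&2; return 2 ;;
    esac
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# Check what can be tested off the device: extension, DER encoding,
# expiry and server name. Trust in the issuer is decided on the device.
check_wm_cer() {  # usage: check_wm_cer <cer-file> <server-name>
    case "$1" in
        *.cer) ;;
        *) echo "FAIL: extension is not .cer"; return 1 ;;
    esac
    # A PEM file renamed to .cer still carries its text armor.
    if grep -q -e '-----BEGIN' "$1"; then
        echo "FAIL: PEM text, not DER"; return 1
    fi
    openssl x509 -in "$1" -inform DER -noout 2>/dev/null \
        || { echo "FAIL: not an X.509 certificate"; return 1; }
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$1" -inform DER -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; return 1; }
    # -checkhost reports "does match" or "does NOT match" for the name.
    openssl x509 -in "$1" -inform DER -noout -checkhost "$2" \
        | grep -q "does match" \
        || { echo "FAIL: $2 is not named in the certificate"; return 1; }
    echo "OK: $1 can be offered to the device for $2"
}

# Constructed sample: a throwaway self-signed certificate, valid 30 days.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mail.example.com" \
        -keyout "$d/key.pem" -out "$d/server.pem" 2>/dev/null || return 1
    to_wm_cer "$d/server.pem" "$d/server.cer" \
        && check_wm_cer "$d/server.cer" mail.example.com
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```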
On devices with Windows Mobile 2002, traffic is possible only over HTTPS; the unencrypted version of the protocol is not supported. Kerio MailServer must also authenticate with a certificate authorized by a trustworthy certification authority. This can be either a certificate authorized by a supported commercial certification authority (certificates issued by VeriSign, CyberTrust, Thawte and Entrust are supported), or the root certificate of the authority which issued the certificate for Kerio MailServer can be installed on the device (for details, see section Allowing installation of a root certificate in WM 2002).
It is not possible to install the Kerio MailServer's self-signed certificate on Windows Mobile 2002. It is only possible to use root certificates authorized by at least one internal authority.
Since Windows Mobile 2003, ActiveSync configuration includes an option to enable/disable SSL encryption. However, it is strongly recommended to use the SSL encryption since only the basic authentication method is used for user authentication within the synchronization (no encryption is used for the login data transfers so the data can be easily misused).
Since Windows Mobile 2003, installation of the self-signed certificate on mobile devices is very simple. The instructions can be found in section Installation of the Kerio MailServer's self-signed root certificate.
Security rules in Smartphone devices with Windows Mobile 2005 forbid installation of new root certificates. In such cases, it is necessary to enable installation of root certificates in the device registry first (the instructions are provided below).
To install the certificate on Windows Mobile 2002 or on Windows Mobile 5.0 Smartphone Edition, follow the instructions provided in sections Allowing installation of a root certificate in WM 2002 and Allowing installation of a root certificate in WM 5.0 Smartphone Edition. In other cases, start the installation by step
On the mobile device, run a web browser.
In the URL text field, enter the server's address following the pattern
A dialog is displayed asking whether the certificate should be downloaded to the device. Click to confirm the action.
Next, you'll be asked whether the certificate should be installed and used. Again, click on the button.
Now, the certificate is installed.
Download the application from the AddRootCert link [409KB] and unpack it.
addrootcert.exe file to the device.
Copy the server's certificate to the device (the certificate must be encoded in DER X.509 format and the .cer extension is required).
In the device, click on the addrootcert.exe file and run it.
Use the application to install the certificate.
Restart the device.
To allow installation of root certificates issued by authorities not supported by the particular device (an internal certificate or the Kerio MailServer's self-signed certificate), it is necessary to install a registry editor on the mobile device and use this editor to allow installation of untrustworthy root certificates. One option is, for example, the application regeditSTG.zip (24.01 KB).
In this editor, follow these instructions:
Find and download regeditSTG.zip (available for free) and unpack it.
Move the editor to the mobile phone (e.g. by using the MS ActiveSync desktop application).
It is necessary that the file is saved in the phone, not on the memory card.
On the telephone, click on the file and run it.
regeditSTG.exe and find
Change the following registry items:
00001001 overwrite the 2 with 1
00001005 overwrite the 16 with 40
00001017 overwrite the 128 with 144
Now, it is possible to download the certificate from the server and install it as described in section 36.4 SSL encryption.
A so-called “hard reset” removes the registry changes (the settings must be repeated if needed).
[Security Information ?] The certificate could not be verified. Select 'Certificate details' to get more information about the certificate. Do you want to accept the certificate and proceed? [ Yes ] [ No ] [ Details ]
Therefore, it is recommended to install a certificate signed by a trustworthy certification authority.