BlackBerry Enterprise Server Express 5.0 plus VeriSign Certificates plus Microsoft ISA Server 2006
So I’ve been tasked to get the above baby up and running. We’re running a quick pilot to our users to see if the BlackBerry devices and services will be something of use to us. Currently on our internal Marketplace we already have Apple iPhones and Microsoft WinMo (Windows Mobile) devices available, so you might as well go for the BlackBerry.
Now before I started on this journey I didn’t realise what a palaver it would be to install trusted public certificates on BlackBerry Enterprise Server (BES) Express 5.0. If anyone from Research in Motion (RIM) or O2 is reading, wake up to yourselves! It’s ridiculous that we have to go through the steps I’m about to outline. Also, if someone from a large Enterprise calls up the support line and states that they would like to replace the self-signed certificate with a publicly trusted one and publish the BES WebDesktop via ISA, don’t reply back with “why would you want to do that?” Fail.
I’m writing this little blurb to save someone out the mental anguish and therapy bills I had to go through!
So once you have your BES server up and running with the self-signed certificate and have ensured that your WebConsole and WebDesktop sites are working, you’re good to go. A lot of these steps are a gathering of scattered resources, so I’ll provide links, but everything should work step by step on this page. There are two paths you need to be aware of first of all; I’m running this on an x64 machine:
# Java Runtime Environment Keytool Path
"C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe"
# BlackBerry Administration Service Keystore path
"C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
Let’s go ahead and check what is in web.keystore first of all; this lists the certificates in a Java keystore. Notice one alias called httpssl: this is the certificate we’ll need to change. The keystore password was generated when you first installed the product, so note it down, as you will be asked to enter it over and over again. There are heaps of links on how to change it if you’ve forgotten it;
"C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe" -list -v -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
So let’s go ahead and look at our httpssl certificate to ensure it’s there. If it’s there, all good; otherwise we’ll need to create another one later on;
"C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe" -list -v -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
Now this is where it all starts to get a little ‘exciting’. You can delete the httpssl alias from the keystore and still have the WebDesktop and WebConsole sites accessible, just DON’T restart your server or the BlackBerry Administration Service (BAS) services! Word of warning: if you do, your users won’t be able to access those sites until a valid certificate is back in the keystore. So let’s delete the httpssl alias, as we’ll be creating a new one. If you instead generate a new certificate request from the existing self-signed key, VeriSign will moan that you do not have all the Owner details entered correctly.
"C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe" -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
Let’s go ahead and generate the new key and certificate request for the httpssl alias. When generating the key, the Full Name keytool prompts for (“first and last name”, which becomes the certificate’s Common Name) is the URL you will be publishing to your users, which in turn should be the same as the Administration Service – High Availability – Pool Name setting in the BlackBerry Server Configuration application;
"C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe" -genkey -keyalg RSA -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
"C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe" -certreq -alias httpssl -file certreq.csr -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
This will now generate your certreq.csr file, which you can upload to VeriSign. It might take a couple of days for your certificate to come through, so in the meantime you can go ahead and install the VeriSign Intermediate certificates to complete the certificate chain. Get your VeriSign Intermediate CA Certificates;
Once you have your certificates, import the public root or intermediate CA certificates into your Java keystore (they must be in place before the signed certificate is imported, so that keytool can build the chain);
"C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe" -import -trustcacerts -alias evprimary -file primary_EV_inter.cer -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
"C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe" -import -trustcacerts -alias evsecondary -file secondary_EV_inter.cer -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
Hopefully by this time you will have received your signed certificate from VeriSign and you’re good to go for the last import. Import your signed certificate into your Java keystore, under the same httpssl alias that holds the private key;
"C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe" -import -trustcacerts -alias httpssl -file blackberry.cer -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
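Because restarting BAS with a broken keystore locks users out of WebDesktop and WebConsole, it is worth checking the keystore before the restart rather than after. The following script is an added example, not part of the original post or any RIM tooling: it parses the output of `keytool -list -v` and flags the states that still produce a browser warning (httpssl missing, the alias holding a certificate but no private key, a leaf that is still self-signed, a CN that does not match the published hostname, or an issuer/subject mismatch between links of the chain). The two listings embedded in it are constructed samples that follow keytool’s layout; the hostname `bes.example.com` and the CA names are placeholders.

```python
"""Sanity-check the BAS web.keystore from `keytool -list -v` output.

Added example (not from the original post). Usage against a real keystore:
    keytool.exe -list -v -keystore web.keystore > listing.txt
    python check_keystore.py listing.txt bes.example.com
With no arguments it runs over the constructed BAD_LISTING below.
"""
import re
import sys
from typing import Dict, List, Optional

# JDK 6 keytool prints "PrivateKeyEntry"; older releases printed "keyEntry".
PRIVATE_KEY_TYPES = ("PrivateKeyEntry", "keyEntry")


def parse_keytool_listing(text: str) -> Dict[str, dict]:
    """Map alias -> {"entry_type": str, "chain": [{"owner", "issuer"}, ...]}.

    Chains are kept leaf first, in the order keytool prints them. Lines the
    check does not need (serial numbers, dates, fingerprints) are ignored.
    """
    entries: Dict[str, dict] = {}
    current: Optional[dict] = None
    cert: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"entry_type": None, "chain": []}
            entries[line.split(":", 1)[1].strip()] = current
            cert = None
        elif current is None:
            continue  # keystore header, before the first alias
        elif line.startswith("Entry type:"):
            current["entry_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):  # each Owner line starts a new certificate
            cert = {"owner": line.split(":", 1)[1].strip(), "issuer": None}
            current["chain"].append(cert)
        elif line.startswith("Issuer:") and cert is not None:
            cert["issuer"] = line.split(":", 1)[1].strip()
    return entries


def dn_cn(dn: str) -> Optional[str]:
    """Extract the CN attribute from a distinguished-name string."""
    match = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return match.group(1).strip() if match else None


def check_keystore(text: str, alias: str = "httpssl",
                   expected_cn: Optional[str] = None) -> List[str]:
    """Return the problems found for `alias`; an empty list means it looks good."""
    entry = parse_keytool_listing(text).get(alias)
    if entry is None:
        return [f"alias '{alias}' is missing: BAS will have no SSL certificate after a restart"]
    problems: List[str] = []
    if entry["entry_type"] not in PRIVATE_KEY_TYPES:
        problems.append(f"'{alias}' is a {entry['entry_type']}, not a private key entry: "
                        "the signed certificate was imported without its key")
    chain = entry["chain"]
    if not chain:
        return problems + [f"'{alias}' holds no certificate"]
    leaf = chain[0]
    if leaf["owner"] == leaf["issuer"]:
        problems.append("leaf certificate is self-signed: the CA-signed certificate has "
                        "not replaced it, so browsers will still warn")
    elif len(chain) < 2:
        problems.append("no intermediate CA in the chain: import the intermediates "
                        "before importing the signed certificate")
    if expected_cn and dn_cn(leaf["owner"]) != expected_cn:
        problems.append(f"CN is {dn_cn(leaf['owner'])!r}, expected {expected_cn!r} "
                        "(must match the published URL and the BAS pool name)")
    for lower, upper in zip(chain, chain[1:]):  # each issuer must be the next subject
        if lower["issuer"] != upper["owner"]:
            problems.append(f"chain broken after '{dn_cn(lower['owner'])}': issued by "
                            f"'{dn_cn(lower['issuer'])}' but next cert is '{dn_cn(upper['owner'])}'")
    return problems


# Constructed sample: httpssl after a correct import (leaf + two intermediates).
GOOD_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=bes.example.com, OU=IT, O=Example Pty Ltd, L=Sydney, ST=NSW, C=AU
Issuer: CN=Example EV Secondary Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example EV Secondary Intermediate CA, O=Example CA, C=US
Issuer: CN=Example EV Primary Intermediate CA, O=Example CA, C=US
Certificate[3]:
Owner: CN=Example EV Primary Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US

Alias name: evsecondary
Entry type: trustedCertEntry

Owner: CN=Example EV Secondary Intermediate CA, O=Example CA, C=US
Issuer: CN=Example EV Primary Intermediate CA, O=Example CA, C=US
"""

# Constructed sample: the state behind "I still get a certificate warning".
BAD_LISTING = """Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=bes.example.com, OU=IT, O=Example Pty Ltd, L=Sydney, ST=NSW, C=AU
Issuer: CN=bes.example.com, OU=IT, O=Example Pty Ltd, L=Sydney, ST=NSW, C=AU
"""

if __name__ == "__main__":
    listing = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else BAD_LISTING
    cn = sys.argv[2] if len(sys.argv) > 2 else "bes.example.com"
    for line in check_keystore(listing, "httpssl", cn) or ["httpssl looks good: private key, CA-signed leaf, linked chain"]:
        print(line)
```

Run it after the final import and fix anything it reports before touching the BAS services; an empty report means the alias has a private key, a CA-signed leaf with the right CN and a chain whose links match.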
You are done. All that remains now is the big test of restarting the BAS services and ensuring it works. After speaking to RIM at great length: you will know whether your certificates were successfully imported when you restart your BAS services. An easy way of checking this is to bring up Task Manager and watch the BAS-AS.exe*32 process; if it sits at 19MB then you have issues. Wait till the process consumes about 190MB, as the RIM engineer put it, and then try logging into your WebDesktop or WebConsole site.
With any luck you are done and you’ve removed any certificate warnings from your BES WebDesktop and WebConsole sites.
If you work for a large enterprise then you no doubt will want to publish the WebDesktop site to your users, so they can configure their BlackBerrys on the go. For this to work you need to export the certificate we imported, with its associated private key and install it on each ISA Array member. I’m not going to go through the publishing of the WebDesktop site as that is the easy bit, what’s annoying about this whole procedure is exporting the certificate again with its private key! Ahhhh! Hair pulling time again.
So without further ado, here is the procedure to create your certificate’s pfx file so you can then go ahead and install it in your Windows machine’s private certificate store. For this to work you need to install OpenSSL for Windows, which can be downloaded from;
Once you have OpenSSL up and running you need to go ahead and download jks2pfx.zip from;
Extract the contents to a folder and then run the JKS2PFX.bat file with your particular details. If all goes well, it will ask you to enter a password; this is the password you will need when importing the pfx file into your ISA Array member’s certificate store.
Hopefully this little guide will save your sanity as it was driving me around the bend.
PS. If you copy and paste the commands you’ll need to change the “quote” marks to the generic command line ones. You’ve been warned.
Kristof Kowalski – kristof@kowalski.ms
Hi, I followed your steps but when I go to the WebConsole or WebDesktop I still get a certificate warning. Any reason why this could be?