Unable to deploy certificates over the air to BlackBerry devices

Article ID: KB31298

Type: Support Content

Last Modified: 04-18-2012

 

Product(s) Affected:

  • S/MIME Support Package for BlackBerry smartphones
  • BlackBerry Enterprise Server for Microsoft Exchange

Environment

  • BlackBerry® Enterprise Server 5.0 SP3 to 5.0 SP3 MR6

Overview

The BlackBerry® smartphone displays the following sequence of messages:

Beginning enrollment
Retrieving distinguished name
Generating public/private key pair
Generating certificate request
Unable to connect to the server
The certificate request has been rescheduled

On the Certificate Authority, the user certificate is issued and displayed in the issued certificates container.

The MDAT logs show the following sequence of log lines:

<2012-03-15 10:25:55.823 GMT>:[154]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Receiving, TAG = 645752053, DEVICEPIN = 12345678, USERID = 1234, VERSION = 16, CONNECTIONID = 711295082, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = pkcs10, PROTOCOL = TCP, PARAMETERS = [mds:0], SIZE = 977>
<2012-03-15 10:25:55.823 GMT>:[156]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = StartExecuting, TAG = 645752053, DEVICEPIN = 12345678, USERID = 1234, VERSION = 16, CONNECTIONID = 711295082, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = pkcs10, PROTOCOL = TCP, PARAMETERS = [mds:0], SIZE = 977>
<2012-03-15 10:25:55.823 GMT>:[157]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = EndExecuting, TAG = 645752053, DEVICEPIN = 12345678, USERID = 1234, VERSION = 16, CONNECTIONID = 711295082, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = pkcs10, PROTOCOL = TCP, PARAMETERS = [mds:0], SIZE = 977>
<2012-03-15 10:25:55.838 GMT>:[158]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10Pinging the CA for MSHTTP,user User@Company.com, profile TEST>
<2012-03-15 10:25:55.901 GMT>:[159]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10HTTP response : 401 for GET http://CertificateAuthority.company.com/certsrv/ (User@Company.com, TEST)>
<2012-03-15 10:25:55.901 GMT>:[160]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = CreatedSendingQueue, DEVICEPIN = 12345678, USERID = 1234>
<2012-03-15 10:25:55.901 GMT>:[162]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Sending, TAG = 188284928, DEVICEPIN = 12345678, USERID = 1234, VERSION = 16, CONNECTIONID = 711295082, SEQUENCE = 0, TYPE = DISCONNECT-ORDER, SIZE = 1>
<2012-03-15 10:25:55.901 GMT>:[164]:<MDS-CS_BES0001_MDS-CS_1>:<INFO >:<LAYER = IPPP, DEVICEPIN = 12345678, DOMAINNAME = mds, CONNECTION_TYPE = DEVICE_CONN, ConnectionId = 711295082, DURATION(ms) = 78, MFH_KBytes = 0.954, MTH_KBytes = 0.001, MFH_PACKET_COUNT = 1, MTH_PACKET_COUNT = 1>
<2012-03-15 10:26:01.089 GMT>:[172]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = RemovedSendingQueue, DEVICEPIN = 12345678, USERID = 1234>
<2012-03-15 10:26:11.777 GMT>:[177]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Receiving, TAG = 645752054, DEVICEPIN = 12345678, USERID = 1234, VERSION = 16, CONNECTIONID = 711295083, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = pkcs10, PROTOCOL = TCP, PARAMETERS = [mds:0], SIZE = 1002>
<2012-03-15 10:26:11.777 GMT>:[179]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = StartExecuting, TAG = 645752054, DEVICEPIN = 12345678, USERID = 1234, VERSION = 16, CONNECTIONID = 711295083, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = pkcs10, PROTOCOL = TCP, PARAMETERS = [mds:0], SIZE = 1002>
<2012-03-15 10:26:11.777 GMT>:[180]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = EndExecuting, TAG = 645752054, DEVICEPIN = 12345678, USERID = 1234, VERSION = 16, CONNECTIONID = 711295083, SEQUENCE = 0, TYPE = CONNECTION-REQUEST, CONNECTIONHANDLER = pkcs10, PROTOCOL = TCP, PARAMETERS = [mds:0], SIZE = 1002>
<2012-03-15 10:26:11.777 GMT>:[181]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10Pinging the CA for MSHTTP,user User@Company.com, profile TEST>
<2012-03-15 10:26:12.339 GMT>:[182]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10Fetching certificate chain for MSHTTP,user User@Company.com, profile TEST>
<2012-03-15 10:26:12.699 GMT>:[183]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10Retrieving certificate chain from MS CA for User@Company.com>
<2012-03-15 10:26:12.699 GMT>:[184]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10Exception occurred retrieving certificate chain from the MS CA for User@Company.com: java.io.IOException: DerInputStream.getLength(): lengthTag=59, too big.>
<2012-03-15 10:26:12.699 GMT>:[185]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10Certificate chain request failed for TEST>
<2012-03-15 10:26:12.699 GMT>:[186]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10Requestinng end entity certificate for MSHTTP,user User@Company.com, profile TEST>
<2012-03-15 10:26:14.027 GMT>:[187]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10Retrieving end entity certificate from the MS CA for User@Company.com >
<2012-03-15 10:26:14.027 GMT>:[188]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = PKCS10End entity certificate approved for TEST, request id >
<2012-03-15 10:26:14.089 GMT>:[189]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = CreatedSendingQueue, DEVICEPIN = 12345678, USERID = 1234>
<2012-03-15 10:26:14.089 GMT>:[190]:<MDS-CS_BES0001_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, EVENT = Sending, TAG = 188284929, DEVICEPIN = 12345678, USERID = 1234, VERSION = 16, CONNECTIONID = 711295083, SEQUENCE = 0, TYPE = DISCONNECT-ORDER, SIZE = 2>
 

When the handheld keystore is checked, it does not contain the user, root or any intermediate certificate.

Cause

One of the certificates in the certificate chain is corrupt.

Workaround

To determine which certificate is corrupt, run a packet capture between the BlackBerry® Enterprise Server and Certificate Authority and review the GET requests made to the Certificate Authority.

Paste each URL seen in the GET requests into a browser window to work out which certificate is causing the error.

Re-issue the certificate which is causing the error.
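
The check below is an added example, not part of the original article or of any BlackBerry tooling: once each certificate returned by the GET requests has been saved, it tests the outer DER header of every blob to show which one a DER parser would reject. The function names, the file names, the 4-octet length limit and the sample bytes are assumptions constructed for illustration; the "badlen.cer" sample is built so that its length octet yields the value 59 reported in the log above.

```python
import base64

MAX_LEN_OCTETS = 4  # assumption: limit on long-form length octets

def der_header(blob):
    """Return (tag, content_length, header_size) of the outer TLV or raise ValueError."""
    if len(blob) < 2:
        raise ValueError("truncated: fewer than 2 bytes")
    tag, first = blob[0], blob[1]
    if first < 0x80:                  # short form: the octet is the length
        return tag, first, 2
    n = first & 0x7F                  # long form: low 7 bits count the length octets
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    if n > MAX_LEN_OCTETS:
        raise ValueError(f"length tag {n} too big")
    if len(blob) < 2 + n:
        raise ValueError("truncated inside length field")
    return tag, int.from_bytes(blob[2:2 + n], "big"), 2 + n

def classify(blob):
    """Return 'ok' or the reason the blob will not parse as a DER certificate."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        # PEM armor: drop the marker lines and check the DER inside
        lines = blob.strip().splitlines()
        body = b"".join(l.strip() for l in lines if not l.startswith(b"-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "bad base64 in PEM body"
    try:
        tag, length, hdr = der_header(blob)
    except ValueError as exc:
        return str(exc)
    if tag != 0x30:
        return f"outer tag 0x{tag:02x} is not SEQUENCE"
    if hdr + length != len(blob):
        return f"declared {hdr + length} bytes, got {len(blob)}"
    return "ok"

# Constructed samples (not real certificates): a minimal SEQUENCE and damaged variants.
GOOD = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLES = {
    "good.cer": GOOD,
    "good.pem": b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(GOOD)
                + b"\n-----END CERTIFICATE-----\n",
    "badlen.cer": b"\xef\xbb\xbf<html>",   # length octet 0xBB: 0xBB & 0x7F == 59
    "short.cer": GOOD[:-1],                # last content byte missing
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify(blob)}")
```

A blob that passes this outer check can still be malformed deeper inside; the check only narrows down which download fails at the first header.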
