1. Cixert's Avatar
    I would like to know how to update the client certificates on BBOS.
    In general, I am not very clear on how to perform the standard procedure in the various browsers and systems, such as on a Windows computer.
    I have many doubts:
    - Do certificates exist that are installed automatically on BBOS after visiting a web page?
    - Is it necessary to install or update the certificates of the various certification authorities one by one, or is there a procedure to update them all at the same time?

    I read that there is a procedure on BBOS. But I'm not sure it works. Is this the correct procedure?

    1. Connect the phone to a Wi-Fi network and close the applications, plug the USB cable into the computer connected to the Internet, and run BB Desktop Software.
    2. Tools + Options + Certificates = certificates appear in the main left tab.
    3. Click on Certificates from the main menu
    4. Enter any password.
    5. Wait a few seconds until phone certificates are recovered
    (if it takes more than 5 minutes there is an error, close and repeat the process)
    6. In the «main» option select «Synchronize the certificates»
    7. Wait until the phone restarts.


    After doing it I get more error messages than before doing it.
    For example every time I enter direct access to https://m.facebook.com from Facebook 4.4.0.16 it appears
    "mismatch error in the domain name"
    Attempt to connect to fbcdn.net
    The server certificate is configured to:
    * .facebook.com
    * .fb.com
    *.etc

    The administrator has deactivated it.

    Then I click on see certificate:
    Revocation status:
    Unknown.
    Trusted status:
    It is not trusted.
    Due date:
    July 31, 2019
    Type of certificate:
    X509

    Is this the correct procedure to update the certificates?

    In addition on BBOS there is a menu in options + security + advanced + certificate servers that says:
    - LDAP Servers
      * There are no servers *
    - OCSP Servers
      * There are no servers *
    - CRL Servers
      * There are no servers *

    Can these options be useful for a private user?

    EDIT:
    The error when updating the certificates was simply that before clicking on "synchronize now" you must select the boxes of the certificates that are not installed in BBOS (except the expired ones) and then press synchronize now.
    Then the correct instructions are:
    1. Connect the phone to a Wi-Fi network and close the applications, plug the USB cable into the computer connected to the Internet, and run BB Desktop Software.
    2. Tools + Options + Certificates = certificates appear in the main left tab.
    3. Click on Certificates from the main menu
    4. Enter any password.
    5. Wait a few seconds until phone certificates are recovered
    (if it takes more than 5 minutes there is an error, close and repeat the process)
    6. You must select the certificates check boxes that are not installed in BBOS (except expired ones)
    7. In the «main» option select «Synchronize the certificates»
    8. Wait until the phone restarts.


    Unfortunately, some intermediate certificates, like Google Internet Authority G3 or Let's Encrypt, are installed but the status is "unknown string status".

    On the Facebook certificate this problem happens always with the direct access of the app 4.4
    However the universal address https://m.facebook.com from a browser works without problems after issuing a first error message

    On updating certificates with LDAP, OCSP, CRL I still have no answer.
    Last edited by Cixert; 07-06-18 at 03:36 PM.
    06-17-18 11:33 AM
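
    The "mismatch error in the domain name" quoted in the post above is a name check, which is separate from whether the issuing CA is trusted. As an added example (not part of the original post and not BlackBerry's implementation), this Python code applies the RFC 6125 wildcard rules to the two names readable in the dialog; the function names are hypothetical.

```python
# Added example: RFC 6125-style hostname check, standard library only.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def name_matches(hostname: str, pattern: str) -> bool:
    """Return True if one certificate name (pattern) covers hostname.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so "*.facebook.com" covers "m.facebook.com"
    but not "facebook.com" or "a.b.facebook.com".
    """
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat) or "" in host or "" in pat:
        return False
    if pat[0] == "*":
        # Refuse wildcards that would span a whole suffix such as "*.com".
        if len(pat) < 3:
            return False
        return host[1:] == pat[1:]
    if any("*" in label for label in pat):
        return False  # partial or non-leftmost wildcards are rejected
    return host == pat


def covering_names(hostname: str, cert_names: list[str]) -> list[str]:
    """Names from the certificate that cover hostname (empty = mismatch)."""
    return [n for n in cert_names if name_matches(hostname, n)]


# Constructed input: the two names legible in the post's error dialog.
CERT_NAMES = ["*.facebook.com", "*.fb.com"]

if __name__ == "__main__":
    for host in ("m.facebook.com", "fbcdn.net", "facebook.com"):
        hits = covering_names(host, CERT_NAMES)
        print(f"{host:16} -> {'OK via ' + hits[0] if hits else 'name mismatch'}")
```

    An empty result for a host means no name in the certificate covers it, regardless of which root or intermediate certificates are installed on the device.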
  2. Damian Montero's Avatar
    I haven't seen these steps before. But I have found the Google Internet Authority G3, and if you click on the file (same with the GoDaddy root certificate) they do "install" but they don't seem to be activated, or I'm doing something wrong.

    If you're looking for that certificate specifically here's the link:
    http://pki.google.com/

    notice it's http and so it'll open just fine.
    07-06-18 12:46 AM
  4. Cixert's Avatar
    I haven't seen these steps before. But I have found the Google Internet Authority G3, and if you click on the file (same with the GoDaddy root certificate) they do "install" but they don't seem to be activated, or I'm doing something wrong.

    If you're looking for that certificate specifically here's the link:
    Google Internet Authority G2 – Google

    notice it's http and so it'll open just fine.
    I think it is old certificate G2.
    New certificate G3 is in this link
    https://ssl-tools.net/subjects/f6edb...9d024a11aa6cad
    And the certificates for the future (I do not know why) are here:
    (Google Trust Services CA)
    https://pki.goog/

    I have actually extracted the Google Internet Security G3 certificate from Firefox 61 and it lights up green on Blackberry OS
    07-06-18 03:49 PM
  5. Damian Montero's Avatar
    YIKES. I wouldn't trust a certificate from a company OTHER than Google. Although the pki.goog is them. I don't know who ssl-tools.net is...

    I'll try your solution and then try the "new" google certificate to see if I get the same results you do.
    07-06-18 04:52 PM
  6. Cixert's Avatar
    YIKES. I wouldn't trust a certificate from a company OTHER than Google. Although the pki.goog is them. I don't know who ssl-tools.net is...

    I'll try your solution and then try the "new" google certificate to see if I get the same results you do.
    In addition, you must install the Globalsign root certificate "R2 GlobalSign Root Certificate"
    https://secure.globalsign.net/cacert/Root-R2.crt
    More info...
    https://textslashplain.com/2017/10/2...-authority-g3/

    It says:
    On modern versions of Windows, you can direct Windows to check its trusted certificate list against the WindowsUpdate servers by running the following from a command prompt:

    certutil -f -verifyCTL AuthRootWU

    Older versions of Windows might not support the -verifyCTL command. You might instead try downloading the R2 GlobalSign Root Certificate directly and then installing it in your Trusted Root Certification Authorities.


    Edit:
    I have seen official Google Internet Authority G3
    this is called GTS GIAG3
    https://pki.goog/gsr2/GTSGIAG3.crt
    And this is the CRL online revocation list.
    https://crl.pki.goog/GTSGIAG3.crl
    But pay attention there is another G3 ECC
    https://pki.goog/gsr4/GIAG3ECC.crt
    https://crl.pki.goog/GIAG3ECC.crl
    Last edited by Cixert; 07-06-18 at 06:09 PM.
    07-06-18 05:49 PM
