Active Sync Certificate
Hi, please can someone confirm: when a PDA first connects to Exchange 2007 CAS, does it download the CAS server certificate to encrypt the device, or does it download the CAS certificate and then use this for SSL? Also, when you renew the cert, do you have to change the AS policy to get clients to check for updates? Thanks
June 9th, 2010 3:03pm

Hi, if you still use the self-signed certificate then you need to install this on the PDA; if you renew the self-signed then you need to install that new cert on the PDA. If you use a public certificate then check the certificate chain and install the root cert on the device. You don't have to change the AS policy when you renew the cert.
Greetzz, Timmy
June 9th, 2010 3:31pm

Cheers mate, I use a public cert and have never had to install the chain; just needed to confirm that the device does pull down the public cert. How does the device know to pull down the new cert?
June 9th, 2010 3:42pm

Also, what certificate does the PDA use to encrypt the device? Thanks again
June 9th, 2010 3:46pm

A PDA never pulls down a certificate. It only needs to verify the trust of the cert against the root CA before encrypting the data.
Quote: SSL Certificates 'guarantee' the identity of a server by assigning a certificate to a server that comprises a digital hash value calculated by running the server's name through a complex algorithm. When requesting content from a server, the server presents its certificate, containing the hash value. Should the requesting machine perform a calculation on that hash value and come up with anything other than the expected server name, the connection is flagged as insecure. That is a massive simplification, but you get the idea.
In order to be able to perform the calculation, the requesting server needs to be able to access the algorithm. If the server was assigned a root-trusted certificate (by providers such as VeriSign or Thawte), that algorithm is preinstalled on the device already. When using a self-signed certificate, your CA is not automatically trusted by the client device, so your root CA certificate (that contains the algorithm) needs to be installed onto devices manually before any certificates issued by that CA can be trusted.
In a nutshell, in order to be able to trust a certificate, the root certificate of the CA that issued that certificate needs to be installed on the device.
I noticed recently that public certificate issuers use different root CA certs than those pre-installed on the device/machine. So it's a good practice to check it...
Greetzz, Timmy
June 9th, 2010 3:53pm
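
The following is an added example, not part of the thread or of any poster's reply: it uses the `openssl` command line to show that a client's trust decision depends on the issuing root being in its trust store, so a server certificate renewed from the same CA is accepted without touching the device. The host name `mail.example.test`, the CA names and all file names are hypothetical, and every key and certificate is generated on the spot.

```shell
#!/usr/bin/env bash
# Constructed demo PKI; nothing here comes from a real Exchange server.
set -u
WORK=$(mktemp -d)

# Issue a server certificate (file prefix $1) signed by the demo root CA.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=mail.example.test" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Create a self-signed root certificate with file prefix $1 and CN $2.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=$2" -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Return 0 if server certificate $2 verifies against trust-store file $1.
device_trusts() {
  openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

setup_pki() {
  make_root root  "Demo Root CA"        # the CA that issues the server certs
  make_root other "Unrelated Root CA"   # stands in for a device lacking that root
  issue_server_cert original            # certificate in use today
  issue_server_cert renewed             # renewal: new key pair, same issuing CA
}

setup_pki
for store in root other; do
  for cert in original renewed; do
    if device_trusts "$WORK/$store.crt" "$cert"; then
      result="trusted"
    else
      result="REJECTED"
    fi
    echo "trust store=$store.crt  server cert=$cert  -> $result"
  done
done
```

Both server certificates verify against a store holding the issuing root and both fail against a store that lacks it, whichever of the two the server presents.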
