KB291138: Setting up a Usher Server certificate when it is signed by a Certificate Authority that is not currently trusted


Community Admin • Strategy

SYMPTOM:
When setting up Usher, if the customer's Usher server certificate is issued by a certificate authority (CA) that is not trusted, the certificate is rejected by the Usher app and by the AD (Active Directory) agent. As a result, communication between the Usher app and the Usher server, and between the AD agent and the Usher server, fails.
 
CAUSE:
This is a known issue. The Usher app and the AD agent each validate the Usher server certificate against their own list of trusted CAs, so the server certificate must chain to a CA that is trusted by both the Usher app and the AD agent. If the issuing CA (or its root) is missing from either trust list, that component rejects the certificate.
 
ACTION:
Resolving this involves adding the CA certificates (the root CA and any intermediate CAs, not the server certificate itself) to three different places: the iOS Usher app, the Android Usher app, and the AD agent.
First, retrieve the complete certificate chain and save the certificates for the root CA and all intermediate CA(s) as individual files. The following steps show how to use certutil.exe on Windows (a built-in tool, nothing to install) to do this. The example assumes the server is www.youtube.com and that the server certificate has been saved as youtube.crt (replace youtube.crt with the name of your server certificate file in the commands).

    1. Make sure the computer is connected to the Internet, so that Windows can download any intermediate CA certificates referenced by the server certificate and build the complete chain.
    2. Open a new command prompt window.
    3. Go to the folder where youtube.crt is saved and type "certutil.exe -UI youtube.crt" to open the certificate in the Windows certificate viewer (double-clicking youtube.crt in Explorer opens the same viewer).
    4. Click on the "Certification Path" tab.
    5. Double-click the top entry (the root CA), or select it and click "View Certificate".
    6. Click on "Details" to switch to the Details tab, then click the "Copy to File" button.
    7. Follow the wizard, select the "Base64 encoded X.509 (.CER)" format, and choose a name for the file. In our case, we call it geotrust_rootca.cer.

Perform the same steps for each intermediate CA in the certification path and save the corresponding certificate(s) as separate file(s). Before distributing any CA certificate to devices, confirm its thumbprint with the party operating the CA: every device that trusts the root will accept any server certificate that root issues, so only install CAs you have verified.
For the iOS Usher app, the issue is fixed by installing the root CA certificate and the intermediate CA certificate(s) on the mobile device. This can be done manually, but is best performed through the MDM provisioning profile.
For the Android Usher app, send the certificate files to the Usher Client team. The Usher Client team will:
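The following PowerShell script is an added example and is not part of the original KB article or of Strategy's own tooling. It does the same job as the certutil / certificate viewer steps above without clicking through the UI: it builds the certification path for a saved server certificate with .NET's X509Chain and writes each CA in the path (root and intermediates, never the server certificate itself) to its own Base64 .cer file. It assumes the server certificate is saved as .\youtube.crt (DER or Base64) and that the machine can reach the AIA URLs in the certificate so that Windows can download the intermediates; the output folder name .\chain is an arbitrary choice.

```powershell
# Added example (not from the original KB): export every CA in a server
# certificate's chain as an individual Base64 (PEM) .cer file.
# Assumes .\youtube.crt exists and Internet access is available for AIA fetching.
param(
    [string]$ServerCertPath = '.\youtube.crt',   # assumed input file
    [string]$OutDir = '.\chain'                   # assumed output folder
)

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    ((Resolve-Path $ServerCertPath).Path)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is irrelevant for extracting the issuer chain; skip it so the
# build does not fail on an unreachable CRL/OCSP endpoint.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# The root is, by the premise of this KB, not yet trusted on this machine.
# Allow the chain to be built anyway; the untrusted root is reported, not fatal.
$chain.ChainPolicy.VerificationFlags =
    [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority

if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}

if ($chain.ChainElements.Count -lt 2) {
    Write-Warning 'No issuer certificates found; check Internet access and the AIA URLs in the server certificate.'
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Element 0 is the server (leaf) certificate; elements 1..n-1 are the issuing
# CAs, ending at the root. Only the CA certificates are exported.
for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
    $cert   = $chain.ChainElements[$i].Certificate
    $isRoot = ($cert.Subject -eq $cert.Issuer)   # self-issued => root CA
    $kind   = if ($isRoot) { 'root' } else { "intermediate$i" }
    $file   = Join-Path $OutDir "$kind.cer"

    # "Base64 encoded X.509 (.CER)", the same format the Copy to File wizard produces.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
        Set-Content -Path $file -Encoding ASCII

    # Print the SHA-1 thumbprint so it can be checked against the CA operator's
    # published value before the file is pushed to devices or the AD agent.
    "{0,-14} {1}`n   Subject: {2}`n   SHA1:    {3}" -f $kind, $file, $cert.Subject, $cert.Thumbprint
}
```

Run it from the folder containing the server certificate (for example `.\Export-UsherCaChain.ps1 -ServerCertPath .\youtube.crt`). If the only warning is UntrustedRoot, that is the expected state before the root is installed; any other chain status (a broken signature, an expired intermediate, a NotTimeValid element) means the chain itself is defective and installing the root on devices will not make the Usher server certificate acceptable.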

  1. Add the root CA and intermediate CA certificate(s) to the trusted CA list file in the source code, CACerts.h
  2. Rebuild the app
  3. Deliver the new app to users by one of the following means:
    1. Distribute it through MDM
    2. Submit the newly built app as a new version to the Google Play store so users can install it from there
    3. Publish the newly built app as an APK file that users can download and install on their mobile devices
    4. Publish the newly built app in a Google private app store

For the AD agent, first copy all the CA certificate files obtained above to the agent machine. During setup, in the window shown below, select "No" for "Is signing CA included in the default trusted signing CA list?", then provide a "Certificate path" and a "CA alias" for each CA certificate (root and each intermediate).
 


 
Additional Note:
The AD agent applies tighter control over which CAs it trusts. Even if a CA is trusted by the Usher app, the AD agent may not trust it. In this case, obtain all the CA certificate files as described above and follow the AD agent instructions to set up trust for the CA in the AD agent.
 
Third Party Software Installation Warning:
The third-party product(s) discussed in this technical note are manufactured by vendors independent of Strategy. Strategy makes no warranty, express, implied or otherwise, regarding these products, including their performance or reliability.



Knowledge Article. Published: June 7, 2017. Last Updated: June 7, 2017.