Public SSL certificates
The Business Connect mobile app relies on the native SSL/TLS validation mechanisms of the mobile operating system to establish a secure HTTPS connection. Unlike web browsers, mobile apps and operating systems cannot ignore or bypass SSL certificate warnings or validation errors, even if the same URL can be opened successfully in a browser. SSL certificates presented by the Business Connect Server must be trusted by the device at a system level.
When a public SSL certificate is used, the certificate chain is validated against a public root Certificate Authority (CA) that is usually included in the trusted root store of the mobile device.
As a result:
- The SSL connection is validated successfully.
- The app can connect to the server.
- The app can retrieve the server configuration without errors.
- No additional configuration is required on mobile devices.
We recommend this approach to ensure the highest level of security and compatibility across all supported mobile devices.
If a private or internally signed certificate is used, its root CA is not trusted by default on mobile devices. When this situation occurs:
- The mobile operating system rejects the SSL connection.
- The app cannot connect to the server.
- The server configuration cannot be retrieved.
As an alternative to public SSL certificates, it is possible to use a private (enterprise) SSL certificate, but this option requires additional configuration. The following conditions must be met:
- The root CA certificate of the organization (that signed the server certificate) must be installed and trusted on every mobile device.
- The private certificate must be correctly configured in the IIS bindings site for Business Connect.
- If the root CA is missing or not trusted on the device, the app will not connect.
Login issues
If there are non-self-signed certificates in the Trusted Root Certificate Authority store on the IIS server, login errors will occur. Run the following command to verify:
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"
To resolve the issue, do one of the following:
- Uninstall the non-self-signed certificates in the CA store.
- Set this registry key and then reboot the server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL ClientAuthTrustMode =dword:00000002
For more information, see the following Microsoft articles: