I think, I got the solution.
Thanks to this How-To
http://wiki.contribs.org/Certificates_signed_by_own_CA, that pointed me in the direction I was looking for.
Here's the situation: Winmobile 6.1 (maybe also later versions) requires for activesync a trusted certificate. I have no fix IP for my company server, my webpage is hosted by an ISP. For emails, contacts, calendar and tasks I use zarafa 7.0.1-28479 with z-push 1.5.5-790. It's easy to get access to the server from outside with a DynDns account. It's much more harder to get this stuff synced on a mobile phone running winmobile 6.1 OS. Here are the steps, that worked for me:
1. Follow the How-To exactly.
2. By editing the openssl.cnf, you have to put the correct values in:
# START EDITING HERE ------------------------------------------------------------
# Default values for the above
0.organizationName_default = XYZ Corporation
organizationalUnitName_default = IT Department
localityName_default = My City
stateOrProvinceName_default = My State
countryName_default = DE
commonName_default = YOUR_NAME.dyndns.org Root CA
emailAddress_default = support@YOUR_NAME.dyndns.org
# STOP EDITING HERE ------------------------------------------------------------
3.
./make_root_cert.sh YOUR_NAME.dyndns.org
4.
./make_cert_request.sh FQHN
Common Name (hostname, IP, or your name) [FQHN]:YOUR_NAME.dyndns.org <--- You have to overwrite the default
5.
./make_cert.sh FQHN YOUR_NAME.dyndns.org
6. Follow the How-To
7. convert the ca for your mobile
openssl x509 -in YOUR_NAME.dyndns.org_ca_cert.crt -inform PEM -out YOUR_NAME.dyndns.org_ca_cert.cer -outform DER
8. Transfer the converted cert on your mobile and install it.
9. Configure your mobile for activesync. Use as email-adress any zarafa-user@YOUR_NAME.dyndns.org. Use as server-adress YOUR_NAME.dyndns.org. Enter user and password. Use as domain the main domain of your server.
10. Check with tail -f /var/log/httpd/access_log if the device connects to z-push.
It worked for me, maybe it'll help some other people.
stefan