Microsoft KB Archive/915840

= How to install root certificates on a Windows Mobile-based device =

Article ID: 915840

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition

-

INTRODUCTION
This article describes certificate stores and root certificates in Microsoft Windows Mobile 5.0 software for Pocket PCs. This article also describes how to install root certificates on a Windows Mobile-based device.



Certificate stores
Certificate stores hold the digital certificates on a mobile device. By default, Windows Mobile-based devices have the following certificate stores:
 * The ROOT store contains the trusted, self-signed root certificates that identify root certification authorities. This store typically contains the certificates of well-known public certification authorities.
 * The CA store contains trusted intermediate certificates that identify intermediate certification authorities.
 * The MY store contains the user's personal client certificates.

Note To store root certificates securely on a Windows Mobile-based device, Windows Mobile uses the CryptoAPI certificate store.

Microsoft Exchange ActiveSync, the synchronization component of Microsoft Exchange Server 2003, relies on the ROOT store of the Windows Mobile-based device. When the device connects to the server over SSL, it verifies that the server's certificate chains, directly or through intermediate certificates, to a certificate in that store, that is, that the server certificate was issued by an authority the device trusts.

Root certificates that are installed on a Windows Mobile-based device
The following root certificates are installed on a Windows Mobile-based device:
 * Class 2 Public Primary Certification Authority (VeriSign, Inc.)
 * Class 3 Public Primary Certification Authority (VeriSign, Inc.)
 * Entrust.net Certification Authority (2048)
 * Entrust.net Secure Server Certification Authority
 * Equifax Secure Certification Authority
 * GlobalSign Root CA
 * GTE CyberTrust Global Root
 * GTE CyberTrust Root
 * Secure Server Certification Authority (RSA)
 * Thawte Premium Server CA
 * Thawte Server CA

Note Windows Mobile 5.0 with AKU2 (MSFP) additionally has a root certificate from ValiCert installed (http://www.valicert.com/).

We recommend that you obtain the server certificate from a certification authority that the device already trusts, or from an intermediate authority whose certificate chains to such a trusted root. If an intermediate authority is involved, the server must send the intermediate certificate during the SSL handshake, because the device's CA store does not necessarily contain it and the device cannot build the chain without it.

Known third-party Secure Sockets Layer (SSL) certificates are issued by trusted root certification authorities that have a root store presence in Windows Mobile-based devices. For more information about these SSL certificates, visit the following Microsoft Web site:

http://go.microsoft.com/fwlink/?LinkId=61499

Sometimes you have to use a self-signed certificate, or a certificate from a certification authority that the device does not trust. In this case, Exchange ActiveSync cannot establish the SSL connection unless the corresponding root certificate can be installed on the device. Whether a root certificate can be installed depends on the security policy that the original equipment manufacturer (OEM) or the mobile operator configured on the device.
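Before copying anything to the device, it is worth checking on the desktop whether the Exchange server's certificate actually chains to one of the roots listed above, and, if it does not, which root you need to install. The following Windows PowerShell script is an added example and is not part of the original article or of any Microsoft tool: it records the chain the server presents during an SSL handshake, compares the top of the chain with the root names from this article, and, when the root is not pre-installed, exports it as a DER-encoded .cer file for the built-in certificate installer. The server name, port and output path are assumed values; the match is a name match on the subject, because the article lists names only, not thumbprints.

```powershell
# Added example, not code from the original article. Run on the desktop PC
# (Windows PowerShell 2.0 or later), not on the device. Assumed values: the
# server name, the port and the output file name.
param(
    [string]$Server  = "mail.contoso.com",          # assumed: your OWA/ActiveSync host
    [int]   $Port    = 443,
    [string]$OutFile = (Join-Path $PWD "device-root.cer")
)

# Root certificate names from this article (Windows Mobile 5.0 defaults).
# Matched as substrings of the subject DN; this is a name match, not a
# thumbprint match, because the article gives names only.
$WindowsMobileRoots = @(
    "Class 2 Public Primary Certification Authority",
    "Class 3 Public Primary Certification Authority",
    "Entrust.net Certification Authority (2048)",
    "Entrust.net Secure Server Certification Authority",
    "Equifax Secure Certification Authority",
    "GlobalSign Root CA",
    "GTE CyberTrust Global Root",
    "GTE CyberTrust Root",
    "Secure Server Certification Authority",
    "Thawte Premium Server CA",
    "Thawte Server CA"
)

# 1. Capture the raw certificates the server sends. The callback accepts any
#    chain so the handshake completes and we can inspect it. This is a
#    diagnostic; never use an accept-all callback in a real client.
$script:chainRaw = New-Object 'System.Collections.Generic.List[byte[]]'
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    foreach ($el in $chain.ChainElements) { $script:chainRaw.Add($el.Certificate.RawData) }
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try     { $ssl.AuthenticateAsClient($Server) }
finally { $ssl.Dispose(); $tcp.Close() }

# 2. Rebuild certificate objects from the raw bytes; the chain object handed
#    to the callback must not be used after the handshake has finished.
$certs = @(foreach ($raw in $script:chainRaw) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
})
if ($certs.Count -eq 0) { throw "No certificate chain was captured from $Server" }

$leaf = $certs[0]
$top  = $certs[$certs.Count - 1]                 # highest certificate .NET could reach
$topIsSelfSigned = ($top.Subject -eq $top.Issuer)

"Server certificate : $($leaf.Subject)"
"Chain length       : $($certs.Count)"
"Top of chain       : $($top.Subject)  (self-signed: $topIsSelfSigned)"

if (-not $topIsSelfSigned) {
    # No self-signed root was reached: the server is not sending its
    # intermediate certificate(s). The device will fail to build the chain no
    # matter which roots it trusts, so fix the server's certificate chain first.
    Write-Warning "Chain does not end in a self-signed root; intermediate certificate(s) are missing on the server."
    return
}

$match = $WindowsMobileRoots | Where-Object { $top.Subject -like "*$($_)*" }
if ($match) {
    "Root '$match' is pre-installed on Windows Mobile 5.0; no root certificate install should be needed."
    return
}

# 3. The root is not in the device's ROOT store: export it DER-encoded, which
#    is the .cer format that Certinst.exe and SmartPhoneAddCert.exe expect.
$der = $top.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)
"Root '$($top.Subject)' is NOT pre-installed on the device."
"Root thumbprint    : $($top.Thumbprint)"
"Wrote DER root certificate to $OutFile. Copy it to the device and install it with the steps below."
```

Compare the printed thumbprint with the one published by whoever operates the certification authority before you install the file: a root obtained over the network from the very server you are about to trust is exactly what an attacker in the path could substitute, and once it is in the ROOT store the device will trust every certificate chained to it.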

How to install root certificates
Only trusted processes can install certificates. On a two-tier device, which distinguishes privileged from normal applications, only privileged applications run as trusted processes. Therefore, either the device manager (the OEM or the mobile operator) must configure a security policy that lets you install a certificate, or the application that installs the certificate must be signed with a certificate that is in the privileged execution certificate store on the device.

When the security policy on the Windows Mobile-based device grants you the device manager role, you can install a root certificate file by using the built-in certificate installer. To use the built-in certificate installer, follow these steps:
 * 1) Connect the mobile device to the computer.
 * 2) On the computer, start ActiveSync 4.1, and then click Explore.
 * 3) Copy the root certificate file (.cer, DER-encoded) to the device.
 * 4) On the device, open the .cer file. The .cer file type is associated with the built-in Certinst.exe installer, which adds the certificate to the ROOT store.

If the security policy on the Windows Mobile-based device prevents the built-in certificate installer from working, try the following steps to install the certificate:
 * 1) Download the SmartPhoneAddCert.exe tool to your computer. The following file is available for download from the Microsoft Download Center:

Download the SmartPhoneAddCert.exe package now.

Note Some mobile operators provide a signed version of this tool. If a signed version is available for your device, download the signed version, because an unsigned copy is subject to the same security policy that blocked the built-in installer.
 * 2) Run SmartPhoneAddCert.exe to extract the contents to a folder on your computer.
 * 3) Copy the extracted SmartPhoneAddCert.exe to your device.
 * 4) On your device, create a folder that is named "Storage." SmartPhoneAddCert.exe searches for the certificate in this folder.
 * 5) Copy the root certificate (.cer file) to the Storage folder on your device.
 * 6) Run SmartPhoneAddCert.exe on the device. Click to select the .cer file that you copied to the Storage folder, and then install the root certificate.

If you have problems when you try to install certificates on your device, contact your OEM or your mobile operator. Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information. For information about how to contact your OEM or your mobile operator, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 Hardware and software vendor contact information, A-K

60781 Hardware and software vendor contact information, L-P

60782 Hardware and software vendor contact information, Q-Z

Keywords: kbsecurity kbhowto KB915840

-


© Microsoft Corporation. All rights reserved.