Microsoft KB Archive/841060

= How to add root certificates to Windows Mobile 2003 Smartphone and to Windows Mobile 2002 Smartphone =

Article ID: 841060

Article Last Modified on 10/25/2007


== APPLIES TO ==


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Windows Mobile 2003 software for Smartphone
 * Microsoft Smartphone 2002 software
 * Microsoft Mobile Information Server 2002 Enterprise Edition




== SUMMARY ==
This article describes implementation options that you can use to add root certificates to Microsoft Windows Mobile 2003 Smartphone and to Microsoft Windows Mobile 2002 Smartphone.



== MORE INFORMATION ==
Microsoft Windows Mobile-based Smartphones use the Microsoft Crypto API (CAPI) certificate store to securely store root certificates. The following applications use root certificates:
 * Microsoft Pocket Internet Explorer for Secure Sockets Layer (SSL) connections.
 * Microsoft ActiveSync when it is configured to synchronize directly with either Microsoft Mobile Information Server (MIS) or with Microsoft Exchange 2003 Server.
 * Layer 2 Tunneling Protocol (L2TP)-based virtual private network (VPN) connections that are available in Windows Mobile 2003-based Smartphone.
 * Third-party programs as necessary.

To use one of the previously mentioned four applications with internal SSL Web sites without receiving warnings about untrusted certificates, use one of the following implementation options:
 * Obtain the backend server certificate from one of the certificate authorities that are represented by the root certificates that are included on the device.
 ** The root certificates that are included with the Windows Mobile 2002-based Smartphone device represent the following certificate authorities: VeriSign, Cybertrust, Thawte, Entrust.
 ** The root certificates that are included with the Windows Mobile 2003-based Smartphone device represent the following certificate authorities: VeriSign, Cybertrust, Thawte, Entrust, GlobalSign, Equifax.
 * Add the root certificate for the private issuing authority on the device that you choose. Make sure that you do this before you follow the steps in the "How to add root certificates to Windows Mobile 2002 Smartphone and Windows Mobile 2003 Smartphone" section.

=== How to add root certificates to Windows Mobile 2002 Smartphone and to Windows Mobile 2003 Smartphone ===

 * 1) Export the root certificate to a computer that is running Microsoft Windows in DER encoded binary X.509 format with a .cer file name extension.
 * 2) Connect your Smartphone to the computer.
 * 3) On your computer, start ActiveSync, and then click Explore.
 * 4) Copy the SPAddCert.exe file to one of the following locations on the Smartphone, depending on your situation:
 ** Windows Mobile 2003 Smartphone - copy the file to \Storage\Windows\Start Menu\Accessories on the Smartphone.
 ** Windows Mobile 2002 Smartphone - copy the file to \IPSM\Windows\Start Menu\Accessories on the Smartphone.
 * 5) Copy the exported root certificate file to one of the following locations, depending on your situation:
 ** Windows Mobile 2003 Smartphone - copy the exported root certificate file to either \Storage on the Smartphone or the root folder of a storage card.
 ** Windows Mobile 2002 Smartphone - copy the exported root certificate file to either \IPSM on the Smartphone or the root folder of a storage card.
 * 6) On the Smartphone, click Start, click Accessories, and then click SPAddCert.
 * 7) Select the certificate with the Dpad, and then click OK. The certificate details will appear.
 * 8) Click OK when you are prompted to add the certificate \IPSM\smartphone.cer.
 * 9) Restart your Smartphone.
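
A pre-flight check for the file exported in step 1, as an added example that is not part of the original article or of the SPAddCert package: it confirms that the .cer file is DER binary rather than a Base-64 export, that issuer and subject match (a root, not an intermediate or server certificate), and returns the SHA-1 value that Windows displays as the certificate Thumbprint, so it can be compared with the value published by the private issuing authority before the root is trusted on the device. The function names and the unsigned, certificate-shaped sample are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                   # short-form length
        length, start = first, pos + 2
    else:                                              # long form: next n bytes hold the length
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length")
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated element")
    return tag, start, start + length

def check_export(data):
    """Check an exported .cer file; "ok" is True only for a DER, self-issued certificate."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return {"encoding": "base64", "ok": False}     # step 1 requires DER binary: re-export
    try:
        tag, start, end = read_tlv(data, 0)            # Certificate
        if tag != 0x30 or end != len(data):
            raise ValueError("not exactly one DER SEQUENCE")
        tag, pos, tbs_end = read_tlv(data, start)      # tbsCertificate
        fields = []
        while pos < tbs_end and len(fields) < 5:
            t, _, e = read_tlv(data, pos)
            if t != 0xA0:                              # skip the optional [0] version
                fields.append(data[pos:e])
            pos = e
        if tag != 0x30 or len(fields) < 5:
            raise ValueError("not certificate-shaped")
    except (ValueError, IndexError):
        return {"encoding": "unknown", "ok": False}
    # fields: serialNumber, signature, issuer, validity, subject
    return {"encoding": "der", "ok": fields[2] == fields[4],
            "sha1": hashlib.sha1(data).hexdigest().upper()}

# Constructed, unsigned certificate-shaped sample (not a real CA certificate).
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body              # sample stays under 128 bytes
def _name(cn):                                         # Name with one CN attribute (OID 2.5.4.3)
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, cn))))

def sample_cert(issuer_cn, subject_cn):
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101050500"))   # sha1WithRSAEncryption
    body = (bytes.fromhex("a003020102020101") + alg + _name(issuer_cn)
            + _tlv(0x30, _tlv(0x17, b"040429000000Z") * 2) + _name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x30, body) + alg + _tlv(0x03, b"\x00\x00"))
```

For a real export, pass the bytes of the .cer file to `check_export`; the check does not verify the signature or validity period, which the certificate details shown in step 7 still need to confirm.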

Note The SPAddCert utility runs only on Smartphones that have the Unrestricted Application Security Policy. If your device has been restricted by the mobile operator, you will receive the following message:

This device is currently secured such that certificates cannot be added to the root store. For support please contact your device administrator.

For the SPAddCert utility to run on restricted Smartphones, it must be signed and distributed by the mobile operator. A restricted Smartphone is a telephone that uses a Restricted policy or a Standard Prompt policy. Contact your mobile operator for support.

Windows Mobile-based Smartphones implement an application security model that is based on digital code signing. Application security helps protect the integrity of the end-user’s device by not permitting the user to run programs that are from an unknown source.

The mobile operator company decides whether to implement application security before it brings a Smartphone to market. The mobile operator may change its policy decision at any time.

For more information about Smartphone Application Security, see the “A Practical Guide to the Smartphone Application Security and Code Signing Model for Developers” section at the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms839377.aspx

The following download provides sample scripts to add certificates to Smartphones.

The following file is available for download from the Microsoft Download Center:

Download the SmartPhoneAddCert.exe package now.

Release Date: April 29, 2004

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

=== Verizon Smartphones ===
Microsoft has worked with Verizon Wireless to create a signed version of the SPAddCert.exe utility to run on Verizon Wireless Windows Mobile Smartphones. To download the VZW_SPAddCert.exe file, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=5D7E27EE-4654-480C-876D-442AED8F47AE&displaylang=en

Release Date: October 15, 2004

=== Sprint Smartphones ===
Microsoft has worked with Sprint PCS to create a signed version of this SPAddCert.exe utility to run on Sprint PCS Windows Mobile 2003 SmartPhones. To download the SPCS_signed_SPAddCert.exe file, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E479CE04-514E-408E-B1CB-0D902D23616F&displaylang=en

Microsoft has worked with Sprint to create a signed version of this SPAddCert.exe utility to run on Sprint iDEN Windows Mobile 2003 SmartPhones. To download the SprintIden_signed_SPAddCert.exe file, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=D5DEBD1C-FD62-44BA-813C-18660D9BFD49&displaylang=en


© Microsoft Corporation. All rights reserved.