Personal Certificate Import Utility for Pocket PC 2003 and Windows Mobile

Last update: Jun 11, 2007

1.1 Introduction

I have made three programs for Pocket PC 2003, Windows Mobile 5.0 and Windows Mobile 6. These are P12imprt, PFXimprt and Crtimprt. See below for a comparison of the three programs and where to download them. All three programs allow you to import:

A "Personal Certificate" issued by any Certificate Authority (CA).
A private key which corresponds to this certificate.
One, zero or more "Root Certificates".

Once an X.509 personal certificate is installed, you can use it to for user authentication on the Pocket PC. The imported certificate can be used in the following scenarios:

User authentication in L2TP/IPsec VPNs (more info).
Web client authentication in Pocket Internet Explorer (SSL, HTTPS) (more info).
User authentication in 802.1x wireless networks (EAP-TLS only) (more info).
Exchange ActiveSync certificate-based authentication (more info).
Microsoft Office Communicator Mobile Client (more info).
Sending and receiving encrypted e-mail (S/MIME) (more info).
Other third-party applications that happen to support personal certificates.

2.1 Differences between P12imprt, PFXimprt and Crtimprt

I have made three programs, but I recommend P12imprt over the other two. It is the easiest to use and it runs on Pocket PC 2003, Windows Mobile 5.0 and Windows Mobile 6. It is a bit larger than the other programs but after you have installed your personal certificate you can simply delete the executable or move it to your Storage Card (flash memory).

The following table compares the features of my three programs. They are also compared to other methods supported by Microsoft:

	P12imprt	PFXimprt	Crtimprt	Enroll	AS 4.1+ enroller	AS 4.5 enroller	WM6 cert import
Supplier	me	me	me	MSFT	MSFT	MSFT	MSFT
Supports Pocket PC 2003 (SE)	yes	no	yes	yes	no	no	no
Supports Windows Mobile 5.0	yes	yes	yes	yes	yes	no	no
Supports Windows Mobile 6	yes	yes	yes	yes	yes	yes	yes
Imports PKCS#12 files directly without conversion	yes	yes	no	no	no	no	yes
Graphical user interface	yes	yes	no	yes	yes	yes	yes
Supports any CA (no Microsoft vendor lock-in)	yes	yes	yes	no	no	no	yes
Supports Unicode passwords	no	yes	no	yes	(n/a)	(n/a)	yes
Supports certificates for S/MIME secure e-mail	yes	yes	yes	no	yes	yes	yes
Documentation available from supplier	yes	yes	yes	yes	yes	some	no
Ease of use	++	++	-	--	---	+	+++
Source code available	yes	yes	yes	yes	no	no	no
GPL Licensed ('Free as in free speech')	yes	yes	no	no	no	no	no
Source code compiles on free compiler	yes	no	yes	yes	(n/a)	(n/a)	(n/a)
Readily available for download (or in ROM)	yes	yes	yes	no	yes	yes	yes
Size of executable on device	676 KB	135 KB	30 KB	24 KB	in ROM	in ROM	in ROM

In my opinion P12imprt has its advantages over the other programs. PPCCertImport by Kiko Vives Aragonés and Antonia Saez Bernal is similar to Crtimprt, only it is not based on Microsoft source code and it has a BSD-style licence.

I have not yet tried the certificate enrolment in Vista Mobile Device Center. Apparently it requires Exchange server which increases the cost of ownership.

(Sorry, I am not good at inventing names for programs. All my three programs basically do the same thing and I came up with equivalent names :-).

2.1. Web enrolment, the MSFP update and ActiveSync 4.5

Web enrolment is the only method that is officially supported by Microsoft. There are a number of implementations that can be used for web enrolment:

The "Enroll" program or the enrolment client included with the MSFP update.
The "Messaging and Security Feature Pack for Windows Mobile 5.0" (MSFP) is an AKU2 update for (some) Windows Mobile 5.0 devices. More recent devices ship with this update on board. The MSFP update add support for S/MIME and it includes a web enrolment client which allows the Windows Mobile 5.0 device to enrol for a personal certificate using an Desktop ActiveSync connection to a PC. However, I have not been able to get this working. There is some documentation but the setup is finicky and difficult to troubleshoot.
ActiveSync 4.5 has a new "Get Device Certificates" menu option. It works only with Windows Mobile 6 devices. The menu option remains ghosted with other devices.
A third-party program called PKI Companion by winlinx is available. I don't have much information on it. They have not responded to my repeated attempts to contact them, so I assume they are no longer interested in offering their product on the market.

Back to Contents

3.1 Author

The author of this document is Jacco de Leeuw (contact me). Corrections, additions, extra information etc. are much appreciated.

Jacco de Leeuw