The page that you are now reading describes how you can import a
file to Pocket PC 2003, Windows Mobile 5.0 and Windows Mobile 6.
A PKCS#12 file contains
personal certificate and its corresponding private key, a root
certificate and optionally a number of intermediate CA certificates.
PKCS#12 files are stubbornly called "PFX" files by Microsoft. PFX was
actually a predecessor to PKCS#12, as this PKCS#12
want to access a webserver or a mail server (e.g. Sendmail or Exchange)
secure SSL connection.
You need a root certificate,
not a personal certificate. Import
the root certificate with File
Explorer. (Note: for sending and receiving encrypted e-mail you do need
a personal certificate; see this
You want to access an 802.1x
wireless network with PEAP, EAP-FAST,
EAP-TTLS or LEAP
You want to import a personal
certificate and you own a Toshiba Pocket PC or a Qtek 9100.
These particular models already
certificate import tool. You can still use P12imprt though.
You want to import a personal
certificate and you own a wireless adapter (Socket,
These adapters already ship with
a certificate import tool. You can still use P12imprt though.
You want to import a personal
certificate and you own a Windows CE device.
Some Windows CE devices already
ship with a certificate
for PVK and CER files. (Note: Windows Mobile based Pocket PC devices
do not ship with this tool). You may be able to use P12imprt on some
Windows CE devices.
You use a third-party browser such as NetFront or Thunderhawk
and you want to use it for web client authentication
In the introduction I already listed a number of applications
personal certificates. However, the three main applications for which
you can use P12imprt are: L2TP/IPsec,
EAP-TLS and web
3.2 Installing a root
As mentioned in the introduction, there are several
applications that require a root certificate but not a personal
certificate. So, how do you install a root certificate on Windows
Mobile based devices? For
Pocket PC 2002 you had to use a separate program available from
You copied the certificate file to your PPC2002 device, ran the
AddRootCert.exe utility and the certificate was added to the
Store. On Windows Mobile 2003 Smartphone and to Windows Mobile 2002
Smartphone you use a similar
On Pocket PC 2003 and Windows Mobile it is much easier to import
a root certificate. In most cases you don't have to use
a separate utility. Root certificates can be installed using the File
Explorer application (to be more precise: the ShellExecute function,
which in turn calls the built-in program certinst.exe).
The procedure for importing a root certificate is as follows. You copy
the certificate file to the device,
you start File Explorer and then simply tap the filename. Make sure
that the certificate filename has the extension .cer. On
Pocket PC 2003 and Windows Mobile 5.0 the file has to be in DER format.
DER is a binary format.
Another common format is PEM, which is a text based format in Base64 encoding
(first line starts with: -----BEGIN CERTIFICATE-----). PEM
certificates are not supported by Pocket PC 2003 and Windows Mobile
5.0: you will have to
convert them to DER with OpenSSL, or import the PEM certificate on a
desktop Windows computer and then re-export it to DER. Windows Mobile 6
supports both DER and PEM. More information
can also be found on this
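As an added example (not code from this page or from P12imprt), the following Python checks whether a certificate file is DER or PEM, as the paragraph above distinguishes them, and converts PEM to the DER form that certinst.exe on Pocket PC 2003 and Windows Mobile 5.0 requires. The sample certificate bytes are constructed stand-ins, not a real certificate; the check that the outer SEQUENCE length matches the file size goes a little beyond the text and catches truncated or padded downloads.

```python
"""Classify a certificate file as DER or PEM and convert PEM to DER for
certinst.exe (Pocket PC 2003 / Windows Mobile 5.0 accept DER only)."""
import base64
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_outer_length(data: bytes) -> int:
    """Total encoded size of the outermost DER element, or -1 if malformed.

    A certificate is an ASN.1 SEQUENCE (tag 0x30). The length is either
    short form (< 0x80) or long form (0x81..0x84 followed by that many
    big-endian bytes); DER additionally requires the minimal encoding.
    """
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1                       # indefinite or absurd length: not DER
    length = int.from_bytes(data[2:2 + n], "big")
    min_ok = 0x80 if n == 1 else 1 << (8 * (n - 1))
    if length < min_ok:
        return -1                       # non-minimal length encoding: BER, not DER
    return 2 + n + length


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for a certificate file's contents."""
    if b"-----BEGIN " in data:
        return "PEM"
    # DER must be exactly one SEQUENCE: trailing junk or truncation fails here.
    if der_outer_length(data) == len(data):
        return "DER"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file to DER bytes.

    A .cer for File Explorer must carry a certificate only, so a PEM file
    that also contains a private key is refused instead of silently stripped.
    """
    if b"PRIVATE KEY-----" in data:
        raise ValueError("PEM file contains a private key; .cer must hold a bare certificate")
    match = PEM_CERT_RE.search(data)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(rb"\s+", b"", match.group(1))     # tolerate CRLF and wrapping
    der = base64.b64decode(body, validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return der


def prepare_for_certinst(data: bytes) -> bytes:
    """Return DER bytes ready to be saved as .cer and tapped in File Explorer."""
    fmt = detect_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":
        return pem_to_der(data)
    raise ValueError("unrecognised certificate encoding")


# Constructed sample: a SEQUENCE wrapping a 128-byte OCTET STRING, which
# exercises the long-form length (0x81 0x83). It is not a real certificate.
_INNER = b"\x04\x81\x80" + b"\x00" * 128
SAMPLE_DER = b"\x30\x81" + bytes([len(_INNER)]) + _INNER
_B64 = base64.b64encode(SAMPLE_DER)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              + b"\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + b"\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    print(detect_format(SAMPLE_PEM), "->", len(prepare_for_certinst(SAMPLE_PEM)), "DER bytes")
```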
In some cases it is a bit more difficult to install a root
certificate in Pocket PC 2003 or Windows Mobile. For example, when the
root certificate store of your device is "locked",
like many Smartphones. See this section.
In rare cases (depending on the "grant manager
policy" on the
Windows Mobile device) you cannot
use File Explorer to import a root certificate. As a workaround you
would need to create
a CAB file that installs the root certificate. The same routine can
also be used to install
intermediate certificates on those particular devices.
3.3 Installing a personal
On Pocket PC 2003 and Windows Mobile 5.0 you can use File Explorer
to install "Root" (CA)
certificates, but not "Personal" certificates. A personal certificate
has an associated private key which also has to be installed (see "Public Key
cryptography" for the basics on this). There are basically two
methods of installing a personal certificate: certificate enrolment
and certificate import. Pocket PC 2003 and Windows Mobile 5.0
do not support importing personal
certificates through File Explorer, unlike desktop Windows and Windows Mobile 6.
3.3.1 Certificate enrolment
You can only install a personal certificate on Pocket PC 2003 and
Windows Mobile 5.0 through the use of Windows
2000/2003 Server's Certificate Services. This method is called "web
enrolment". Web enrolment
is fairly easy to do on desktop Windows PCs. Internet
Explorer and ActiveX are required to request, download and install a
certificate. An undocumented proprietary protocol called Xenroll is used by Microsoft
for web enrolment. Pocket PC 2003 and Windows Mobile do not
support this type of ActiveX web enrolment.
Instead, you use a special "enrolment" program.
"Certificate enrolment" allows you
to obtain a certificate from a webserver. So, where do you obtain an
Windows Mobile 6 supports web enrolment with ActiveSync 4.5.
A certificate enrolment/import program is
wireless cards (Socket,
Some vendors ship a web enrolment program, either with the
device or as a free download. HP's 802.1x
Certificate Enrollment Tool for Pocket PC 2003 officially only runs on
HP models. But it may work on some non-HP devices as well, according to
reports (obviously you install it at your own risk in that case).
As far as I know, Toshiba and Qtek are the only Pocket PC vendors that
provide a tool for importing
a certificate from a file, and then only for selected wireless models
such as the Qtek 9100.
of the tool included with the
Toshiba e750 can be found here.
The Toshiba e830W also has a certificate import tool called "Toshiba
(see also this
screenshot). Non-wireless models such as the Toshiba e830 do not
ship with this import tool.
for a basic web enrolment program ("ENROLL") is included with the Windows
Mobile 2003 SDK for Pocket PC. Strangely
enough the ENROLL program has been removed in the SDKs for Windows
update for Windows Mobile 5.0 apparently supports web enrolment
through Desktop ActiveSync. This is a convoluted
method which involves XML, Rapi and CAB files which would result in
the device retrieving a certificate
connected to a desktop Windows PC. I have not tried this myself.
Companion, a commercial product ($ 24,99) by Socket Communications.
In the "Tools
Certificates" menu, there is an "Enroll"
option. I have not tested this program myself but there is a 3-day
that you can download.
The "Certificates" applet in the Settings->System menu of the
Windows Mobile device can
view and delete(!) certificates, not install them. The built-in
is very user unfriendly and little documentation is available from
Microsoft. Installing a certificate on Pocket PC 2003 and Windows
Mobile 5.0 through web enrolment
is not for the faint of heart (especially if you have to compile the
ENROLL sample code yourself!).
3.3.2 Certificate import
The problem with web enrolment is that the Windows Mobile device must
obtain the certificate from an (internal or external) webserver. Only
Windows 2000/2003 Server is supported: the webserver must be
IIS and the CA must be Microsoft Certificate Services.
It probably also requires Active Directory (read: Client Access
Linux user myself, I wanted to
generate my certificates on a non-Windows CA
and use a non-Windows VPN server, so I made P12imprt
Importing a certificate is an alternative to certificate enrolment. PKCS#12
files are often used to distribute personal certificates.
PKCS#12 is a standard format for storing private keys and certificates.
It is supported by many vendors, including Microsoft.
Most VPN clients support PKCS#12.
Unfortunately, Microsoft supports importing PKCS#12 files only on
Windows Mobile 6, not on Pocket PC
2003 and Windows Mobile 5.0. So you need a "certificate
import" program for the latter. So, where do you obtain a certificate
P12imprt for Windows Mobile 2003, Windows Mobile 5.0 and Windows
available from this webpage.
PFXimprt for Windows Mobile 5.0 and
Windows Mobile 6.
for Windows Mobile 2003, Windows Mobile 5.0 and Windows Mobile 6.
for Windows Mobile 2003, Windows Mobile 5.0 and Windows Mobile 6. By
Aragonés and Antonia Saez Bernal.
For a comparison of these programs, see this
page. I am
not aware of any other Pocket PC program that can import a
PKCS#12 certificate from a
file to the standard Pocket PC certificate stores.
4. Obtaining a personal certificate in a PKCS#12 certificate file
The minimum you need is a personal certificate and the
private key. These are unique for every user. Usually you also need
one or more CA (root or intermediate) certificates. These
certificates are shared by all users. In many cases the certificates
are issued by your organisation's CA and not by one of the "well-known"
CAs such as
Verisign or Thawte: using your own CA is less expensive and third-party
CAs cannot be implicitly trusted for in-house applications such as VPNs.
In most cases the user credentials (private key plus certificates) are
distributed in a PKCS#12 file. This file is handed to you by your
system administrator. The PKCS#12 file is encrypted with a password,
which is also supplied to you. Alternatively, if you already have a
certificate with private key on your desktop (Windows) PC, you can export it from
that PC to a
PKCS#12 file. You will be asked to enter a password to protect the
PKCS#12 file. If you have multiple PCs or PDAs, you
actually do not have to request different certificates. You can import
the same certificate to all these devices, if you want. In fact, if you obtained a
certificate from a well-known CA such as Verisign, exporting to PKCS#12
is probably the only way to get this certificate installed on Pocket
PC because these CAs only support desktop PCs for requesting
certificates. Instructions for exporting your personal certificate
from your browser (Internet Explorer, Mozilla or Netscape) to a PKCS#12
file can be found on this
page (note: if you export from IE you should select the option
"Include all certificates in the certification path
if possible". This will add all intermediate certificates to the
PKCS#12 file. This is required because Windows Mobile does not have the
ability to automatically retrieve intermediate certificates from a
If you are a system administrator you need a CA to generate the keys
and certificates for your users. You
can for instance use OpenSSL (with or without front-ends such as OpenCA, TinyCA or IDX-PKI) or you
could use Windows 2000/2003 Certificate Services. (Note: I don't
think it makes sense to generate certificates with RSA keys larger than
1024 bits. Windows Mobile supports 3DES encryption
and I don't think it supports AES. Using a 2048 bit key is not very
useful because the 3DES
encryption would be the weakest link and the size of the RSA key may
slow down the Pocket PC).
"P12imprt" consists of a Pocket PC 2003 executable called
and a few other files.
The executable also runs on
Windows Mobile 5.0 and Windows Mobile 6. The files
are distributed in a zip file. The zip file also contains a sample
certificate file user.pfx.
All zip files have been signed with my PGP
key. Here is the ChangeLog. The
previous version, v0.2 released on 15-Mar-2006, can be downloaded here (sig).
V0.3 fixes a problem where imported personal certificates could not be
used with S/MIME secure e-mail.
The problem was solved by using AT_KEYEXCHANGE instead of AT_SIGNATURE
as the key spec, in combination with a patch for PVK support that I had
overlooked in OpenSSL's CVS.
(Warning: do not use my sample certificate on a live
network and expect things to be secure. You have the private key, but
so does everybody else!)
6. Using P12imprt on Pocket PC 2003,
Windows Mobile 5.0 and Windows Mobile 6
Here is how to use P12imprt to import private keys and certificates to
the Pocket PC:
Copy the p12imprt.exe executable to the Windows Mobile
device. You can use any method to do the transfer: ActiveSync, a
card, network share, Bluetooth, WiFi, infrared etc. (The p12imprt.exe file is a
Windows Mobile executable, not a Win32 executable. You can't use it on
your desktop Windows computer).
Copy the certificate file (in PKCS#12 format) to your Windows
Execute p12imprt.exe by tapping
it in File Explorer.
(Note: File Explorer does not show extensions, so the file shows
up as 'p12imprt' instead of 'p12imprt.exe').
location of the PKCS#12 file or
button. By default, P12imprt will look for the file "user.pfx"
"My Documents" folder. (The actual pathname of that folder
depends on the language version of your Windows Mobile device.
In the English version, it is "\My Documents", the German
version uses "\Meine Dokumente", etc.)
Enter the password that was used to encrypt the PKCS#12 file.
(Don't tap the "Enter" key in the virtual keyboard, otherwise the
program will exit).
The certificates included in the file will be imported. If an
equivalent certificate (i.e. with the same name) already exists on your
Windows Mobile device, P12imprt will ask if
you want to
overwrite the existing
certificate. You can respond by tapping Yes, No or Cancel. If you tap
Cancel, this certificate and any remaining certificates will not be imported,
but certificates that were already imported will not be removed.
If you tap on the name of this personal certificate, you should
see its details.
Tap "OK" to return to the previous window.
Tap on the "Root" tab. You should now see the new root
certificate that you
added. If you tap on the name of this root certificate, you should see
If you have installed my sample root certificate ("TESTCA") and personal
certificate ("TESTUSER") you will probably want to delete them
afterwards, if only for security reasons. On Pocket PC 2003
SE and Windows Mobile you can use the "Certificates" applet
in Settings->System. Tap
and hold the name of the certificate with your stylus.
A context menu will pop up. Select "Delete" to delete the certificate.
On Pocket PC 2003 (first edition) you can view the details of the
certificate by tapping its name. In the details window that pops up
you will find a "Delete" button. You will need to delete both the
personal certificate and the root certificate.
Unfortunately, on Pocket PC 2003 (First and Second Edition) you cannot
delete root certificates that have been
imported with P12imprt version 0.1. This is due to a bug that has been
corrected in version 0.2. If you want to delete the "TESTCA" certificate
you can use this
The device emulator included with Visual Studio 2005
(Contact me to get your device listed here!)
Problems have been reported with the following model(s):
MiTAC Mio A701 running WM5.0 Phone Edition ("Import Certificate"
button does not work?).
Qtek 2020: P12imprt runs fine, but for some reason Qtek did not
include the "Certificates"
applet on this model. So be warned that you cannot view or delete
certificates, unless you are prepared to use a registry editor (remove
keys from Hkey_current_user/comm/security/system
If P12imprt does or does not work on your Windows Mobile device it
would be great
if you could contact
me and let me know
if your model is not listed above! I am also interested to learn if
there are any problems with the program running in landscape or portrait
mode, or with a high-resolution (VGA) or square display. Windows Mobile
and Windows CE are modularised, which means that vendors are free to leave
out support for certain features. If you are out of luck, P12imprt may not
run because of this. Note that some Windows Mobile based Smartphones
are software locked,
so I suspect that P12imprt will not work on Smartphones, even if your
generic model is listed above. Please mention
the Windows Mobile version and your
cellular network if you contact me to report success or failure!
In case the program reports an error: here is a list of Windows CryptoAPI
error codes. These are probably not very helpful if you are not a
Contact me by e-mail if you really can't get it working.
8.1 Root certificate cannot be deleted
There is a bug in P12imprt v0.1 which was corrected in v0.2. The bug is that imported root
certificates cannot be deleted on Pocket PC 2003 using the Certificates
applet in Settings->System. This problem does not occur on Windows
Mobile devices. It was a stupid mistake and I would like
to apologise for the inconvenience. You get the following error:
"The certificate issued by TESTCA was not deleted. You do
not have sufficient permissions, or the certificate was installed by
the device's manufacturer and cannot be deleted."
The bug was that certificates were imported to
CERT_SYSTEM_STORE_LOCAL_MACHINE instead of
Root certificates that have already been imported with v0.1 cannot
be deleted. This is only a bit of a nuisance if you have imported
your own root certificates. But if you have
imported the sample certificate ("TESTCA") you would probably want to
delete it for security reasons. I have made a program that can delete
imported root certificates:
I would have liked a more user friendly graphical interface but this
would have taken
more time. I don't know enough about programming GUIs on Pocket PC.
Any help on this is gladly accepted (e.g. how to make a scrollable list
on Windows Mobile and how to select an entry from the list).
8.2 Problems running P12imprt on Smartphone
There are a number of usability problems with P12imprt on
Smartphone. I have not spent much time on this. There are a couple of
reasons behind this:
I suspect that most Smartphones do not support WiFi or L2TP/IPsec
So you won't be able to use the personal certificate for EAP-TLS or
L2TP/IPsec for those Smartphone models.
I suspect that most people get their Smartphones from telecom
operators as part of a cellular phone plan. Telecom
operators usually lock the root certificate store of those Smartphones. A
personal certificate is of little use without a corresponding root
certificate. Unlocked Smartphones without a plan are more expensive.
There is no "Ok" button to exit the program.
Modifying an existing Pocket PC program so that it fits on a
Smartphone screen does not seem to be straightforward. Again, this is
too much trouble for me.
Smartphone 2003 has a problem
with personal certificates in Pocket Internet Explorer.
On Embedded Visual C++ there is a difference between a Pocket PC
project and a Smartphone project. It is not easy to maintain a
program for both platforms.
If I remember correctly, I could not get WCECOMPAT and/or OpenSSL
to compile for the Smartphone project.
Perhaps things may have improved in Visual Studio but I cannot
afford to buy it. Plus, Visual Studio does not support Windows Mobile
It would probably be better to use a menu (File/Open/Exit/About
etc.) instead of buttons but I have not looked into this.
MFC seems to work on the Microsoft Device Emulator 2.0. I
use MFC for the file dialogue. Smartphone does
not support MFC. I have statically linked the MFC library
in the P12imprt program, so I figured that even if the device is
MFC the file dialogue should pop up. But this is not the case.
recommends to build a list of available files on the Smartphone so that
you select one. This is a bit too much trouble for me. (Feel free to
send me source code :-).
That said, P12imprt should work (with a few quirks) on your Smartphone
as long as the root
certificate store has not been locked. There are a few usability
problems; here is how you can work around them.
If you have Windows Mobile 6, use its built-in certificate
installer instead of P12imprt.
Some items on the screen are not visible, most notably the
"import certificate" button and the password field. Smartphones do not
have a touch sensitive screen so you have to use the keypad. You can
navigate using the Up/Down buttons on the keypad. The order of the
is: "Location of personal certificate" -> "Password of
certificate"-> "Browse" -> "Import certificate" (and then back
again to "Location of personal certificate"). You just need to remember
this order when
the cursor moves off-screen.
The Browse button does not work on Smartphone. You will have to
enter the location of the certificate file manually.
An easier workaround is as follows. Rename your certificate file to
"user.pfx" and copy it to the "My Documents" folder. Then you don't
have to change the default filename in "Location of personal certificate".
Once you have entered the file location and the password, move
the cursor to the "Import certificate" button. The cursor will be
off-screen, but you can still press the centre button of the keypad.
This will activate the button and import the certificate.
You can exit the program by moving the cursor to an input field
and then pressing the middle button of the keypad, or by tapping the
"Enter" key in the virtual keyboard.
If you can improve support for Smartphones then I would gladly
accept your suggestions and source code.
This error probably means that your root certificate store is
"application locked". Is it a Smartphone? The error code 0x5
("ERROR_ACCESS_DENIED") may be returned. Note that Windows Mobile
devices can be "locked" in several ways (read this
Smartphones especially are prone to this problem: adding a root
certificate is a "privileged
operation". This means that your Smartphone may not only have a
hardware lock (SIM lock, provider lock) but also a software lock! Telecom
operators and Smartphone manufacturers do not want you to install
applications that are not
approved by them. They claim that it is for your own good, so that
viruses cannot run on your device and run up your phone bill. This is
all part of the whole Digital Rights Management /
Trusted Computing situation that you already see on the Xbox and
Windows Vista as well. In the future you can expect to see this problem
more and more
if vendors get their way with this. To solve your
problem, you may have to
contact your operator to unlock your device. For instance, Orange has
page for their SPV. The AudioVox SMT5600 and equivalents can be unlocked
as well. More information can be found on the Smartphone2000
website. Microsoft has a Knowledge Base article
where you can download a utility called SPAddCert, but they too refer
to your mobile operator if the Smartphone happens to be
Some device manufacturers do not supply an unlock utility but a
(digitally signed) Registry editor has been leaked for a number of
models, for instance the HTC
models (i-mate, Qtek, XDA etc.). You can unlock the
device with this leaked registry editor. Normally an alternative would
be to buy a
certificate from one of
the 'standard' root CAs in the certificate store.
Unfortunately this alternative will not work because those Certificate
Authorities only issue server certificates,
not personal certificates...
Windows Mobile based Smartphones won't even run executables or .cab
files unless they are signed. That means you will not be able to
install your own root certificate or run P12imprt on these
Smartphones. In an MSDN blog entry called "How can I add root certs to
my Windows Mobile 5.0 device?", Microsoft writes:
"We have definitely gotten the message that a lot of customers
find themselves in this situation and we feel your pain." Ha! We feel your pain...
what a right bunch of hypocrites! They fixed the problem with the
release of Windows Mobile 6 but that means forking out more money for a
WM6 update or you will have to buy a completely new device.
WARNING: if you have unlocked your Windows Mobile 5.0 based Smartphone
with a (leaked) registry editor and you install the MSFP (AKU2)
update, it will lock your Smartphone again! And there is a big chance
that you won't be able to run the registry editor again because your
it in the MSFP update! (Mental note to self: stay away from Windows
Version 0.2 of P12imprt will not abort when the root certificate store
is locked, but will continue to import just the personal certificate.
Of course without the corresponding root certificate it will probably
not have much use but I thought the program should continue anyway.
A related problem is that the Smartphone emulator
image is locked. Microsoft has released emulator images containing the
(AKU2) update for Pocket
PCs and Smartphones.
I could install personal certificates and root certificates on
the emulated Windows Mobile 5.0 MSFP devices but it failed on the
emulated Smartphone. For some reason
Microsoft decided to lock the root certificate store of the
emulated(!) Smartphone: with P12imprt I could only install a personal
certificate on this emulated Smartphone and not a root certificate. I
managed to work around this problem by relaxing the 'Grant Manager
policy' with the Security
Configuration Manager Powertoy for Windows Mobile to 'unlock'
virtual device. Alternatively, I could have converted the root
certificate to an XML document and
then used RapiConfig to install the certificate through the use of a CAB file.
8.4 Known problem with Smartphone
(This may or may not be relevant to Windows Mobile 5.0 based
Smartphones. It depends on whether Microsoft fixed the problem. I guess
they have had plenty of time by now).
You managed to import a personal certificate on
Smartphone 2003 but when you use Pocket Internet Explorer (PocketIE) to
connect to a website that requires certificate authentication, you get
an HTTP error ("403.7 Forbidden: Client certificate required").
This is a known issue in the Internet support functionality (WININET)
in Smartphone 2003, according
to Marcus Perryman from Microsoft. I take it that the personal
certificate can still be used for EAP-TLS and L2TP/IPsec VPNs but I am
not sure because I do not own a Smartphone. There is also a Usenet
discussion about this problem.
The Windows 2000/2003 Server CA ("Certificate Services") is
exposed to an internal (or even external) network. Some people prefer to
keep their CA off-line for security reasons.
The web enrolment clients are reported to work only with English
The Windows CA has to run in "issue automatically" mode for
Windows Mobile devices. As far as I know, Windows Mobile devices cannot submit
a certificate request at one time and then pick up the certificate later,
when the request has been approved by a system administrator.
This may not fit your security policy.
While enrolling, clients send usernames and passwords in clear
text over HTTP to the Windows CA. That's not very secure.
Private keys are generated on the Windows Mobile device itself,
but the device may not be able to generate good
(i.e. cryptographically strong) random numbers for these private keys:
Windows Mobile devices do not have many sources of entropy, unlike
The enrolment sample program is not available for download as a
Microsoft wants you to install the SDK for Windows Mobile 2003-based
Pocket PCs so that you compile the
source code yourself. If you are not a programmer you are probably not
going to like this.
A web enrolment program is included as a feature of the MSFP update
but that update is available for only selected Windows Mobile
Some Windows Mobile vendors and wireless network
vendors ship ready-to-run enrolment programs but these are
hardwired to work only with the vendor's hardware. They don't want
their programs to run on hardware from competitors. For example, HP's
graphical Certificate Enrollment Tool only runs on
high-end models with wireless support (at least 5450,
5550, 5555 and 4150,
I could not get the ENROLL sample code to work with Windows
Server 2003 R2 (not that I tried hard, though).
Advantages of P12imprt:
You can use certificates from any CA, not just the Microsoft
Windows CA ("Certificate Services").
Many third-party CAs such as Thawte and Verisign do not support
Windows Mobile's web enrolment. Importing a PKCS#12 file is your only
You are not forced to use web enrolment. I.e., you are not
forced to buy into the whole Windows "ecosystem" with Windows
2000/2003, IIS, ISA Server, Active Directory etc.
Private keys can be generated on any machine, not just on the
Windows Mobile device itself.
Should run on any Pocket PC 2003 and Windows Mobile device
(unless the device is locked). The other certificate import and
enrolment tools run only on selected Windows Mobile
Available for free. Available for download now. Unlike the MSFP
update, which is only available on selected Windows Mobile 5.0
Disadvantages of P12imprt:
P12imprt's GUI is very basic.
P12imprt is quite large (almost 700 KB), compared to Crtimprt,
PFXimprt and web enrolment.
Some options are hard-coded, such as
the CSP (Cryptographic Service Provider). This means for example that it is
currently not possible to import the certificate to a smartcard inside
the Windows Mobile device (are there any devices with smartcards
Another hard-coded setting is that the certificate should use RSA and
not DSA/DSS. These settings are easy to change in the source code,
however. Perhaps a new 'Advanced settings' dialogue window can be added
to the program if there is enough interest. (If you want to write it
yourself and submit the code to me that would be even better :-).
The OpenSSL toolkit
0.9.8a. Licensed under an Apache-style licence.
The PVK and
PRIVATEKEYBLOB patch by OpenSSL team member Steve Henson. This
patch is originally from OpenSSL CVS and had to be slightly modified by
me so that it applied to OpenSSL 0.9.8a. I also had to use this patch.
Windows Mobile 5.0 and higher support the PFXImportCertStore()
function. This means that they can import PKCS#12
files directly. There are two problems however: Windows Mobile 5.0's Certificates
applet in "Settings->System" still does not have an option to
import PKCS#12 certificates (screenshot
3). The PKCS#12 API is there, but Microsoft just does not use it.
The other problem is that PFXImportCertStore() is not available on
Pocket PC 2003 (Windows CE 4.2) and earlier. This is why I wrote
P12imprt. My idea was to use the PKCS#12 routines included with OpenSSL
to parse the PKCS#12 file, convert it to something acceptable to
Microsoft's CryptoAPI implementation and then import these
datastructures using the regular API, such as CryptImportKey().
I used OpenSSL 0.9.8a which was the current released version when I
started working on P12imprt. I
then used the patch by
Steve Henson which adds support for some Microsoft CryptoAPI
datastructures. I simply did not want to wait for the upcoming OpenSSL
0.9.9 and I could not use the CVS version of OpenSSL because it is a
work in progress and at the time it did not compile under Windows CE.
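The conversion step described above (OpenSSL parses the PKCS#12 file, the key is repacked into a CryptoAPI structure and handed to CryptImportKey()) and the v0.3 fix in section 5 (AT_KEYEXCHANGE instead of AT_SIGNATURE) both come down to the layout of a PRIVATEKEYBLOB. The following Python is an added example, not P12imprt's code: it builds and parses that blob from a constructed toy RSA key so the header fields, including the algorithm id that decides the key spec, can be inspected by hand. The constants follow wincrypt.h; everything else (function names, the toy key) is the example's own.

```python
"""Build and parse a Microsoft CryptoAPI PRIVATEKEYBLOB (RSA2 layout), the
structure handed to CryptImportKey() once OpenSSL has unpacked a PKCS#12 file."""
import struct

# BLOBHEADER / RSAPUBKEY constants from wincrypt.h
PRIVATEKEYBLOB = 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400   # key exchange key pair  -> AT_KEYEXCHANGE slot
CALG_RSA_SIGN = 0x00002400   # signature-only key pair -> AT_SIGNATURE slot
RSA2_MAGIC = 0x32415352      # "RSA2": a private key follows the RSAPUBKEY header

ALG_TO_KEYSPEC = {CALG_RSA_KEYX: "AT_KEYEXCHANGE", CALG_RSA_SIGN: "AT_SIGNATURE"}


def _le(value: int, size: int) -> bytes:
    """CryptoAPI stores every big number little-endian, fixed width."""
    return value.to_bytes(size, "little")


def build_privatekeyblob(n, e, d, p, q, alg=CALG_RSA_KEYX) -> bytes:
    """Serialise an RSA private key in the PRIVATEKEYBLOB layout.

    Field order after the 20-byte header: modulus, prime1, prime2,
    exponent1, exponent2, coefficient, privateExponent. Full-size fields are
    bitlen/8 bytes, the CRT fields bitlen/16 bytes.
    """
    if n != p * q:
        raise ValueError("p * q != n")
    # Real keys are 1024 or 2048 bits; the toy key is rounded up to a multiple
    # of 16 so that the bitlen/16 fields stay byte aligned.
    bitlen = -(-n.bit_length() // 16) * 16
    full, half = bitlen // 8, bitlen // 16
    dp, dq, iqmp = d % (p - 1), d % (q - 1), pow(q, -1, p)
    header = struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, alg)
    rsapubkey = struct.pack("<III", RSA2_MAGIC, bitlen, e)
    return (header + rsapubkey + _le(n, full) + _le(p, half) + _le(q, half)
            + _le(dp, half) + _le(dq, half) + _le(iqmp, half) + _le(d, full))


def parse_privatekeyblob(blob: bytes) -> dict:
    """Decode a PRIVATEKEYBLOB, rejecting the headers CryptImportKey would reject."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, version, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if btype != PRIVATEKEYBLOB or version != CUR_BLOB_VERSION:
        raise ValueError("not a version 2 PRIVATEKEYBLOB")
    if magic != RSA2_MAGIC or alg not in ALG_TO_KEYSPEC:
        raise ValueError("not an RSA2 private key blob")
    full, half = bitlen // 8, bitlen // 16
    expected = 20 + 2 * full + 5 * half
    if len(blob) != expected:
        raise ValueError(f"blob length {len(blob)} != {expected} for {bitlen}-bit key")
    fields, pos = {}, 20
    for name, size in (("n", full), ("p", half), ("q", half), ("dp", half),
                       ("dq", half), ("iqmp", half), ("d", full)):
        fields[name] = int.from_bytes(blob[pos:pos + size], "little")
        pos += size
    fields.update(e=e, bitlen=bitlen, keyspec=ALG_TO_KEYSPEC[alg])
    return fields


# Constructed toy RSA key (p=61, q=53, e=17) so the blob can be read by eye;
# a real import would use the key parsed out of the .pfx by OpenSSL.
TOY_P, TOY_Q, TOY_E = 61, 53, 17
TOY_N = TOY_P * TOY_Q
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))


def smime_ready_blob() -> bytes:
    """The v0.3 change in one call: tag the key CALG_RSA_KEYX so CryptImportKey
    files it under AT_KEYEXCHANGE, the slot S/MIME needs, not AT_SIGNATURE."""
    return build_privatekeyblob(TOY_N, TOY_E, TOY_D, TOY_P, TOY_Q, CALG_RSA_KEYX)


if __name__ == "__main__":
    blob = smime_ready_blob()
    print(len(blob), "bytes, header:", blob[:20].hex())
    print(parse_privatekeyblob(blob))
```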
To compile OpenSSL for Pocket PC (read: Windows CE) I used the WCECOMPAT
compatibility library by Steven Reddie. This library compiled correctly
for the ARM target but unfortunately not for the emulator target.
Perhaps I should recompile P12imprt with a more current version of
OpenSSL with native Windows CE support.
For your convenience I have included the (slightly modified) source
code of WCECOMPAT and OpenSSL 0.9.8a in the p12imprt_src.zip
file. I encountered several other obstacles while compiling these
libraries which I had to correct in the code. Put the \wcecompat,
\openssl-0.9.8a and \p12imprt directories in the
root directory of your drive.
To compile the WCECOMPAT and OpenSSL libraries from the Command Prompt,
I have added the commands that I use myself at the top of that file.
The main files that are produced by the compilation process are wcecompat\lib\wcecompat.lib
and openssl-0.9.8a\out32_ARMV4\libeay32.lib. The p12imprt
project depends on these two libraries and the corresponding header
files. After compiling the WCECOMPAT object files you may have to rename
\wcecompat\include\time.h to some other name when linking P12imprt
with wcecompat.lib because of clashes with the regular
Windows include files. I have not looked into this yet.
When you double click the file p12imprt\p12imprt.vcw it starts
eVC++ and opens the P12imprt project. Select "Pocket PC 2003 ARM"
device" (if not already selected) and then "Build all" from the menu to
generate the Pocket PC executable. I have modified the default project
settings so that eVC++ can
find the additional headers and .lib files of the WCECOMPAT and OpenSSL
libraries (see the "C++ Preprocessor"
and "Linker" tab pages in the Project Settings).
The code will not compile under Visual Studio 2005 or 2008
because the WCECOMPAT and OpenSSL libraries do not yet support Visual
Studio. However, for testing purposes you can configure the
P12imprt source code to not use these libraries (you will need to read
the public key and private key from a file instead of a PKCS#12 file)
but I have not yet tested this on Visual Studio. You would need at
least the Standard
edition of Visual Studio 2005 which will set you back about US$249, or
the Professional edition of Visual Studio 2008 which is even more expensive at $799. Visual C++ 2005/2008 Express Edition (which is a free
download from the Microsoft website) cannot be used to build Windows Mobile executables.
This is a
I used the ARM
emulator included with the "Microsoft Device Emulator
1.0" and v2.0 because I don't own a Pocket PC and I could not compile
for the (non-ARM based) Pocket PC 2003 emulator that ships with
eMbedded Visual C++
4.0. Fortunately this ARM emulator can be installed alongside eVC++ and
its own non-ARM based emulator. An inconvenience is that you cannot
use the debugger included with eVC++ with this ARM emulator. If you
want to use that debugger, you need to use the emulator
included with eVC++. Unfortunately, WCECOMPAT and OpenSSL will not
compile for the emulator target. For testing purposes there is a
workaround: comment out the line "#define WCECOMPAT_OPENSSL 1"
in p12imprtDlg.cpp and select "Pocket PC 2003 emulator", then
P12imprt will be built without WCECOMPAT/OpenSSL support. You will not
be able to import a PKCS#12 file but you can read in a private key and
public key from other files (PRIVATEKEYBLOB and personal certificate in
It's just a quick and dirty hack. Is there anyone with Windows CE /
Mobile programming skills who is willing to clean it up?
If you don't want to import your certificate from a file you can use
the web enrolment technique that is recommended by Microsoft. I
mention it here only for the sake of completeness, because I find it a
bit too limited and much too
Some versions of Windows CE (including Pocket PC 2003 and Windows
Mobile) contain a
built-in VPN client. This VPN client supports the PPTP protocol and
(with most variants of Windows Mobile) also the more secure L2TP/IPsec
supports authentication through X.509 certificates and Preshared Keys
provide better security than PSKs and they do not require static IP
or a 'Group Secret' (PSK) that has to be shared by all users.
If you want to use certificate authentication with L2TP/IPsec on
Windows Mobile you will need to install a personal certificate and a
root certificate. (On Windows 2000/XP you install a 'machine certificate'
for use with L2TP/IPsec but Windows Mobile devices are mostly
single-user so you install a personal certificate). If you would
like to know more about the built-in L2TP/IPsec client, read my other
I imported a personal certificate to the emulator and then proceeded to
connect to L2TP/IPsec VPN servers. I could make
an L2TP/IPsec connection with the Pocket PC 2003 and Windows Mobile
emulators to Openswan and
Windows Server 2003 (Windows 2000 Server not yet tested).
Personal certificates can also be used for EAP-TLS. This is a
protocol that is often used to authenticate users in wireless 802.1x
networks, including those that are based on WPA or WPA2. Other
authentication protocols such as
PEAP (Microsoft), LEAP
(Cisco), TTLS (Funk) and EAP-FAST (Cisco) use a password for user
authentication and a
certificate for server authentication. For these protocols you do not need
P12imprt. In most cases you would want to buy a server certificate from
one of the "trusted" root
certification authorities that are present in Windows Mobile devices (e.g.
Geotrust, GlobalSign, Entrust, Thawte,
Verisign). Or, you would use File Explorer on the Windows Mobile
device to install your own CA
certificate. In the latter case you would save some money, but it may
turn out to be a bit of a hassle if you have a large number of Windows Mobile devices.
EAP-TLS is more secure than PEAP et al. because
it uses certificates for both user and server authentication. Plus,
EAP-TLS is supported by many vendors and ratified by the IETF in RFC 2716, whereas
other proposed EAP standards are currently still in draft phase.
Therefore EAP-TLS is often used by enterprises with strong security requirements. A
drawback of EAP-TLS is
that personal certificates are more difficult to distribute and manage
than passwords or
If you attempt to use EAP-TLS without installing a personal
certificate, you might get the following message: "Cannot
log on to the wireless network. This network requires a personal
certificate to positively identify you. Contact your network
administrator". (Note: if you are using PEAP, the other EAP method
supported out of the box by Windows Mobile, and you are getting
this warning, then just ignore the warning. Personal certificates
are not required for PEAP and things should work without them. The
warning does not make sense).
Personal certificates that are used in EAP-TLS should contain the
"Client Authentication" Extended Key Usage purpose (EKU), which has the
I have been told that the wireless client may also prompt for a
username and a domainname (not a password) to access the wireless
network. I don't know the details because I have not been able to use
EAP-TLS myself on a Windows Mobile device. I do not own one myself and
the Windows Mobile emulator does
not emulate wireless interfaces. However, I have received several
reports that EAP-TLS works after you have installed a personal certificate
with P12imprt. There are reports that you may need to soft reset your
device before the personal certificate can be used with EAP-TLS.
As you probably know, web browsers can secure their connections with the SSL
protocol. Most SSL websites use a server certificate to authenticate the server and
usernames and passwords for clients that wish to authenticate. The
advantage is that this is easy to use.
However, some websites (for instance, Internet banking sites) may
require personal certificates instead because these are more secure
than usernames and passwords.
Pocket Internet Explorer supports personal certificates
for web client authentication. It will prompt "The Web site you
want to view
requests identification. Select the certificate to use when connecting"
(as shown in this screenshot).
Never mind Microsoft who say this
is not possible. One limitation
is that Pocket IE on Pocket PC 2003 and Windows Mobile 5.0 does not
support server certificates which contain a
wildcard (e.g. *.example.com). This limitation has been
resolved in WM6. Another limitation is that Windows
Mobile cannot retrieve intermediate certificates if the (web)server
does not send the chain of intermediate certificates on its own
initiative. These two limitations do not exist on desktop Windows.
If you would like to test client side certificate authentication with
Windows Mobile, you can obtain a free personal certificate from CAcert.org, install it with
P12imprt on your Windows Mobile device and use it to connect to the CAcert "Cert Login" website.
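Both the Client Authentication EKU that EAP-TLS expects and the intermediate-chain limitation of Pocket IE described above can be checked with the openssl command-line tool before a bundle goes anywhere near the device. The shell functions below are an added example written for this page, not code from P12imprt or any project it mentions; make_test_bundle creates a throw-away CA and client certificate as constructed test data, and the file names and password are assumptions.

```shell
#!/bin/sh
# Pre-import checks for a PKCS#12 bundle, using only the openssl CLI.
set -eu

# Personal (end-entity) certificate from the bundle, as PEM.
p12_client_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# Succeeds if the bundle carries a private key; without one the
# personal certificate is useless to an EAP-TLS or L2TP/IPsec client.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Number of CA certificates (root plus any intermediates) in the bundle.
p12_ca_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Succeeds if the personal certificate carries the Client Authentication
# extended key usage (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2). The
# "openssl x509 -text" dump names this purpose "TLS Web Client Authentication".
p12_has_client_auth_eku() {
    p12_client_cert "$1" "$2" | openssl x509 -noout -text \
        | grep -q 'TLS Web Client Authentication'
}

# Certificates a TLS server sends in its handshake. A count of 1 for a
# server whose certificate was issued by an intermediate CA means the
# intermediate is missing from the chain, and Windows Mobile will not
# fetch it by itself. Needs network access; not exercised by the test.
server_chain_length() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Builds DIR/bundle.p12 from a throw-away root CA and a client certificate
# with the given EKU (clientAuth or serverAuth). Constructed test data only.
make_test_bundle() {
    dir=$1; pw=$2; eku=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test User' \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    printf 'extendedKeyUsage = %s\n' "$eku" >"$dir/ext.cnf"
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -out "$dir/user.pem" 2>/dev/null
    # OpenSSL 3 writes AES/PBKDF2 bundles; very old importers may need -legacy.
    openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.pem" \
        -certfile "$dir/ca.pem" -passout "pass:$pw" -out "$dir/bundle.p12"
}

# Runs all three bundle checks, printing what is missing; 0 only if all pass.
check_bundle() {
    ok=0
    p12_has_private_key "$1" "$2" || { echo "no private key"; ok=1; }
    p12_has_client_auth_eku "$1" "$2" || { echo "no Client Authentication EKU"; ok=1; }
    [ "$(p12_ca_count "$1" "$2")" -ge 1 ] || { echo "no CA certificate"; ok=1; }
    [ "$ok" -eq 0 ] && echo "bundle looks usable for EAP-TLS"
    return "$ok"
}
```

Run `check_bundle user.p12 'password'` against a real bundle; a server-authentication-only certificate or a bundle without its key is reported before you spend time importing it on the device.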
ActiveSync connections between Windows Mobile and Exchange can be
secured with SSL. In fact, this is
highly recommended when clients connect over a hostile
network such as
the Internet. As with any other SSL server, this requires a server
certificate to be installed on the IIS / Exchange server. The server
presents this server certificate to authenticate itself to clients (you
may also need to install
the root certificate of your CA on the Windows Mobile device, if it
is not already there). Then the clients authenticate to
the server. On SSL webservers, there are two
options for client authentication:
basic authentication (usernames/passwords) and certificate based
authentication (personal certificates). Personal certificates
provide stronger authentication than usernames
and passwords. But usernames and passwords
are probably easier to use.
I have described my Exchange ActiveSync setup on my other page. See also the
webpage by Daniel Petri on using Windows Mobile with
Exchange. There is a screencast
by Microsoft employee Daniel
Melanchthon which shows how to configure Exchange 2003 SP2 and Windows
Mobile 5.0 with the MSFP update for direct push e-mail and Exchange
ActiveSync. He shows how to export the root certificate from the
Exchange server to the Windows Mobile client.
The audio is spoken in German but the video is in English so you should
probably get the idea.
If you don't want to install a root
certificate, you could disable
certificate verification on Windows Mobile.
But only do this when you are testing over a secure network, e.g. on your
own LAN! Don't disable certificate verification when the client
connects over the Internet, otherwise a "Man-In-The-Middle" attack is
possible. So, if you are really confident that you can do without
certificate verification, you can change a setting on your Windows Mobile
device. On Windows Mobile 2003 you have to use the CERTCHK utility from
Microsoft (read this
article by Daniel Petri). For Windows Mobile 5.0 devices you have
to change the registry (read this
article by Ben Winzenz).
Now, let's assume that you want clients to authenticate to an Exchange
Server with personal certificates, and not with usernames and passwords.
According to a Microsoft Knowledge Base article you cannot use personal certificates to
connect to Microsoft Exchange
ActiveSync (EAS). But that article is a few years old and it mentions
Pocket PC 2003.
This does not appear to be the case for Windows
Mobile 5.0 and 6. By the way, the
article claims that "the Pocket Internet Explorer component does not
the use of client certificates" but that is incorrect.
Certificate based authentication for Exchange ActiveSync can be enabled
as follows. Start IIS Manager. Open the Default Web Site folder.
Open the properties of the /Microsoft-Server-Activesync
virtual website. Go to "Directory Security". At "Secure
communications", select "Edit". You will probably already have ticked
the checkbox "Require
secure channel (SSL)". I would also recommend ticking the checkbox
"Require 128-bit encryption". Now here is what's new: select "Require
client certificates". Then select "Enable client certificate mapping".
Save this configuration. On your Windows Mobile device, go to Start
-> Settings -> Memory -> Running programs and make sure that
ActiveSync is not running. Then go to Start -> Programs and start
ActiveSync. Tap "Sync". The Windows Mobile device should now use the
personal certificate to authenticate the ActiveSync connection to the
Exchange server. You can verify that by tapping Menu -> Configure
server. Tap Next. Now you should not see the usual username /
password window but a client
certificate window (yeah, client certificates are personal
certificates, somebody should tell Microsoft to use consistent
terminology). If the Windows Mobile device does not contain a suitable
personal certificate, an error 85030027 will be reported.
There is a known
problem in Windows
Mobile 5.0 AKU2 when client certificate authenticated ActiveSync is
used. Reportedly this has been fixed in some versions of AKU3 and
higher. But most Windows Mobile 5.0 devices won't have this fix.
Windows Mobile 6 supports AES encryption with SSL/TLS, but (at the time
of this writing) IIS on Windows Server 2003 does not. Therefore, Windows
Mobile 6 cannot use AES with Exchange ActiveSync (EAS) because EAS
is built on IIS. AES may be supported by IIS on Windows Server 2008,
but I have not tried.
P12imprt v0.1 and v0.2 could not be used with S/MIME (secure e-mail).
This problem has been resolved in v0.3. Alternatively, you can use PFXimprt or WM6's built-in
For more details about using S/MIME with Windows Mobile, see
Pocket Internet Explorer is included with Windows Mobile. It
supports client certificates for authentication to web servers. There are other
web browsers available as well.
18.1 NetFront browser
The NetFront browser for Pocket PC ships with a built-in certificate
manager. You can access it under the menu 'Tools -> Browser
Setting -> Security'. The NetFront certificate manager can import
PKCS#12 files, single (root) certificates in DER format, multiple
(root) certificates in PKCS#7 format and private keys (not sure what
format). NetFront is commercial but a time-limited and crippled version
can be downloaded for free.
The NetFront certificate manager is separate from the Windows Mobile native
certificate applet. So if you import a (personal or root)
certificate with NetFront, the certificate can only be used by NetFront
itself. The certificate cannot be used by Pocket IE, L2TP/IPsec or
The NetFront certificate manager can be a great alternative to
P12imprt if you are already unhappy with Pocket IE and you only want to
use web client authentication.
ThunderHawk by Bitstream Inc. is licensed on a subscription basis
(US$5.95/month or US$49.95/year). It supports SSL with 128-bit
encryption (but is it RC4 or AES?). They also have a trial
version. See also this review.
18.3 Mozilla Minimo
Minimo is a
small, simple, powerful, innovative, web browser for mobile devices.
Because it is a spin-off from the Mozilla project, it is Open Source
and free to use. It supports SSLv3 and TLS. Minimo uses the
certificates installed in the Windows Mobile native certificate applet.
At the time of this writing the current version does not seem to support client
certificate authentication, only server authentication.
19.1 Protecting the private key of your personal certificate
On desktop Windows you can protect the private key of your personal
certificate with a password. Unfortunately this does not appear to be
possible on Windows Mobile. So if your
Windows Mobile device is lost or stolen, adversaries will be able to
read your encrypted e-mail, send
signed e-mail, connect to your organisation's wireless network etc. You
may need to implement other countermeasures to prevent unauthorised use
of your certificate. For example, your device may be equipped with
access controls such as a PIN or a fingerprint reader. This will
probably deter casual hackers but not skilled ones with a lot of time and
money on their hands such as certain government agencies and PhD
students (well, perhaps not money).
One solution might be to store the private key on a smart card. This
will require a small change to the P12imprt source where PROVIDER_NAME
and PROVIDER_TYPE are set to use the "driver" of the particular
smart card. A problem with this solution is that most Windows Mobile
devices do not ship with a smart card reader.
If you use a personal certificate for L2TP/IPsec access, adversaries can connect
to your VPN if they also have your PPP password. If you don't like
that, don't type
your logon password in the VPN settings. Leave the field empty. You
will be prompted
for the password every time that you connect. It's less convenient but
P12imprt does not set the CRYPT_EXPORTABLE flag on private
keys that are imported. This is the safer choice. When an adversary has
physical access to your devices and he tries to export your private key
using the function CryptExportKey()
the function should fail with an error NTE_BAD_KEY_STATE (which
translates to: "You do
not have permission to export the key. That is, when the hKey key was
created, the CRYPT_EXPORTABLE flag was not specified."). I have
not actually written a program to test this but I have no reason to
disbelieve Microsoft's documentation. Another reason for not setting the
CRYPT_EXPORTABLE flag is that the (legitimate) user is
importing from a file. In other words, he already has a (password
protected) copy of the certificate. Thus there should be no reason for
the legitimate user to re-export the private key.
If, for any reason, you do need to re-export the private key, you can
use the source code of P12imprt and compile a custom version of
P12imprt which does set the CRYPT_EXPORTABLE flag.
19.2 Restoring certificates after cold boot
I have been contacted a few times about a problem with Windows
Mobile based devices, in particular devices made by Symbol. These handheld
devices use a personal certificate for access to EAP-TLS wireless
networks. But after
a cold boot (e.g. a battery failure) everything is wiped, including
personal certificates that were stored on the device. The question is:
how does one make personal certificates persistent on the device?
I am not too familiar with Symbol devices. One option would be to
create a command line version of P12imprt so that people can run a
script or something like that to restore the personal cert. In theory
this should not be too difficult: removing features (such as a GUI)
from a program is easier than adding new features. A second option is
my other program Crtimprt. It is
almost a command-line program. There is a minimal GUI and with a little
bit of effort even that GUI can be removed. Both solutions would mean
that parameters and passwords are fixed or configured through a text file.
The following solution is suggested by Symbol (thanks to Timothy M. for
1. Get everything working so you can successfully get on the network (i.e. install certificate, configure wireless profile, etc.).
2. Export the wireless settings for the profile you are using by going into the radio options and selecting Options->Export. Click on both the "Export Options" and "Export All Profiles" button and save both using the default REG file that is displayed.
3. Place both files in the ZIP file supplied by Symbol*) into the \Application folder on your Symbol device.
4. Open up Windows Explorer and run SymScript.EXE.
5. Click on the "Run a Script" button.
6. Click on "Browse for a script".
7. Navigate to the \Application folder and select the CertCapture.spt
8. Click on the "Autostart script on startup" button.
9. Click on the "Yes" button.
10. Warm boot the unit.
11. The script should automatically run when the device boots up. It will ask if the certificates are set up properly. Click on "Yes". The script should say that the certificates have been saved.
12. Cold boot the unit.
13. After the unit boots up, the script should restore the certificates and then warm boot the unit.
*) This ZIP file can be requested from Symbol. If you are a
customer it should be free and a relatively painless procedure.
I understand that Symbol is going to include a PKCS#12 import tool in
2.5.5. I don't know the status of this but if they provide their own
import tool it
would mean that P12imprt is no longer needed on Symbol devices.
19.3 Misc. remarks
I get the impression that Pocket PC 2003 and possibly also Windows
Mobile 5.0 do not actually delete the
private key when you use the Certificates applet to delete a particular
certificate from the "Personal" certificate store. If this is true, it
might be a security problem. Note that Microsoft has removed the "Delete"
Pocket PC 2003 Second Edition and higher. In these
new Windows Mobile versions you can delete a (personal or root)
certificate by tapping and holding the name in the list.
You can use P12imprt to import personal certificates, root certificates
and "intermediate" CA certificates. Unfortunately, intermediate
certificates are not shown by the "Certificates" applet in the Control
Panel (this has been resolved in WM6). So you cannot view or delete
them through the Certificates
applet. Windows Mobile cannot retrieve other recipients' certificates
through LDAP. I don't know if it checks the revocation status of
certificates (e.g. through OCSP or a CRL specified in the certificate)
but I suspect it does not.
20. Importing certificates on Blackberry
20.1 PalmOS based devices
I have been asked if a similar program exists for other platforms
such as Blackberry, PalmOS and Symbian. First off, my certificate
import program runs only on Windows
Mobile devices. Palm makes a Windows Mobile device (the Treo 'w'
P12imprt runs on those devices. P12imprt does not run on Symbian devices such
as the N70/N80/N95, nor does it run on PalmOS devices such as the
the TX. I'm sympathetic to PalmOS and Symbian but I do not own a device,
nor is there a free emulator. Otherwise I would have researched the
options more thoroughly. I did
manage to collect the following information.
It appears that on PalmOS each application requires its own support
Palm TX: there is additional
software that you can buy (the "Wi-Fi Enterprise Security Update
for the Palm® TX handheld"). Its list price is $ 5.99. PalmOS
supports WEP and WPA-PSK encryption schemes on selected
wireless models, but not 802.1x. The
software update adds support for EAP-TLS and other EAP schemes but it
is not clear to me if it allows you to
import a client certificate from a file (I
suspect it does).
Palm Tungsten C: there is an 802.1x
client ("supplicant") by Meetinghouse Aegis. They have been bought
by Cisco but I
can't find any reference to the software on the Cisco website.
Other models: Blazer is a web browser that is included with various
Palm models. I don't know if it supports client certificates for web
Other models(?): there is a commercial 802.1x
implementation for PalmOS by Devicescape, but this company only
makes the framework, not the actual client. You could contact
them and ask if there is someone who has
made a client for your particular Palm device.
Last ditch option: Linux can be installed on some Palm models, such
as the Lifedrive.
There is a host of free software for Linux, including an 802.1x
supplicant. Switching from PalmOS to Linux is a solution, but obviously
it is a very drastic one.
client certificates for use with S/MIME secure e-mail. It requires
Blackberry Enterprise Server (BES) and Exchange Server.
Zhuang of Microsoft for showing how to determine a root or
And to everyone who helps by reporting success or failure with their
My crack team of lawyers advised me to include the following text. This
product includes software developed by the OpenSSL Project for use
in the OpenSSL Toolkit. This
product includes cryptographic software written by Eric Young
(firstname.lastname@example.org). This product includes software written by Tim
Hudson (email@example.com). This
page shows screenshots of a device resembling an iPAQ but this does not
necessarily mean an endorsement of, or by, HP/Compaq or any other
company. I disclaim
Windows Mobile, Pocket PC and Windows CE are trademarks of Microsoft Corporation.
The author of this webpage is not associated with Microsoft or any
other company mentioned on the page. All
trademarks are owned by their respective companies.
Oct 1, 2007: Added more on Symbian.
Jun 6, 2007: P12imprt v0.3 released. Imported certificates can now be used with S/MIME.
Oct 26, 2006: Added info on PalmOS and Symbian devices.
Oct 17, 2006: PGP Mobile may be re-released, according to PGP representatives.
May 23, 2006: Sending/signing e-mail with the MSFP update requires Exchange. Bummer!
May 23, 2006: Emulator for Windows Mobile released. Pocket PC images with the MSFP update.
Mar 15, 2006: Bug reported and fixed: imported root certs could not be deleted. v0.2 released. If you have downloaded P12imprt.zip before, please replace it with the latest version.
Feb 9, 2006: First report of P12imprt running on an Pocket PC device.
Feb 8, 2006: P12imprt runs on Pocket PC 2003 and Windows Mobile 5.0 (on the emulators, at least).
May 18, 2005: Some Windows CE 5.0 devices apparently do ship with a certificate control panel utility. But Windows Mobile 5.0 Pocket PC devices do not.
May 12, 2005: Windows Mobile 5.0 announced. Supports PFXImportCertStore()!