Personal Certificate Import Utility for Pocket PC 2003 and Windows Mobile

Last update: May 2, 2008


Bugfix: if you have previously downloaded P12imprt.zip v0.1, get the latest version!

1.1 Introduction

I have made P12imprt, a free program for Pocket PC 2003, Windows Mobile 5.0 and Windows Mobile 6. It allows you to import: Once an X.509 personal certificate is installed, you can use it for user authentication on the Windows Mobile device. The imported certificate can be used in the following scenarios:
(Skip the smalltalk, get me straight to the installation procedure!)

The page that you are now reading describes how you can import a PKCS#12 certificate file to Pocket PC 2003, Windows Mobile 5.0 and Windows Mobile 6. A PKCS#12 file bundles a personal certificate with its corresponding private key, usually the root certificate, and optionally a number of intermediate CA certificates. Microsoft stubbornly calls PKCS#12 files "PFX" files. PFX was actually a predecessor to PKCS#12, as this PKCS#12 FAQ explains.

The reason I made the P12imprt program was that I wanted to connect with Windows Mobile to a Linux VPN Server. It turns out that P12imprt can be used for other purposes too. I have also made two similar programs: Crtimprt and PFXimprt.

You do not need P12imprt in the following scenarios. Each entry lists the problem and a solution which does not require P12imprt:

Problem: You want to import a personal certificate on a Windows Mobile 6 device.
Solution: These devices already ship with a certificate import tool. You can still use P12imprt though.

Problem: You want to access a webserver or a mail server (e.g. Sendmail or Exchange) over a secure SSL connection.
Solution: You need a root certificate, not a personal certificate. Import the root certificate with File Explorer. (Note: for sending and receiving encrypted e-mail you do need a personal certificate; see this page).

Problem: You want to access an 802.1X wireless network with PEAP, EAP-FAST, EAP-TTLS or LEAP authentication.
Solution: These particular EAP protocols do not require client certificates. Use the built-in PEAP client included with Windows Mobile (first import the root certificate with File Explorer). Or buy/download a third-party 802.1X client such as Alfa & Ariss SecureW2 (Open Source!), Cisco Secure Services Client (formerly Meetinghouse Aegis) or Juniper Odyssey Access Client.

Problem: You want to use EAP-TLS (which requires a personal certificate) but you do not want to use the built-in EAP-TLS client included with Windows Mobile.
Solution: Buy a third-party 802.1X client with EAP-TLS support such as Juniper Odyssey Access Client.

Problem: You want to use a PPTP VPN.
Solution: PPTP does not require certificates, so you do not need P12imprt.

Problem: You want to use a VPN but you do not want to use the built-in VPN client included with Windows Mobile.
Solution: Buy or download a third-party VPN client. Most third-party VPN clients have their own support for importing certificates.

Problem: You need a personal certificate but you prefer to use web enrolment instead of importing a PKCS#12 file.
Solution: See this section about web enrolment.

Problem: You want to import a personal certificate and you own a Toshiba Pocket PC or a Qtek 9100.
Solution: These particular models already ship with a certificate import tool. You can still use P12imprt though.

Problem: You want to import a personal certificate and you own a wireless adapter (Socket, Cisco, etc.).
Solution: These adapters already ship with a certificate import tool. You can still use P12imprt though.

Problem: You want to import a personal certificate and you own a Windows CE device.
Solution: Some Windows CE devices already ship with a certificate import tool for PVK and CER files. (Note: Windows Mobile based Pocket PC devices usually do not ship with this tool). You may be able to use P12imprt on some Windows CE devices.

Problem: You use a third-party browser such as NetFront or Thunderhawk and you want to use it for web client authentication.
Solution: See this section.

I do not own a Windows Mobile device so I could only test P12imprt on an emulator. I'm interested in both positive and negative feedback. Let me know if it worked or not!

1.2 Author

The author of this document is Jacco de Leeuw (contact me). Corrections, additions, extra information etc. are much appreciated.



2. Contents

3. Background information

The official name of Pocket PC 2003 is Windows Mobile 2003 for Pocket PC, which is often abbreviated to WM2003 or PPC2003. Windows Mobile 5.0 for Pocket PC is often abbreviated to WM5.0 and likewise for Windows Mobile 6. These are based on a light-weight variant of Windows called Windows CE.

3.1 When is a personal certificate required?

In the introduction I already listed a number of applications that use personal certificates. However, the three main applications for which you can use P12imprt are: L2TP/IPsec, EAP-TLS and web client authentication.

3.2 Installing a root certificate

As mentioned in the introduction, there are several applications that require a root certificate but not a personal certificate. So, how do you install a root certificate on Windows Mobile based devices? For Pocket PC 2002 you had to use a separate program available from Microsoft: AddRootCert.exe. You copied the certificate file to your PPC2002 device, ran the AddRootCert.exe utility and the certificate was added to the Certificate Store. On Smartphone 2002 and Smartphone 2003 you use a similar routine.

On Pocket PC 2003 and Windows Mobile it is much easier to import a root certificate. In most cases you don't have to use a separate utility. Root certificates can be installed using the File Explorer application (to be more precise: the ShellExecute function, which in turn calls the built-in program certinst.exe). The procedure for importing a root certificate is as follows. You copy the certificate file to the device, you start File Explorer and then simply tap the filename. Make sure that the certificate filename has the extension .cer. On Pocket PC 2003 and Windows Mobile 5.0 the file has to be in DER format. DER is a binary format. Another common format is PEM, which is a text based format in Base64 encoding (first line starts with: -----BEGIN CERTIFICATE-----). PEM certificates are not supported by Pocket PC 2003 and Windows Mobile 5.0: you will have to convert them to DER with OpenSSL (openssl x509 -in ca.pem -outform DER -out ca.cer), or import the PEM certificate on a desktop Windows computer and then re-export it to DER. Windows Mobile 6 supports both DER and PEM. More information can also be found on this page.

In some cases it is a bit more difficult to install a root certificate in Pocket PC 2003 or Windows Mobile. For example, when the root certificate store of your device is "locked", like many Smartphones. See this section.

In rare cases (depending on the "grant manager policy" on the Windows Mobile device) you cannot use File Explorer to import a root certificate. As a workaround you would need to create a CAB file that installs the root certificate. The same routine can also be used to install intermediate certificates on those particular devices.

3.3 Installing a personal certificate

On Pocket PC 2003 and Windows Mobile 5.0 you can use File Explorer to install "Root" (CA) certificates, but not "Personal" certificates. A personal certificate has an associated private key which also has to be installed (see "Public Key cryptography" for the basics on this). There are basically two methods of installing a personal certificate: certificate enrolment and certificate import. Unlike desktop Windows and Windows Mobile 6, Pocket PC 2003 and Windows Mobile 5.0 do not support importing personal certificates through File Explorer.

3.3.1 Certificate enrolment

Officially, the only supported way to install a personal certificate on Pocket PC 2003 and Windows Mobile 5.0 is through Windows 2000/2003 Server's Certificate Services. This method is called "web enrolment". Web enrolment is fairly easy to do on desktop Windows PCs: Internet Explorer and an ActiveX control called XEnroll, which speaks an undocumented proprietary protocol, are used to request, download and install a certificate. Pocket PC 2003 and Windows Mobile do not support this type of ActiveX web enrolment. Instead, you use a special "enrolment" program.

"Certificate enrolment" allows you to obtain a certificate from a webserver. So, where do you obtain an enrolment program?
The "Certificates" applet in the Settings->System menu of the Windows Mobile device can only view and delete(!) certificates, not install them. The built-in VPN client is very user unfriendly and little documentation is available from Microsoft. Installing a certificate on Pocket PC 2003 and Windows Mobile 5.0 through web enrolment is not for the faint of heart (especially if you have to compile the ENROLL sample code yourself!).

3.3.2 Certificate import

The problem with web enrolment is that the Windows Mobile device must obtain the certificate from an (internal or external) webserver. Only Windows 2000/2003 Server is supported: the webserver must be IIS and the CA must be Microsoft Certificate Services. It probably also requires Active Directory (read: Client Access Licences!). Being a Linux user myself, I wanted to generate my certificates on a non-Windows CA and use a non-Windows VPN server, so I made P12imprt instead.

Importing a certificate is an alternative to certificate enrolment. PKCS#12 files are often used to distribute personal certificates. PKCS#12 is a standard format for storing private keys and certificates. It is supported by many vendors, including Microsoft. Most VPN clients support PKCS#12. Unfortunately, Microsoft supports importing PKCS#12 files only on Windows Mobile 6, not on Pocket PC 2003 and Windows Mobile 5.0. So you need a "certificate import" program for the latter. So, where do you obtain a certificate import program?
For a comparison of these programs, see this page. I am not aware of any other Pocket PC program that can import a PKCS#12 certificate from a file to the standard Pocket PC certificate stores.

Back to Contents


4. Obtaining a personal certificate in a PKCS#12 certificate file

The minimum you need is a personal certificate and the corresponding private key. These are unique for every user. Usually you also need one or more CA (root or intermediate) certificates. These certificates are shared by all users. In many cases the certificates are issued by your organisation's CA and not by one of the "well-known" CAs such as Verisign or Thawte: using your own CA is less expensive and third-party CAs cannot be implicitly trusted for in-house applications such as VPNs.

In most cases the user credentials (private key plus certificates) are distributed in a PKCS#12 file. This file is handed to you by your system administrator. The PKCS#12 file is encrypted with a password, which is also supplied to you. Alternatively, if you already have a certificate with private key on your desktop (Windows) PC, you can export it from that PC to a PKCS#12 file. You will be asked to enter a password to protect the PKCS#12 file. If you have multiple PCs or PDAs, you actually do not have to request different certificates. You can import the same certificate to all these devices, if you want. In fact, if you obtained your certificate from a well-known CA such as Verisign, exporting to PKCS#12 is probably the only way to get this certificate installed on Pocket PC because these CAs only support desktop PCs for requesting certificates. Instructions for exporting your personal certificate from your browser (Internet Explorer, Mozilla or Netscape) to a PKCS#12 file can be found on this page (note: if you export from IE you should select the option "Include all certificates in the certification path if possible". This will add all intermediate certificates in the PKCS#12 file. This is required because Windows Mobile does not have the ability to automatically retrieve intermediate certificates from a server).

If you are a system administrator you need a CA to generate the keys and certificates for your users. You can for instance use OpenSSL (with or without front-ends such as OpenCA, TinyCA or IDX-PKI) or you could use Windows 2000/2003 Certificate Services. (A note on key sizes: the RSA key is only used for authentication and key exchange; the bulk traffic is protected by the negotiated symmetric cipher, which on these devices is 3DES since Windows Mobile does not appear to support AES. A bigger RSA key therefore does not strengthen the tunnel itself, and RSA operations with a 2048-bit key are noticeably slower on a Pocket PC. Even so, 1024-bit RSA is no longer considered adequate; prefer 2048-bit keys unless the device turns out to be too slow with them.)
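As an added example (not the author's tooling and not the sample certificate shipped with P12imprt), the following POSIX shell script builds with plain OpenSSL the kind of PKCS#12 file this page expects: a throw-away root CA, an intermediate CA, a user certificate with the Client Authentication EKU, the private key plus the whole chain packed into user.p12, and the root exported to DER as root.cer for the File Explorer import described in section 3.2. The names TESTCA/TESTSUB/TESTUSER, the output directory and the export password are placeholders, and OpenSSL 1.1.1 or 3.x on the PATH is assumed. The SHA-1/3DES PBE and SHA-1 MAC options are the important part: OpenSSL 3 defaults to AES-256 with PBKDF2 and a SHA-256 MAC, which CryptoAPI of the Pocket PC era cannot parse.

```shell
#!/bin/sh
# Added example (not the page's own tooling): build a throw-away two-level PKI
# (root CA -> intermediate CA -> user) with OpenSSL and package the user
# credential as a PKCS#12 file that old CryptoAPI importers such as
# Pocket PC 2003 / Windows Mobile can read. Assumptions: OpenSSL 1.1.1 or 3.x
# on the PATH; TESTCA, TESTSUB, TESTUSER and the password are placeholders.
set -eu

# Extension sections for the three certificate types, plus the minimal [req]
# section that "openssl req -config" insists on (the subject comes from -subj).
write_ext_file() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# $1 = output directory, $2 = PKCS#12 export password
make_test_pki() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    write_ext_file "$dir/ext.cnf"
    # Root CA (self-signed). 2048-bit RSA: 1024-bit keys are no longer adequate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=TESTCA" \
        -config "$dir/ext.cnf" -extensions ca_ext \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=TESTSUB" \
        -config "$dir/ext.cnf" -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$dir/ext.cnf" -extensions sub_ext \
        -out "$dir/sub.pem" 2>/dev/null
    # User (personal) certificate with the Client Authentication EKU, signed
    # by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=TESTUSER" \
        -config "$dir/ext.cnf" -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/ext.cnf" -extensions user_ext \
        -out "$dir/user.pem" 2>/dev/null
    # PKCS#12 bundle: key + user cert + the whole chain (Windows Mobile cannot
    # fetch missing intermediates itself). SHA-1/3DES PBE and a SHA-1 MAC are
    # what pre-2010 CryptoAPI understands; OpenSSL 3's AES/PBKDF2 defaults are not.
    cat "$dir/sub.pem" "$dir/root.pem" > "$dir/chain.pem"
    openssl pkcs12 -export -in "$dir/user.pem" -inkey "$dir/user.key" \
        -certfile "$dir/chain.pem" -name TESTUSER \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pass" -out "$dir/user.p12"
    # Root certificate in DER (.cer) so File Explorer on PPC2003/WM5 accepts it.
    openssl x509 -in "$dir/root.pem" -outform DER -out "$dir/root.cer"
}

# Number of certificates inside the PKCS#12 file (expect 3: user, sub, root).
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# 0 if the password opens the file (the MAC verifies), non-zero otherwise.
p12_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out /dev/null >/dev/null 2>&1
}

# 0 if user.pem chains to root.pem through sub.pem.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/user.pem" >/dev/null 2>&1
}

# 0 if the DER file parses as a certificate whose subject CN is $2.
der_cert_has_cn() {
    openssl x509 -inform DER -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2"
}

# Usage: sh make_test_pki.sh demo ./testpki changeit
if [ "${1:-}" = "demo" ]; then
    make_test_pki "${2:-./testpki}" "${3:-changeit}"
    printf '%s certificates in %s/user.p12\n' \
        "$(count_p12_certs "${2:-./testpki}/user.p12" "${3:-changeit}")" "${2:-./testpki}"
fi
```

Copy user.p12 to the device for P12imprt and root.cer for File Explorer. The password is passed on the command line with pass: for brevity, which exposes it in the process list; for real deployments use -passout file: or env:. The check functions are what you would run on a PKCS#12 file handed to you by an administrator before copying it to the device: a wrong password fails the MAC check, and a certificate count lower than the chain length means intermediates are missing.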

Back to Contents



5. Download P12imprt

"P12imprt" consists of a Pocket PC 2003 executable called p12imprt.exe and a few other files. The executable also runs on Windows Mobile 5.0 and Windows Mobile 6. The files are distributed in a zip file. The zip file also contains a sample certificate file user.pfx. If you are interested you can also download the source code: All zip files have been signed with my PGP key. Here is the ChangeLog. The previous version, v0.2 released on 15-Mar-2006, can be downloaded here (sig). V0.3 fixes a problem where imported personal certificates could not be used with S/MIME secure e-mail. The problem was solved by using AT_KEYEXCHANGE instead of AT_SIGNATURE as the key spec, in combination with a patch for PVK support that I had overlooked in OpenSSL's CVS.

(Warning: do not use my sample certificate on a live network and expect things to be secure. You have the private key, but so does everybody else!)

Back to Contents



6. Using P12imprt on Pocket PC 2003, Windows Mobile 5.0 and Windows Mobile 6


Here is how to use P12imprt to import private keys and certificates to the Pocket PC:
View the certificates that have been imported to the Windows Mobile device:
If you have installed my sample root certificate ("TESTCA") and personal certificate ("TESTUSER") you will probably want to delete them afterwards, if only for security reasons. On Pocket PC 2003 SE and Windows Mobile you can use the "Certificates" applet in Settings->System. Tap and hold the name of the certificate with your stylus. A context menu will pop up. Select "Delete" to delete the certificate. On Pocket PC 2003 (first edition) you can view the details of the certificate by tapping its name. In the details window that pops up you will find a "Delete" button. You will need to delete both the personal certificate and the root certificate.

Unfortunately, on Pocket PC 2003 (First and Second Edition) you cannot delete root certificates that have been imported with P12imprt version 0.1. This is due to a bug that has been corrected in version 0.2. If you want to delete the "TESTCA" certificate you can use this workaround.

Back to Contents



7. Status of P12imprt

The current status of P12imprt is as follows. I received reports that P12imprt works on (at least) the following Pocket PC 2003, Windows Mobile 5.0, Windows Mobile 6 and Windows CE devices:
Problems have been reported with the following model(s):
If P12imprt does or does not work on your Windows Mobile device it would be great if you could contact me and let me know, especially if your model is not listed above! I am also interested to learn if there are any problem with the program running in landscape or portrait mode, or with a high-resolution (VGA) or square display. Windows Mobile and Windows CE are modularised which means that vendors are free to leave out support for certain features. If you are out of luck, P12imprt won't run because of this. Note that some Windows Mobile based Smartphones are software locked, so I suspect that P12imprt will not work on Smartphones, even if your generic model is listed above. Please state the Windows Mobile version and your cellular network if you contact me to report success or failure!

Back to Contents



8. Troubleshooting

In case the program reports an error: here is a list of Windows CryptoAPI error codes. These are probably not very helpful if you are not a programmer. Contact me by e-mail if you really can't get it working.

8.1 Root certificate cannot be deleted

There is a bug in P12imprt v0.1 which was corrected in v0.2. The bug is that imported root certificates cannot be deleted on Pocket PC 2003 using the Certificates applet in Settings->System. This problem does not occur on Windows Mobile devices. It was a stupid mistake and I would like to apologise for the inconvenience. You get the following error:

"The certificate issued by TESTCA was not deleted. You do not have sufficient permissions, or the certificate was installed by the device's manufacturer and cannot be deleted."

The bug was that certificates were imported to CERT_SYSTEM_STORE_LOCAL_MACHINE instead of CERT_SYSTEM_STORE_CURRENT_USER.

Root certificates that have already been imported with v0.1 cannot be deleted. This is only a bit of a nuisance if you have imported your own root certificates. But if you have imported the sample certificate ("TESTCA") you would probably want to delete it for security reasons. I have made a program that can delete imported root certificates:

I would have liked a more user friendly graphical interface but this would have taken more time. I don't know enough about programming GUIs on Pocket PC. Any help on this is gladly accepted (e.g. how to make a scrollable list on Windows Mobile and how to select an entry from the list) .

8.2 Problems running P12imprt on Smartphone

There are a number of usability problems with P12imprt on Smartphone. I have not spent much time on this. There are a couple of reasons behind this:
That said, P12imprt should work (with a few quirks) on your Smartphone as long as the root certificate store has not been locked. There are a few usability problems. Here is how you can work around them.
If you can improve support for Smartphones then I would gladly accept your suggestions and source code.

8.3 Problem: "CertOpenStore Root (locked? Smartphone?)"

This error probably means that your root certificate store is "application locked". Is it a Smartphone? The error code 0x5 ("ERROR_ACCESS_DENIED") may be returned. Note that Windows Mobile devices can be "locked" in several ways (read this overview).

Especially Smartphones are prone to this problem: adding a root certificate is a "privileged operation". This means that your Smartphone may not only have a hardware lock (SIM lock, provider lock) but also a software lock! Telecom operators and Smartphone manufacturers do not want you to install applications that are not approved by them. They claim that it is for your own good, so that viruses cannot run on your device and run up your phone bill. This is all part of the whole Digital Rights Management / Trusted Computing situation that you already see on the Xbox and Windows Vista as well. In the future you can expect to see this problem more and more if vendors get their way with this.

To solve your problem, you may have to contact your operator to unlock your device. For instance, Orange has an unlock page for their SPV. The AudioVox SMT5600 and equivalents can be unlocked as well. More information can be found on the Smartphone2000 website. Microsoft has a Knowledge Base article Q841060 where you can download a utility called SPAddCert, but they too refer you to your mobile operator if the Smartphone happens to be software-locked. Some device manufacturers do not supply an unlock utility, but a (digitally signed) Registry editor has been leaked for a number of models, for instance the HTC models (i-mate, Qtek, XDA etc.). You can unlock the device with this leaked registry editor.

Normally an alternative would be to buy a personal certificate issued under one of the 'standard' root CAs already present in the certificate store, so that no new root has to be installed. Unfortunately this alternative will not work because those Certificate Authorities only issue server certificates, not personal certificates...

Windows Mobile based Smartphones won't even run executables or .cab files unless they are signed. That means you will not be able to install your own root certificate or run P12imprt on these Smartphones. In an MSDN blog entry called "How can I add root certs to my Windows Mobile 5.0 device?", Microsoft writes: "We have definitely gotten the message that a lot of customers find themselves in this situation and we feel your pain." Ha! We feel your pain... what a right bunch of hypocrites! They fixed the problem with the release of Windows Mobile 6 but that means forking out more money for a WM6 update or you will have to buy a completely new device.

WARNING: if you have unlocked your Windows Mobile 5.0 based Smartphone with a (leaked) registry editor and you install the MSFP (AKU2) update, it will lock your Smartphone again! And there is a big chance that you won't be able to run the registry editor again because your vendor may have blacklisted it in the MSFP update! (Mental note to self: stay away from Windows based Smartphones).

Version 0.2 of P12imprt will not abort when the root certificate store is locked, but will continue to import just the personal certificate. Of course without the corresponding root certificate it will probably not have much use but I thought the program should continue anyway.

A related problem is that the Smartphone emulator image is locked. Microsoft has released emulator images containing the MSFP (AKU2) update for Pocket PCs and Smartphones. I could install personal certificates and root certificates on the emulated Windows Mobile 5.0 MSFP devices but it failed on the emulated Smartphone. For some reason Microsoft decided to lock the root certificate store of the emulated(!) Smartphone: with P12imprt I could only install a personal certificate on this emulated Smartphone and not a root certificate. I managed to work around this problem by relaxing the 'Grant Manager policy' with the Security Configuration Manager Powertoy for Windows Mobile to 'unlock' the virtual device. Alternatively, I could have converted the root certificate to an XML document and then used RapiConfig to install the certificate through the use of a CAB file.

8.4 Known problem with Smartphone 2003

(This may or may not be relevant to Windows Mobile 5.0 based Smartphones. It depends on whether Microsoft fixed the problem. I guess they have had plenty of time by now).

You managed to import a personal certificate on Smartphone 2003 but when you use Pocket Internet Explorer (PocketIE) to connect to a website that requires certificate authentication, you get an HTTP error ("403.7 Forbidden: Client certificate required").

This is a known issue in the Internet support functionality (WININET) in Smartphone 2003, according to Marcus Perryman from Microsoft. I take it that the personal certificate can still be used for EAP-TLS and L2TP/IPsec VPNs but I am not sure because I do not own a Smartphone. There is also a Usenet discussion about this problem.

Back to Contents



9. Advantages and disadvantages

Advantages of web enrolment:

Disadvantages of web enrolment:

Advantages of P12imprt:

Disadvantages of P12imprt:

Back to Contents



10. P12imprt source code

10.1 Licensing details

P12imprt was written in C/C++ using MFC. The source code of P12imprt is available above. It is licensed as Free Software under the GNU General Public License (GPL).

10.2 Using the source code

The following software is needed to compile P12imprt:
Windows Mobile 5.0 and higher support the PFXImportCertStore() function. This means that it can import PKCS#12 files directly. There are two problems however: Windows Mobile 5.0's Certificates applet in "Settings->System" still does not have an option to import PKCS#12 certificates (screenshot 1, screenshot 2, screenshot 3). The PKCS#12 API is there, but Microsoft just does not use it. The other problem is that PFXImportCertStore() is not available on Pocket PC 2003 (Windows CE 4.2) and earlier. This is why I wrote P12imprt. My idea was to use the PKCS#12 routines included with OpenSSL to parse the PKCS#12 file, convert it to something acceptable to Microsoft's CryptoAPI implementation and then import these datastructures using the regular API, such as CryptImportKey().

I used OpenSSL 0.9.8a which was the current released version when I started working on P12imprt. I then used the patch by Steve Henson which adds support for some Microsoft CryptoAPI datastructures. I simply did not want to wait for the upcoming OpenSSL 0.9.9 and I could not use the CVS version of OpenSSL because it is a work in progress and at the time it did not compile under Windows CE. To compile OpenSSL for Pocket PC (read: Windows CE) I used the WCECOMPAT compatibility library by Steven Reddie. This library compiled correctly for the ARM target but unfortunately not for the emulator target. Perhaps I should recompile P12imprt with a more current version of OpenSSL with native Windows CE support.

For your convenience I have included the (slightly modified) source code of WCECOMPAT and OpenSSL 0.9.8a in the p12imprt_src.zip file. I encountered several other obstacles while compiling these libraries which I had to correct in the code. Put the \wcecompat, \openssl-0.9.8a and \p12imprt directories in the root directory of your drive.

To compile the WCECOMPAT and OpenSSL libraries from the Command Prompt, read \openssl-0.9.8a\INSTALL.WCE. I have added the commands that I use myself at the top of that file. The two main files that are produced by the compilation process are wcecompat\lib\wcecompat.lib and openssl-0.9.8a\out32_ARMV4\libeay32.lib. The p12imprt project depends on these two libraries and the corresponding header files. After compiling the WCECOMPAT object files you may need to rename \wcecompat\include\time.h to some other name when linking P12imprt with wcecompat.lib because of clashes with the regular Windows include files. I have not looked into this yet.

When you double click the file p12imprt\p12imprt.vcw it should start eVC++ and open the P12imprt project. Select "Pocket PC 2003 ARM" and "Pocket PC device" (if not already selected) and then "Build all" from the menu to generate the Pocket PC executable. I have modified the default project settings so that eVC++ can find the additional headers and .lib files of the WCECOMPAT and OpenSSL libraries (see the "C++ Preprocessor" and "Linker" tab pages in the Project Settings).

The code will not compile under Visual Studio 2005 or 2008 because the WCECOMPAT and OpenSSL libraries do not yet support Visual Studio. However, for testing purposes you can configure the P12imprt source code to not use these libraries (you will need to read the public key and private key from a file instead of a PKCS#12 file) but I have not yet tested this on Visual Studio. You would need at least the Standard edition of Visual Studio 2005 which will set you back about US$249, or the Professional edition of Visual Studio 2008 which is even $799. Visual C++ 2005/2008 Express Edition (which is a free download from the Microsoft website) can not be used to build Windows Mobile executables. This is a damn shame!

I used the ARM emulator included with the "Microsoft Device Emulator 1.0" and v2.0 because I don't own a Pocket PC and I could not compile WCECOMPAT for the (non-ARM based) Pocket PC 2003 emulator that ships with eMbedded Visual C++ 4.0. Fortunately this ARM emulator can be installed alongside eVC++ and its own non-ARM based emulator. An inconvenience is that you cannot use the debugger included with eVC++ with this ARM emulator. If you want to use that debugger, you need to use the emulator included with eVC++. Unfortunately, WCECOMPAT and OpenSSL will not compile for the emulator target. For testing purposes there is a workaround: comment out the line "#define WCECOMPAT_OPENSSL 1" in p12imprtDlg.cpp and select "Pocket PC 2003 emulator", then P12imprt will be built without WCECOMPAT/OpenSSL support. You will not be able to import a PKCS#12 file but you can read in a private key and public key from other files (PRIVATEKEYBLOB and personal certificate in DER format).

It's just a quick and dirty hack. Is there anyone with Windows CE / Mobile programming skills who is willing to clean it up?

Back to Contents



11. Web enrolment

If you don't want to import your certificate from a file you can use the web enrolment technique that is recommended by Microsoft. I mention it here only for the sake of completeness, because I find it a bit too limited and much too convoluted.

Web enrolment on Windows Mobile 6 with ActiveSync 4.5 works fine, but I have not been able to get it working on older versions of Windows Mobile. Check out my other webpage for information on web enrolment in general.

Back to Contents



12. Certificates and L2TP/IPsec

Some versions of Windows CE (including Pocket PC 2003 and Windows Mobile) contain a built-in VPN client. This VPN client supports the PPTP protocol and (with most variants of Windows Mobile) also the more secure L2TP/IPsec protocol. L2TP/IPsec supports authentication through X.509 certificates and Preshared Keys (PSKs). Certificates provide better security than PSKs and they do not require static IP addresses or a 'Group Secret' (PSK) that has to be shared by all users. If you want to use certificate authentication with L2TP/IPsec on Windows Mobile you will need to install a personal certificate and a root certificate. (On Windows 2000/XP you install a 'machine certificate' for use with L2TP/IPsec but Windows Mobile devices are mostly single-user so you install a personal certificate). If you would like to know more about the built-in L2TP/IPsec client, read my other webpage.

I imported a personal certificate to the emulator and then proceeded to connect to L2TP/IPsec VPN servers. I could make an L2TP/IPsec connection with the Pocket PC 2003 and Windows Mobile emulators to Openswan and Windows Server 2003 (Windows 2000 Server not yet tested).

Back to Contents



13. Certificates and EAP-TLS

Personal certificates can also be used for EAP-TLS. This is a protocol that is often used to authenticate users in wireless 802.1X networks, including those that are based on WPA or WPA2. Other authentication protocols such as PEAP (Microsoft), LEAP (Cisco), TTLS (Funk) and EAP-FAST (Cisco) use a password for user authentication and a certificate for server authentication. For these protocols you do not need P12imprt. In most cases you would want to buy a server certificate from one of the "trusted" root certification authorities that are present in Windows Mobile devices (mainly Cybertrust, Geotrust, GlobalSign, Entrust, Thawte, Verisign). Or, you would use File Explorer on the Windows Mobile device to install your own CA certificate. In the latter case you would save some money, but it may turn out to be a bit of a hassle if you have a large number of Windows Mobile clients.

EAP-TLS is more secure than PEAP et al. because it uses certificates for both user and server authentication. Plus, EAP-TLS is supported by many vendors and was standardised by the IETF in RFC 2716 (since updated by RFC 5216), whereas the other protocols mentioned are either vendor-specific (LEAP) or have not progressed beyond Internet-Drafts or Informational RFCs. Therefore EAP-TLS is often used by enterprises with strong security requirements. The drawback of EAP-TLS is that personal certificates are more difficult to distribute and manage than passwords or PSKs.

If you attempt to use EAP-TLS without installing a personal certificate, you might get the following message: "Cannot log on to the wireless network. This network requires a personal certificate to positively identify you. Contact your network administrator". (Note: if you are using PEAP, the other EAP protocol supported out of the box by Windows Mobile, and you are still getting this warning, then just ignore the warning. Personal certificates are not required for PEAP and things should work without them. The warning does not make sense).

Personal certificates that are used in EAP-TLS should contain the "Client Authentication" Extended Key Usage purpose (EKU), which has the value "1.3.6.1.5.5.7.3.2".
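To check this before copying the file to the device, here is an added example (not part of the original page or of P12imprt): a small POSIX shell function that reports whether a certificate file, in PEM or DER (.cer), carries the Client Authentication EKU. Run it on the user certificate extracted from the PKCS#12 file with "openssl pkcs12 -in user.p12 -nokeys -clcerts". It assumes OpenSSL 1.1.1 or later; the make_self_signed helper only exists to fabricate test input and its names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): check that a certificate you are
# about to use for EAP-TLS carries the Client Authentication EKU
# (1.3.6.1.5.5.7.3.2, printed by OpenSSL as "TLS Web Client Authentication").
# Works on PEM or DER (.cer) input. Assumes OpenSSL 1.1.1 or later.
set -eu

# Normalise any certificate file to PEM on stdout, sniffing the encoding:
# PEM starts with a "BEGIN CERTIFICATE" marker, DER is binary.
cert_to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        openssl x509 -inform PEM -in "$1"
    else
        openssl x509 -inform DER -in "$1"
    fi
}

# 0 if the EKU extension lists clientAuth, 1 if the extension is absent or
# lists only other purposes (e.g. a server certificate exported by mistake).
has_client_auth_eku() {
    cert_to_pem "$1" | openssl x509 -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Helper used only to produce test input: a self-signed certificate whose EKU
# list is $2 (e.g. "clientAuth" or "serverAuth"); writes $1.pem and $1.key.
# The CN is a placeholder taken from the file name.
make_self_signed() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n[ext]\nextendedKeyUsage=%s\n' \
        "$(basename "$1")" "$2" > "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -extensions ext -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Usage: sh check_eku.sh user.cer   (exit status 0 = usable for EAP-TLS)
if [ $# -eq 1 ]; then
    if has_client_auth_eku "$1"; then
        echo "$1: Client Authentication EKU present"
    else
        echo "$1: Client Authentication EKU missing" >&2
        exit 1
    fi
fi
```

A certificate that fails this check is the usual cause of the "This network requires a personal certificate" message even though a certificate was imported: the supplicant or the RADIUS server rejects a certificate whose EKU does not include clientAuth.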

I have been told that the wireless client may also prompt for a username and a domainname (not a password) to access the wireless network. I don't know the details because I have not been able to use EAP-TLS myself on a Windows Mobile device. I do not own one myself and the Windows Mobile emulator does not emulate wireless interfaces. However, I have received several reports that EAP-TLS works after you installed a personal certificate with P12imprt. There are reports that you may need to soft reset your device before the personal certificate can be used with EAP-TLS.

Back to Contents



14. Certificates and web client authentication

As you probably know, web browsers can secure their connections with the SSL protocol. Most SSL websites use a server certificate to authenticate the server and a username and password for clients that wish to authenticate. The advantage is that this is easy to use. However, some websites (for instance, Internet banking sites) may require personal certificates instead, because these are more secure than usernames and passwords.

Pocket Internet Explorer supports personal certificates for web client authentication. It will prompt "The Web site you want to view requests identification. Select the certificate to use when connecting" (as shown in this screenshot). Never mind Microsoft who say this is not possible. One limitation is that Pocket IE on Pocket PC 2003 and Windows Mobile 5.0 does not support server certificates which contain a wildcard (e.g. *.example.com). This limitation has been resolved in WM6. Another limitation is that Windows Mobile cannot fetch missing intermediate certificates itself (desktop Windows fetches them through the Authority Information Access URL in the certificate), so if the (web)server does not send the complete chain of intermediate certificates on its own initiative, validation fails. You can see exactly which certificates a server sends with openssl s_client -connect host:443 -showcerts. These two limitations do not exist on desktop Windows.

If you would like to test client-side certificate authentication with Windows Mobile, you can obtain a free personal certificate from CAcert.org, install it with P12imprt on your Windows Mobile device and use it to log on to the CAcert "Cert Login" website.

Back to Contents



15. Certificates and Microsoft Office Communicator Mobile Client

The Microsoft Office Communicator Mobile Client is available here. It was announced in April, 2005. If I understand correctly, this is a Windows Mobile client for Microsoft Office Live Communications Server 2005. A business version of the MSN Messenger client with stronger authentication, if you like.

I have received a report that personal certificates installed with P12imprt can be used with (the beta version of) this client.

Back to Contents



16. Certificates and ActiveSync (Exchange)

ActiveSync connections between Windows Mobile and Exchange can be secured with SSL. In fact, this is highly recommended when clients connect over a hostile network such as the Internet. As with any other SSL server, this requires a server certificate to be installed on the IIS / Exchange server. The server presents this server certificate to authenticate itself to clients (you may also need to install the root certificate of your CA on the Windows Mobile device, if it is not already there). Then the clients authenticate to the server. On SSL web servers there are two options for client authentication: basic authentication (usernames/passwords) and certificate based authentication (personal certificates). Personal certificates provide stronger authentication than usernames and passwords, but usernames and passwords are probably easier to use.

I have described my Exchange ActiveSync setup on my other page. See also this webpage by Daniel Petri on using Windows Mobile with Exchange. There is a screencast by Microsoft employee Daniel Melanchthon which shows how to configure Exchange 2003 SP2 and Windows Mobile 5.0 with the MSFP update for direct push e-mail and Exchange Activesync. He shows how to export the root certificate from the Exchange server to the Windows Mobile client. The audio is spoken in German but the video is in English so you should probably get the idea.

If you don't want to install a root certificate, you could disable certificate verification on Windows Mobile. But only do this when testing over a trusted network, e.g. on your own LAN! Don't disable certificate verification when the client connects over the Internet: without it the client accepts any server certificate, so a "Man-In-The-Middle" attack is possible. So, if you are really confident that you can do without certificate verification, you can change a setting on your Windows Mobile device. On Windows Mobile 2003 you have to use the CERTCHK utility from Microsoft (read this article by Daniel Petri). For Windows Mobile 5.0 devices you have to change the registry (read this article by Ben Winzenz).

Now, let's assume that you want clients to authenticate to an Exchange Server with personal certificates, and not with usernames and passwords. According to this Microsoft Knowledge Base article you cannot use personal certificates to connect to Microsoft Exchange ActiveSync (EAS). But that article is a few years old and it refers to Pocket PC 2003; it does not appear to apply to Windows Mobile 5.0 and 6. By the way, the article claims that "the Pocket Internet Explorer component does not support the use of client certificates", but that is incorrect.

Certificate based authentication for Exchange ActiveSync can be enabled as follows:
  1. Start IIS Manager and open the Default Web Site folder.
  2. Open the properties of the /Microsoft-Server-ActiveSync virtual directory and go to "Directory Security".
  3. At "Secure communications", select "Edit". You will probably already have ticked the checkbox "Require secure channel (SSL)". I would also recommend ticking the checkbox "Require 128-bit encryption".
  4. Now here is what's new: select "Require client certificates", then select "Enable client certificate mapping". Save this configuration.
  5. On your Windows Mobile device, go to Start -> Settings -> Memory -> Running programs and make sure that ActiveSync is not running.
  6. Go to Start -> Programs, start ActiveSync and tap "Sync".
The Windows Mobile device should now use the personal certificate to authenticate the ActiveSync connection to the Exchange server. You can verify that by tapping Menu -> Configure server and then Next: instead of the usual username / password window you should see a client certificate window (yeah, client certificates are personal certificates, somebody should tell Microsoft to use consistent terminology). If the Windows Mobile device does not contain a suitable personal certificate, error 85030027 is reported.

There is a known problem in Windows Mobile 5.0 AKU2 when client certificate authenticated ActiveSync is used. Reportedly this has been fixed in some versions of AKU3 and higher. But most Windows Mobile 5.0 devices won't have this fix.

Windows Mobile 6 supports AES cipher suites for SSL/TLS, but (at the time of writing) Schannel on Windows Server 2003, and therefore IIS, does not. So Windows Mobile 6 cannot use AES with Exchange ActiveSync (EAS), because EAS is built on IIS; the connection falls back to a cipher both sides support, such as RC4 or 3DES. Windows Server 2008 does add AES cipher suites to Schannel, but I have not tried it.

Back to Contents



17. Certificates and e-mail encryption (Exchange)

P12imprt v0.1 and v0.2 could not be used with S/MIME (secure e-mail). This problem has been resolved in v0.3. Alternatively, you can use PFXimprt or WM6's built-in certificate installer. For more details about using S/MIME with Windows Mobile, see this page.

Back to Contents


18. Third-party web browsers

Pocket Internet Explorer is included with Windows Mobile. It supports client certificates for authentication to web servers. There are other web browsers available as well.

18.1 NetFront browser

The NetFront browser for Pocket PC ships with a built-in certificate manager. You can access it under the menu 'Tools -> Browser Setting -> Security'. The NetFront certificate manager can import PKCS#12 files, single (root) certificates in DER format, multiple (root) certificates in PKCS#7 format and private keys (not sure what format). NetFront is commercial but a time-limited and crippled version can be downloaded for free.

The NetFront certificate manager is separate from the Windows Mobile native certificate applet. So if you import a (personal or root) certificate with NetFront, the certificate can only be used by NetFront itself. The certificate cannot be used by Pocket IE, L2TP/IPsec or EAP-TLS.

The NetFront certificate manager can be a great alternative to P12imprt if you are already unhappy with Pocket IE and you only want to use web client authentication.

18.2 ThunderHawk

ThunderHawk by Bitstream Inc. is licensed on a subscription basis (US$5.95/month or US$49.95/year). It supports SSL with 128-bit encryption (but is it RC4 or AES?). They also have a trial version. See also this review.

18.3 Mozilla Minimo

Minimo is a small, simple, powerful, innovative, web browser for mobile devices. Because it is a spin-off from the Mozilla project, it is Open Source and free to use. It supports SSLv3 and TLS. Minimo uses the certificates installed in the Windows Mobile native certificate applet. At the time of this writing the current version does not seem to support client certificate authentication, only server authentication.

Back to Contents


19. Discussion

19.1 Protecting the private key of your personal certificate

On desktop Windows you can protect the private key of your personal certificate with a password. Unfortunately this does not appear to be possible on Windows Mobile. So if your Windows Mobile device is lost or stolen, adversaries will be able to read your encrypted e-mail, send signed e-mail, connect to your organisation's wireless network, etc. You may need to implement other countermeasures to prevent unauthorised use of your certificate. For example, your device may be equipped with access controls such as a PIN or a fingerprint reader. This will probably deter casual hackers but not skilled ones with a lot of time and money on their hands, such as certain government agencies and PhD students (well, perhaps not money).

One solution might be to store the private key on a smart card. This would require a small change to the P12imprt source, where PROVIDER_NAME and PROVIDER_TYPE are set, to use the cryptographic service provider ("driver") of the particular smart card. A problem with this solution is that most Windows Mobile devices do not ship with a smart card reader.

If you use a personal certificate for L2TP/IPsec access, adversaries can only connect to your VPN if they also have your PPP password. If you don't like that, don't type your logon password in the VPN settings. Leave the field empty. You will be prompted for the password every time that you connect. It's less convenient but more secure.

P12imprt does not set the CRYPT_EXPORTABLE flag on private keys that are imported. This is the safer choice. When an adversary has physical access to your device and tries to export your private key using the function CryptExportKey(), the function should fail with the error NTE_BAD_KEY_STATE (which translates to: "You do not have permission to export the key. That is, when the hKey key was created, the CRYPT_EXPORTABLE flag was not specified."). I have not actually written a program to test this but I have no reason to disbelieve Microsoft's documentation. Bear in mind that this flag is a policy enforced by the software cryptographic service provider, not a cryptographic protection: an adversary who can read the device's storage directly, bypassing the CryptoAPI, can still recover the key material, so the flag raises the bar but does not remove the risk described at the start of this section. Another reason for not setting the CRYPT_EXPORTABLE flag is that the (legitimate) user is importing from a file. In other words, he already has a (password protected) copy of the certificate and key, so there should be no reason for the legitimate user to re-export the private key. If, for any reason, you do need to re-export the private key, you can take the source code of P12imprt and compile a custom version which does set the CRYPT_EXPORTABLE flag.

19.2 Restoring certificates after cold boot

I have been contacted a few times about a problem with Windows Mobile based devices, in particular devices made by Symbol. These handheld devices use a personal certificate for access to EAP-TLS wireless networks. But after a cold boot (e.g. a battery failure) everything is wiped, including personal certificates that were stored on the device. The question is: how does one make personal certificates persistent on the device?

I am not too familiar with Symbol devices. One option would be to create a command line version of P12imprt so that people can run a script or something like that to restore the personal cert. In theory this should not be too difficult: removing features (such as a GUI) from a program is easier than adding new features. A second option is my other program Crtimprt. It is almost a command-line program. There is a minimal GUI and with a little bit of effort even that GUI can be removed. Both solutions would mean that parameters and passwords are fixed or configured through a text file.

The following solution is suggested by Symbol (thanks to Timothy M. for forwarding this):
  1. Get everything working so you can successfully get on the network (i.e. install certificate, configure wireless profile, etc.).
  2. Export the wireless settings for the profile you are using by going into the radio options and selecting Options->Export. Click on both the "Export Options" and "Export All Profiles" button and save both using the default REG file that is displayed.
  3. Place both files in the ZIP file supplied by Symbol*) into the \Application folder on your Symbol device
  4. Open up Windows Explorer and run SymScript.EXE
  5. Click on the "Run a Script" button
  6. Click on "Browse for a script"
  7. Navigate to the \Application folder and select the CertCapture.spt script file
  8. Click on the "Autostart script on startup" button
  9. Click on the "Yes" button
  10. Warm boot the unit.
  11. The script should automatically run when the device boots up. It will ask if the certificates are set up properly. Click on "Yes".
  12. The script should say that the certificates have been saved.
  13. Cold boot the unit.
  14. After the unit boots up, the script should restore the certificates and then warm boot the unit.
*) This ZIP file can be requested from Symbol. If you are a customer it should be free and a relatively painless procedure.

I understand that Symbol is going to include a PKCS#12 import tool in Fusion version 2.5.5. I don't know the status of this but if they provide their own import tool it would mean that P12imprt is no longer needed on Symbol devices.

19.3 Misc. remarks


I get the impression that Pocket PC 2003 and possibly also Windows Mobile 5.0 do not actually delete the private key when you use the Certificates applet to delete a particular certificate from the "Personal" certificate store. If this is true, it might be a security problem. Note that Microsoft has removed the "Delete" button in Pocket PC 2003 Second Edition and higher. In these new Windows Mobile versions you can delete a (personal or root) certificate by tapping and holding the name in the list.

You can use P12imprt to import personal certificates, root certificates and "intermediate" CA certificates. Unfortunately, intermediate certificates are not shown by the "Certificates" applet in the Control Panel (this has been resolved in WM6), so you cannot view or delete them through the Certificates applet. Windows Mobile cannot retrieve other recipients' certificates through LDAP. I don't know if it checks the revocation status of certificates (e.g. through OCSP or a CRL specified in the certificate), but I suspect it does not.

Back to Contents


20. Importing certificates on Blackberry and PalmOS

20.1 PalmOS based devices

I have been asked if a similar program exists for other platforms such as Blackberry, PalmOS and Symbian. First off, my certificate import programs run only on Windows Mobile devices. Palm makes Windows Mobile devices (the Treo 'w' models) and P12imprt runs on those. P12imprt does not run on Symbian devices such as the N70/N80/N95, nor does it run on PalmOS devices such as the Tungsten or the TX. I'm sympathetic to PalmOS and Symbian but I do not own a current device, nor is there a free emulator; otherwise I would have researched the options more thoroughly. I did manage to collect the following information.

It appears that on PalmOS each application requires its own support for certificates:

20.2 Blackberry

Blackberry supports client certificates for use with S/MIME secure e-mail. It requires Blackberry Enterprise Server (BES) and Exchange Server.

Back to Contents


21. Importing certificates on Symbian

This section has been moved to a separate page.

Back to Contents

22. Acknowledgements and disclaimers

Thanks go to:
And to everyone who helps by reporting success or failure with their device!

My crack team of lawyers advised me to include the following text. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). This page shows screenshots of a device resembling an iPAQ but this does not necessarily mean an endorsement of, or by, HP/Compaq or any other company. I disclaim everything anyway :-). Windows, Windows Mobile, Pocket PC and Windows CE are trademarks of Microsoft Corporation. The author of this webpage is not associated with Microsoft or any other company mentioned on the page. All trademarks are owned by their respective companies. 

Back to Contents



23. Revision history

Oct 1, 2007: Added more on Symbian.
Jun 6, 2007: P12imprt v0.3 released. Imported certificates can now be used with S/MIME.
Oct 26, 2006: Added info on PalmOS and Symbian devices.
Oct 17, 2006: PGP Mobile may be re-released, according to PGP representatives.
May 23, 2006: Sending/signing e-mail with the MSFP update requires Exchange. Bummer!
May 23, 2006: Emulator for Windows Mobile released. Pocket PC images with the MSFP update.
Mar 15, 2006: Bug reported and fixed: imported root certs could not be deleted. v0.2 released. If you have downloaded P12imprt.zip before, please replace it with the latest version.
Feb 9, 2006: First report of P12imprt running on an actual Pocket PC device.
Feb 8, 2006: P12imprt runs on Pocket PC 2003 and Windows Mobile 5.0 (on the emulators, at least).
May 18, 2005: Some Windows CE 5.0 devices apparently do ship with a certificate panel utility. But Windows Mobile 5.0 Pocket PC devices do not.
May 12, 2005: Windows Mobile 5.0 announced. Supports PFXImportCertStore()! New emulator released.

Jacco de Leeuw