Personal Certificate Import Utility for Windows Mobile 5.0 and 6
Last update: Jun 8, 2008
There is now a similar program, P12imprt, that works on Pocket PC 2003, Windows Mobile 5.0 and Windows Mobile 6. It can import a certificate directly from a PKCS#12 or PFX file. Its source code is available under the GNU Public License. I will probably not be able to do further work on PFXimprt because Microsoft's development platform for Windows Mobile 5.0 and 6 is no longer free...
1.1 Introduction
I have made PFXimprt, a free program for Windows Mobile 5.0 and Windows Mobile 6. The program allows you to import:
- A "Personal Certificate" issued by any Certificate Authority (CA).
- A private key which corresponds to this certificate.
- Zero, one or more "Root Certificates".
- Zero, one or more "Intermediate CA Certificates".
Once an X.509 personal certificate is installed, you can use it for user authentication on the Windows Mobile device. The imported certificate can be used in the following scenarios:
- User authentication in L2TP/IPsec VPNs (more info).
- Web client authentication in Pocket Internet Explorer (SSL, HTTPS) (more info).
- User authentication in 802.1x wireless networks (EAP-TLS only) (more info).
- Exchange ActiveSync certificate-based authentication (more info).
- Microsoft Office Communicator Mobile Client (more info).
- Sending and receiving encrypted e-mail (more info).
- Other third-party applications that happen to support personal certificates.
(Skip the small talk, get me straight to the installation procedure!)
The page that you are now reading describes how you can import a PKCS#12 certificate file to Windows Mobile 5.0 or Windows Mobile 6. Such a PKCS#12 file typically contains a personal certificate and its corresponding private key, a root certificate and optionally a number of intermediate CA certificates. The reason I made the PFXimprt program was that I wanted to connect with Windows Mobile to a Linux VPN server. It turns out that PFXimprt can be used for other purposes too. I have also made a program called Crtimprt for Windows Mobile 2003-based Pocket PCs.
You do not need PFXimprt (or Crtimprt or P12imprt) in the scenarios that are listed here. Make sure that what you want to achieve is not listed there, to avoid any unnecessary work. In particular, PFXimprt works fine on Windows Mobile 6, but WM6 already has built-in support for importing PKCS#12 files.
I do not own a Windows Mobile device, so currently I could only test PFXimprt on an emulator. I'm interested in both positive and negative feedback. Let me know if it worked or not!
1.2 Author
The author of this document is Jacco de Leeuw (contact me).
Corrections, additions, extra information etc. are much appreciated.
3. Background information
Windows Mobile 6 and Windows Mobile 5.0 for Pocket PC (often abbreviated to WM6 and WM5.0, respectively) are based on a light-weight variant of Windows called Windows CE. As mentioned in the introduction, there are three main applications of personal certificates: L2TP/IPsec, EAP-TLS and web client authentication. (Read this section of the P12imprt webpage for more background information.)
4. Obtaining a PKCS#12 certificate file
Read this section on the P12imprt webpage if you don't know how to obtain or create a personal certificate and corresponding private key.
5. Download PFXimprt
"PFXimprt" consists of a Windows Mobile 5.0 ARMV4 executable called pfximprt.exe and a few other files. The executable also runs on WM6. The files are distributed in a zip file. This zip file also contains a sample certificate file, user.pfx. The source code is included. All zip files have been signed with my PGP key. Here is the ChangeLog.
(Warning: never use my sample certificate on a live network and expect things to be secure. You have the private key, but so does everybody else!)
6. Using PFXimprt on Windows Mobile 5.0 or 6
Here is how to use PFXimprt to import private keys and certificates to the Windows Mobile device:
- Copy the pfximprt.exe executable to the Windows Mobile device. You can use any method to do the transfer: ActiveSync, a flash memory card, network share, Bluetooth, infrared etc. (The pfximprt.exe file is a Windows Mobile executable, not a Win32 executable. You can't use it on your desktop Windows computer.)
- Copy the certificate file (in PKCS#12 format) to your Windows Mobile device.
- Execute pfximprt.exe by tapping it in File Explorer. (Note: File Explorer does not show extensions, so the file should show up as 'pfximprt'.)
- Enter the location of the PKCS#12 file or use the 'Browse' button. By default, pfximprt will look for the file "user.pfx" in your "My Documents" folder. (The actual pathname of that folder depends on the language version of your Windows Mobile device. In the English version it is "\My Documents", the German version uses "\Meine Dokumente", etc.)
- Enter the password that was used to encrypt the PKCS#12 file. (Don't tap the "Enter" key in the virtual keyboard, otherwise the program will exit.)
- The certificates included in the file will be imported. If an equivalent certificate (i.e. with the same name) already exists on your Windows Mobile device, PFXimprt will ask if you want to overwrite the existing certificate. You can respond by tapping Yes, No or Cancel. If you tap Cancel, this certificate and any remaining certificates will not be imported, but certificates that were already imported will not be removed.
- You should see a message reporting the total number of (Personal, Root, Intermediate CA) certificates that have been imported.
- Exit PFXimprt by tapping "Ok".
View the certificates that have been imported to the Windows Mobile device:
- In the Settings menu, tap the "System" tab. Then tap "Certificates".
- Select the "Personal" tab if it has not been selected already. The top of the page should say: "Use personal certificates to positively identify yourself to others."
- You should see the newly added certificate.
- If you tap on the name of this personal certificate, you should see its details. Tap "OK" to return to the previous window.
- Tap on the "Root" tab. You should now see the new root certificate that you added. If you tap on the name of this root certificate, you should see its details.
If you have installed my sample root certificate ("TESTCA") and personal certificate ("TESTUSER") you will probably want to delete them afterwards. On Windows Mobile 5.0 you can use the "Certificates" applet in Settings->System. Tap and hold the name of the certificate. A context menu will pop up. Select "Delete" to delete the certificate.
7. Status of PFXimprt
The current status of PFXimprt is as follows. I received reports that PFXimprt works on (at least) the following Windows Mobile 5 and Windows CE devices:
- Dell Axim X51v
- HP iPAQ rx5900
- HTC Apache (Sprint PPC-6700 / UT-Starcom PPC6700 / Audiovox PPC6700)
- HTC Prophet (Qtek S200 / Dopod 818 Pro / O2 Xda neo / Orange SPV M600 / i-mate Jamin)
- HTC TyTN 9600
- HTC Universal (i-mate Jasjar / Qtek 4040 / Qtek 9000 / O2 XDA Exec / T-Mobile MDA Pro / Vodafone VPA IV / Vodafone V1640 / Orange SPV M5000 / Dopod 900 / Grundig GR980)
- HTC Wizard (Cingular 8125 / i-Mate KJAM / Qtek 9100 / O2 Xda Mini S / T-Mobile MDA Vario)
- Mitac Mio A701
- Motorola Q
- The "Microsoft Device Emulator 1.0"
- The "Microsoft Device Emulator 2.0"
- The device emulator included with Visual Studio 2005.
- (Contact me to get your device listed here!)
Problems have been reported with the following model(s):
- Qtek 2020: for some reason Qtek did not include the "Certificates" applet on this model. So be warned that you cannot view or delete certificates, unless you are prepared to use a registry editor (Hkey_current_user/comm/security/systemcertificates/my/certificates).
- Symbol MC9090G (Windows CE 5.0): PFXimprt does not start, possibly because of missing libraries.
- T-Mobile Dash: the certificate store appears to be locked. The Dash is an OEM model of the HTC Excalibur.
If PFXimprt does or does not work on your Windows Mobile device it would be great if you could contact me and let me know, especially if your model is not listed above! I am also interested to learn if there are any problems with the program running in landscape or portrait mode, or with a high-resolution (VGA) or square display. Windows Mobile and Windows CE are modularised, which means that vendors are free to leave out support for certain features. In most cases PFXimprt should run, but with a bit of bad luck PFXimprt may not run because of this modularisation. Note that some Windows Mobile based Smartphones are software locked, so I suspect that PFXimprt will not work on your Smartphone, even if the generic model is listed above. Please state your cellular network if you contact me to report success or failure!
8. Troubleshooting
In case the program reports an error code: here is a list of Windows CryptoAPI error codes. Write down the error code and contact me by e-mail if you can't get it working.
8.1 Problem: "PFXImportCertStore failed: 0x00000005"
(See also this section on my P12imprt page.)
This error probably means that your root certificate store is "application locked". Is it a Smartphone? The error code 0x5 ("ERROR_ACCESS_DENIED") may be returned. Note that Windows Mobile devices can be "locked" in several ways (read this overview).
The function PFXImportCertStore() copies the contents of the PKCS#12 file to a convenient data structure that Windows Mobile knows how to handle (a "Certificate Store"). The private key included in the PKCS#12 file is copied to memory under the "Current User" key in the registry. However, it seems that on devices such as Smartphone this part of the registry is application-locked.
8.2 Problem: "Unable to add Root Cert to Root Cert store"
This is probably the same problem as mentioned above, only you got a little bit further... The Personal Certificate was imported but the Root Certificate was not. This happens when the Root Certificate Store is locked by the device vendor. The Personal Certificate is installed, but without a matching root certificate it will not be valid.
8.3 Problem: "PFXImportCertStore failed: 0x00000056"
You probably entered an incorrect password for the PKCS#12 file ("ERROR_INVALID_PASSWORD").
8.4 Known problem with Smartphone 2003
(This may or may not be relevant to Windows Mobile 5.0 based Smartphones. It depends on whether Microsoft fixed the problem. I guess they have had plenty of time by now.)
You managed to import a Personal Certificate on Smartphone 2003, but when you use Pocket Internet Explorer (PocketIE) to connect to a website that requires certificate authentication, you get an HTTP error ("403.7 Forbidden: Client certificate required"). This is a known issue in the Internet support functionality (WININET) in Smartphone 2003, according to Marcus Perryman from Microsoft. I take it that the Personal Certificate can still be used for EAP-TLS and L2TP/IPsec VPNs, but I am not sure because I do not own a Smartphone. There is also a Usenet discussion about this problem.
8.5 Trustcenter bug
There is a bug in PFXimprt which pops up with free personal certificates issued by Trustcenter. The root certificate of "TC TrustCenter Class 1 CA" expired on 31-12-2005 13:56:33 GMT. PFXimprt incorrectly installs the root certificate as a personal certificate. If this occurs, remove the spurious root certificate from the personal certificate store and try again with P12imprt.
I can probably fix this bug in PFXimprt, but my beta copy of Visual Studio expired, and I don't want to spend any money on it. So I am stuck with eMbedded Visual C++, which is a free download (P12imprt is developed with it).
9. Advantages and disadvantages
PFXimprt has the same advantages and disadvantages as P12imprt, with one exception: PFXimprt's executable is much smaller than P12imprt's, but it does not run on Windows Mobile 2003.
10. PFXimprt source code
10.1 Licensing details
PFXimprt was written in C/C++ using MFC. The source code of PFXimprt is available above. It is licensed as Free Software under the GNU Public License.
10.2 Using the source code
To compile the source code you will need Visual Studio (I used Visual Studio 2005 Beta 2, which was free). Unfortunately, you will need at least the Standard edition, which will set you back about $249. Visual C++ 2005 Express Edition (which is a free download from the Microsoft website) cannot be used to build Windows Mobile executables. This is a damn shame! The PFXimprt project was created with Visual Studio 2005, but presumably you can import it in Visual Studio 2008 as well. However, the situation is even worse for Visual Studio 2008. To develop Windows Mobile apps you need at least the Visual Studio 2008 Professional edition, which is listed at $799. (In Euros or British Pounds this is even more.) I believe there are free Windows CE / Pocket PC versions of the GNU CC compiler, but I don't know if they can be used.
The PFXimprt source code is located in the directory pfximprt/source/ of the zip file. When you open the file pfximprt1.sln it should start Visual Studio and open the project. Select "Build solution" from the menu to generate the executable for either the emulator or the device.
I will not be able to work on PFXimprt anymore because my beta version of Visual Studio 2005 expired on May 1, 2006. The prices of Visual Studio 2005 Standard and Visual Studio 2008 Professional are a bit too steep for me, especially since I don't make any money off PFXimprt.
11. Web enrolment
If you don't want to import your certificate from a file, you can use the web enrolment technique that is recommended by Microsoft. I mention it here only for the sake of completeness, because I find it a bit too limited and much too convoluted.
Web enrolment on Windows Mobile 6 works fine, but I have not been able to get it working on older versions of Windows Mobile. Check out my other webpage for information on web enrolment in general.
13. NetFront browser
See the remarks about the NetFront browser on the P12imprt webpage.
14. Discussion
14.1 Importing PKCS#12 files directly
Windows Mobile 5.0 was released in 2005 and it supports the PFXImportCertStore() function. This means that it can import PKCS#12 files directly. This programming interface was absent in all previous versions of Windows Mobile.
Unfortunately, Windows Mobile 5.0 does not have an option to import PKCS#12 certificates (screenshot 1, screenshot 2, screenshot 3). That is why I wrote PFXimprt. Windows Mobile 6 does support importing PKCS#12 files using File Explorer.
14.2 Misc. remarks
See the remarks on the P12imprt webpage.
15. Acknowledgements and disclaimers
Thanks go to:
And to everyone who helps by reporting success or failure with their device!
My crack team of lawyers advised me to include the following text. This page shows screenshots of a device resembling a Windows Mobile device, but this does not necessarily mean an endorsement of or by any company. I disclaim everything anyway :-). Windows, Windows Mobile, Pocket PC and Windows CE are trademarks of Microsoft Corporation. The author of this webpage is not associated with Microsoft or any other company mentioned on the page. All trademarks are owned by their respective companies.
16. Revision history
Jun 8, 2008: Forgot to mention a bug with Trustcenter certificates.
May 23, 2007: Moved S/MIME info to a separate page.
Jan 17, 2007: Tested with Exchange, added info on S/MIME.
Mar 16, 2006: v0.2 released. Small bugfix, which did not actually lead to a problem on Windows Mobile 5.0.
Jan 29, 2006: First report of PFXimprt running on an actual Windows Mobile device.
Jan 17, 2006: PFXimprt runs on Windows Mobile 5.0 (on the emulator, at least).
May 18, 2005: Some Windows CE 5.0 devices apparently do ship with a certificate panel utility. But Windows Mobile 5.0 Pocket PC devices do not.
May 12, 2005: Windows Mobile 5.0 announced. Supports PFXImportCertStore()! New emulator released.
Jacco de Leeuw