Personal Certificate Import Utility for Windows Mobile 5.0 and 6

Last update: Jun 8, 2008

There is now a similar program that works on Pocket PC 2003, Windows Mobile 5.0 and Windows Mobile 6.
You can import a certificate directly from a PKCS#12 or PFX file ("P12imprt"). Source code available under the GNU Public License. I will probably not be able to do further work on PFXimprt because Microsoft's development platform for Windows Mobile 5.0 and 6 is no longer free...

1.1 Introduction

I have made PFXimprt, a free program for Windows Mobile 5.0 and Windows Mobile 6. The program allows you to import: Once an X.509 personal certificate is installed, you can use it for user authentication on the Windows Mobile device. The imported certificate can be used in the following scenarios:
(Skip the smalltalk, get me straight to the installation procedure!)

The page that you are now reading describes how you can import a PKCS#12 certificate file to Windows Mobile 5.0 or Windows Mobile 6. Such a PKCS#12 file typically contains a personal certificate and its corresponding private key, a root certificate and optionally a number of intermediate CA certificates. The reason I made the PFXimprt program was that I wanted to connect with Windows Mobile to a Linux VPN Server. It turns out that PFXimprt can be used for other purposes too. I have also made a program called Crtimprt for Windows Mobile 2003-based Pocket PCs.

You do not need PFXimprt (or Crtimprt or P12imprt) in the scenarios that are listed here. Make sure that what you want to achieve is not listed there, to avoid any unnecessary work. In particular, PFXimprt works fine on Windows Mobile 6 but WM6 already has built-in support for importing PKCS#12 files.

I do not own a Windows Mobile device so currently I could only test PFXimprt on an emulator. I'm interested in both positive and negative feedback. Let me know if it worked or not!

1.2 Author

The author of this document is Jacco de Leeuw (contact me). Corrections, additions, extra information etc. are much appreciated.

2. Contents

3. Background information

Windows Mobile 6 and Windows Mobile 5.0 for Pocket PC (often abbreviated to WM6 and WM5.0, respectively), are based on a light-weight variant of Windows called Windows CE. As mentioned in the introduction, there are three main applications of Personal Certificates: L2TP/IPsec, EAP-TLS and web client authentication.

(Read this section of the P12imprt webpage for more background information).

4. Obtaining a PKCS#12 certificate file

Read this section on the P12imprt webpage if you don't know how to obtain or create a personal certificate and corresponding private key.

5. Download PFXimprt

"PFXimprt" consists of a Windows Mobile 5.0 ARMV4 executable called pfximprt.exe and a few other files. The executable also runs on WM6. The files are distributed in a zip file. This zip file also contains a sample certificate file user.pfx. The source code is included.
All zip files have been signed with my PGP key. Here is the ChangeLog.

(Warning: never use my sample certificate on a live network and expect things to be secure. You have the private key, but so does everybody else!)

6. Using PFXimprt on Windows Mobile 5.0 or 6

Here is how to use PFXimprt to import private keys and certificates to the Windows Mobile device:
View the certificates that have been imported to the Windows Mobile device:
If you have installed my sample root certificate ("TESTCA") and personal certificate ("TESTUSER") you will probably want to delete them afterwards. On Windows Mobile 5.0 you can use the "Certificates" applet in Settings->System. Tap and hold the name of the certificate. A context menu will pop up. Select "Delete" to delete the certificate.

7. Status of PFXimprt

The current status of PFXimprt is as follows. I received reports that PFXimprt works on (at least) the following Windows Mobile 5 and Windows CE devices:
Problems have been reported with the following model(s):
If PFXimprt does or does not work on your Windows Mobile device it would be great if you could contact me and let me know, especially if your model is not listed above! I am also interested to learn if there are any problems with the program running in landscape or portrait mode, or with a high-resolution (VGA) or square display. Windows Mobile and Windows CE are modularised which means that vendors are free to leave out support for certain features. In most cases PFXimprt should run but with a bit of bad luck, PFXimprt may not run because of this modularisation. Note that some Windows Mobile based Smartphones are software locked, so I suspect that PFXimprt will not work on your Smartphone, even if the generic model is listed above. Please state your cellular network if you contact me to report success or failure!

8. Troubleshooting

In case the program reports an error code: here is a list of Windows CryptoAPI error codes. Write down the error code and contact me by e-mail if you can't get it working.

8.1 Problem: "PFXImportCertStore failed: 0x00000005"

(See also this section on my P12imprt page).

This error probably means that your root certificate store is "application locked". Is it a Smartphone? The error code 0x5 ("ERROR_ACCESS_DENIED") may be returned. Note that Windows Mobile devices can be "locked" in several ways (read this overview).

The function PFXImportCertStore() copies the contents of the PKCS#12 file to a convenient data structure that Windows Mobile knows how to handle (a "Certificate Store"). The private key included in the PKCS#12 file is copied to memory under the "Current User" key in the registry. However, it seems that on devices such as Smartphone this part of the registry is application-locked.

8.2 Problem: "Unable to add Root Cert to Root Cert store"

This is probably the same problem as mentioned above, only you got a little bit further... The Personal Certificate was imported but the Root Certificate was not. This happens when the Root Certificate Store is locked by the device vendor. The Personal Certificate is installed but without a matching root certificate it will not be valid.

8.3 Problem: "PFXImportCertStore failed: 0x00000056"

You probably entered an incorrect password for the PKCS#12 file ("ERROR_INVALID_PASSWORD").

8.4 Known problem with Smartphone 2003

(This may or may not be relevant to Windows Mobile 5.0 based Smartphones. It depends on whether Microsoft fixed the problem. I guess they have had plenty of time by now).

You managed to import a Personal Certificate on Smartphone 2003 but when you use Pocket Internet Explorer (PocketIE) to connect to a website that requires certificate authentication, you get an HTTP error ("403.7 Forbidden: Client certificate required").

This is a known issue in the Internet support functionality (WININET) in Smartphone 2003, according to Marcus Perryman from Microsoft. I take it that the Personal Certificate can still be used for EAP-TLS and L2TP/IPsec VPNs but I am not sure because I do not own a Smartphone. There is also a Usenet discussion about this problem.

8.5 Trustcenter bug

There is a bug in PFXimprt which pops up with free personal certificates issued by Trustcenter. The root certificate of "TC TrustCenter Class 1 CA" expired on 31-12-2005 13:56:33 GMT. PFXimprt incorrectly installs the root certificate as a personal certificate. If this occurs, remove the spurious root certificate from the personal certificate store and try again with P12imprt. I can probably fix this bug in PFXimprt but my beta copy of Visual Studio expired, and I don't want to spend any money on it. So I am stuck with eMbedded Visual C++ which is a free download (P12imprt is developed with it).
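The store-selection step behind the problems in 8.2 and 8.5, as an added example (not PFXimprt's own code; the page does not say what causes the Trustcenter bug). The `cert_info` struct, the function names and the sample values are assumptions made for illustration: the store is chosen from the certificate's role alone, while expiry and a missing root are reported separately.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical, simplified view of one certificate read from a PKCS#12 file. */
typedef struct {
    const char *subject, *issuer;
    int has_private_key;     /* 1 if the file carries the matching key */
    time_t not_after;        /* end of the validity period */
} cert_info;
typedef enum { STORE_MY, STORE_ROOT, STORE_CA } store_id;

/* The store follows the certificate's role only; validity is not consulted. */
store_id choose_store(const cert_info *c) {
    if (c->has_private_key) return STORE_MY;                   /* personal */
    if (strcmp(c->subject, c->issuer) == 0) return STORE_ROOT; /* self-signed */
    return STORE_CA;                                           /* intermediate */
}

/* Expiry is reported separately so the user can be warned about it. */
int is_expired(const cert_info *c, time_t now) { return c->not_after < now; }

/* 1 if issuer names from `leaf` lead to a self-signed certificate in the bundle. */
int has_root_for(const cert_info *certs, size_t n, const cert_info *leaf) {
    const char *want = leaf->issuer;
    for (size_t hops = 0; hops < n; hops++) {
        const cert_info *found = NULL;
        for (size_t i = 0; i < n && !found; i++)
            if (strcmp(certs[i].subject, want) == 0) found = &certs[i];
        if (!found) return 0;        /* chain breaks: no root in the file */
        if (strcmp(found->subject, found->issuer) == 0) return 1;
        want = found->issuer;
    }
    return 0;                        /* issuer loop without a self-signed end */
}

/* Constructed sample: the page's TESTUSER/TESTCA names, made-up epoch times. */
static const cert_info sample[] = {
    { "TESTUSER", "TESTCA", 1, 3000 },
    { "TESTCA",   "TESTCA", 0, 1000 },   /* root already past its end date */
};

int main(void) {
    static const char *names[] = { "MY", "Root", "CA" };
    for (size_t i = 0; i < 2; i++)
        printf("%-8s -> %-4s%s\n", sample[i].subject, names[choose_store(&sample[i])],
               is_expired(&sample[i], 2000) ? " (expired)" : "");
    return has_root_for(sample, 2, &sample[0]) ? 0 : 1;
}
```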

9. Advantages and disadvantages

PFXimprt has the same advantages and disadvantages as P12imprt, with one exception: PFXimprt's executable is much smaller than the P12imprt and PFXimprt but it does not run on Windows Mobile 2003.

10. PFXimprt source code

10.1 Licensing details

PFXimprt was written in C/C++ using MFC. The source code of PFXimprt is available above. It is licensed as Free Software under the GNU Public License.

10.2 Using the source code

To compile the source code you will need Visual Studio (I used Visual Studio 2005 Beta 2 which was free). Unfortunately, you will need at least the Standard edition which will set you back about $249. Visual C++ 2005 Express Edition (which is a free download from the Microsoft website) cannot be used to build Windows Mobile executables. This is a damn shame! The PFXimprt project was created with Visual Studio 2005 but presumably you can import it in Visual Studio 2008 as well. However, the situation is even worse for Visual Studio 2008. To develop Windows Mobile apps you need at least the Visual Studio 2008 Professional edition which is listed at $799. (In Euros or British Pounds this is even more). I believe there are free Windows CE / Pocket PC versions of the GNU CC compiler but I don't know if they can be used.

The PFXimprt source code is located in the directory pfximprt/source/ of the zip file. When you open the file pfximprt1.sln it should start Visual Studio and open the project. Select "Build solution" from the menu to generate the executable for either the emulator or the device.

I will not be able to work on PFXimprt anymore because my beta version of Visual Studio 2005 expired on May 1, 2006. The prices of Visual Studio 2005 Standard and Visual Studio 2008 Professional are a bit too steep for me, especially since I don't make any money off PFXimprt.

11. Web enrolment

If you don't want to import your certificate from a file you can use the web enrolment technique that is recommended by Microsoft. I mention it here only for the sake of completeness, because I find it a bit too limited and much too convoluted.

Web enrolment on Windows Mobile 6 works fine, but I have not been able to get it working on older versions of Windows Mobile. Check out my other webpage for information on web enrolment in general.

13. NetFront browser

See the remarks about the NetFront browser on the P12imprt webpage.

14. Discussion

14.1 Importing PKCS#12 files directly

Windows Mobile 5.0 was released in 2005 and it supports the PFXImportCertStore() function. This means that it can import PKCS#12 files directly. This programming interface was absent in all previous versions of Windows Mobile. Unfortunately, Windows Mobile 5.0 does not have an option to import PKCS#12 certificates (Screenshot 1, screenshot 2, screenshot 3). That is why I wrote PFXimprt. Windows Mobile 6 does support importing PKCS#12 files using File Explorer.

14.2 Misc. remarks

See the remarks on the P12imprt webpage.

15. Acknowledgements and disclaimers

Thanks go to:
And to everyone who helps by reporting success or failure with their device!

My crack team of lawyers advised me to include the following text. This page shows screenshots of a device resembling a Windows Mobile device but this does not necessarily mean an endorsement of or by any company. I disclaim everything anyway :-). Windows, Windows Mobile, Pocket PC and Windows CE are trademarks of Microsoft Corporation. The author of this webpage is not associated with Microsoft or any other company mentioned on the page. All trademarks are owned by their respective companies.

16. Revision history

Jun 8, 2008: Forgot to mention a bug with Trustcenter certificates.
May 23, 2007: Moved S/MIME info to separate page.
Jan 17, 2007: Tested with Exchange, added info on S/MIME.
Mar 16, 2006: v0.2 released. Small bugfix, which did not actually lead to a problem on Windows Mobile 5.0.
Jan 29, 2006: First report of PFXimprt running on an actual Windows Mobile device.
Jan 17, 2006: PFXimprt runs on Windows Mobile 5.0 (on the emulator, at least).
May 18, 2005: Some Windows CE 5.0 devices apparently do ship with a certificate panel utility. But Windows Mobile 5.0 Pocket PC devices do not.
May 12, 2005: Windows Mobile 5.0 announced. Supports PFXImportCertStore()! New emulator released.

Jacco de Leeuw