Installing certificates on Windows Mobile 6

Last update: Dec 13, 2007

1.1 Introduction

Windows Mobile 6 has improved support for installing certificates. There are two methods for installing a certificate on your device: you can either import a certificate from a file or you can "enrol" at a Certificate Authority using HTTP. Previous versions of Windows Mobile could only import root certificates. Windows Mobile 6 now also supports importing a personal certificate from a PKCS#12 file. Windows Mobile 6 is also the first version to support the certificate enrolment feature in ActiveSync 4.5.

Once an X.509 personal certificate is installed, you can use it to for user authentication on the Pocket PC. The imported certificate can be used in the following scenarios:

User authentication in L2TP/IPsec VPNs (more info).
Web client authentication in Pocket Internet Explorer (SSL, HTTPS) (more info).
User authentication in 802.1x wireless networks (EAP-TLS only) (more info).
Exchange ActiveSync certificate-based authentication (more info).
Microsoft Office Communicator Mobile Client (more info).
Sending and receiving encrypted e-mail (more info).
Other third-party applications that happen to support Personal certificates.

1.2 Author

The author of this document is Jacco de Leeuw (contact me). Corrections, additions, extra information etc. are much appreciated.

2. Contents

Introduction
Contents
Background information
Obtaining a PKCS#12 certificate file
Importing a certificate on Windows Mobile 6
Importing a personal certificate with PFXimprt or P12imprt
Web enrolment
Acknowledgements and disclaimer
Revision history

3. Background information

Windows Mobile 6 for Pocket PC, which is often abbreviated to WM6 is based on a light-weight variant of Windows called Windows CE. As mentioned in the introduction, there are three main applications of Personal Certificates: L2TP/IPsec, EAP-TLS and web client authentication.

A number of things are new in WM6:

PKCS#12 files can now be imported directly with File Explorer. Previously you needed an application such a P12imprt or PFXimprt.
The "Certificates" applet in the System menu shows "Intermediate" certificates. Previous versions of Windows Mobile already supported intermediate certificates, but they were not displayed by the "Certificates" applet. So you could not view or delete them.
Certificate web enrolment is supported when used with ActiveSync 4.5.
The built-in certificate installer will install root certificates even if your device is locked. On previous versions of Windows Mobile this was a privileged operation which failed on locked devices.
Wildcard certificates (e.g. CN=*.example.com) are supported with SSL.
WM6 ships with a few more root certificates: AAA Certificate Services, AddTrust External CA Root, Baltimore CyberTrust Root, GeoTrust Global CA, Go Daddy Class 2 Certification Authority, www.valicert.com, Starfield Class 2 Certification Authority (see also this page).

(Read this section of the P12imprt webpage for more background information).

Back to Contents

4. Obtaining a PKCS#12 certificate file

Read this section on the P12imprt webpage if you don't know how to obtain or create a personal certificate and corresponding private key.

Back to Contents

5. Importing a certificate on Windows Mobile 6

You can import root certificates and personal certificates. Root certificates need to be in PEM (text, Base64 encoded) or DER (binary) format. Root certificate files have the extension .cer or .p7b and contain a single certificate or a PKCS#7 certificate chain. Personal certificates need to be in PKCS#12 format and have the extension .pfx or .p12. PKCS#12 files typically contain a personal certificate and its corresponding private key, a root certificate and optionally a number of intermediate CA certificates.

Here is how to import a file containing one or more certificates on the Windows Mobile device:

Copy the certificate file to your Windows Mobile 6 device. You can use any method to do the transfer: ActiveSync, a flash memory card, Bluetooth, infrared etc.
Tap "Start", "Programs" and "File Explorer".
Tap the certificate file that you want to import. (Note: File Explorer does not show extensions, so make sure you select the correct file, for example by checking the file size).
Enter the password that was used to encrypt the PKCS#12 file. No password have to be entered for importing root certificate files.
The certificate(s) included in the file are imported: "One ore more certificates were installed successfully.". If an equivalent certificate (i.e. with the same name) already exists on your Windows Mobile device, it will be silently overwritten. So make sure you tap the correct certificate file.
Exit File Explorer.

View the certificates that have been imported to the Pocket PC device:

In the Settings menu, tap the "System" tab. Then tap "Certificates".
Select the "Personal" tab if it has not been selected already. At the top of the page the following text is displayed: "Use personal certificates to positively identify yourself to others."
If you imported a PKCS#12 file, you should see the newly added personal certificate. If you tap the name of this personal certificate, you should see its details. Tap "OK" to return to the previous window.
Tap the "Root" tab. You should now see the new root certificate that you added. If you tap on the name of this root certificate, you should see its details.
Tap the "Intermediate" tab. If there were any intermediate certificates in the PKCS#12 or PKCS#7 file you should see them here. If you tap on the name of an intermediate certificate, you should see its details.

If you have installed my sample root certificate ("TESTCA") and personal certificate ("TESTUSER") you will probably want to delete them afterwards. Use the "Certificates" applet in Settings->System. Tap and hold the name of the certificate. A context menu will pop up. Select "Delete" to delete the certificate.

Back to Contents

6. Importing a personal certificate with PFXimprt or P12imprt

Both my programs P12imprt and PFXimprt work on WM6. But unlike WM6's built-in certificate installer, they will cause WM6 to display a popup. I would recommend P12imprt over PFXimprt.

In general, follow the instructions on my P12imprt page.
Run P12imprt.exe, enter the password and tap "Import certificate".
You will see a popup asking whether you want to block or install the root certificate in the file: "Your device is being asked to install a security certificate."
Tap "More". There will be another popup with yet another warning.
Tap "Install". (Optionally you can tap "Requester" for verification. This will display the SHA-1 thumbprint of the certificate, its issuer and its subject).

If you tap "Block", WM6 will not allow the certificate to be installed. However, there is something odd with WM6. If the root certificate already exists, P12imprt / PFXimprt asks you if you want to overwrite the certificate or not. If you select "Overwrite", WM6 asks if you want to block or install the root certificate. If you tap "Block", the root certificate will not be overwritten but for some reason WM6 deletes the existing root certificate instead of leaving it alone. Looks like a bug to me. You would expect the CertAddEncodedCertificateToStore(CERT_STORE_ADD_REPLACE_EXISTING) call to be an atomic operation.

On some locked devices such as Smartphones the root certificate may fail to install, even if you allow WM6 to continue. In such cases it is recommended to use WM6's built-in certificate installer.

Older versions of P12imprt and Crtimprt did not import certificates correctly for use with S/MIME. This has been resolved in updated versions.

Back to Contents

7. Web enrolment

Web enrolment is an alternative to importing a certificate from a file. Clients "enrol" at a webbased Certificate Authority. Enrolment means that you contact a certificate server and request the server to issue a certificate. The server will ask for your credentials, such as a username and password, before issuing the certificate. Enrolment requires a web enrolment utility on the Windows Mobile device, and on the server Microsoft Certificate Services is required (no other CA is supported). Web enrolment is (somewhat) documented on the Microsoft website.

7.1 Web enrolment with ActiveSync

Windows XP and earlier use ActiveSync for web enrolment.

Some vendors ship an enrolment utility for previous versions of Windows Mobile but Windows Mobile 6 now contains a built-in support for web enrolment. But this only works in combination with ActiveSync 4.5. Older versions of Windows Mobile such as WM5 are not supported by the enroller included with ActiveSync 4.5: the menu option "Get Device Certificates" will remain ghosted.

This is not a tutorial on web enrolment. If you encounter problems, contact the vendor of your device (or try contacting Microsoft Support).

First, you need to configure your Windows Server to web enrolment:

Install IIS on your Windows Server.
Install Certificate Services CA and Certificate Services Web Enrollment (screenshots) on your Windows Server.
According to the Windows Help file, if you installed IIS after installing CA services, you need to run "certutil -vroot".
The Windows Server must be configured to immediately issue certificates (no human interaction required), otherwise the client will abort the web enrolment procedure. Open Certificate Authority (mmc certsrv.msc), open the properties of your CA, click the tab "Policy module ", click Properties, pick "Follow the setting in the certificate template, if applicable. Otherwise, automatically issue the certificate". This obviously means that you don't have manual control over what certificates are issued to whom, but that's the way it is.
You may have to load the Authenticated Session and User Signature Only templates.
Test your certificate web enrolment setup by using a browser on a desktop PC. Obtain a "User" certificate by surfing to:
http://exchange.example.com/certsrv where exchange.example.com is the hostname of your Windows Server. You will be asked for your account credentials (a valid username and password) to enrol for a certificate. Depending on your IIS settings you may need to use HTTPS instead.
Verify in Certificate Authority (mmc certsrv.msc) that the test certificate has been issued. It should be in the "issued" folder, not in "pending", "revoked" or "failed". You should now be able to pick up and install the certificate on the desktop PC.

Then, you use ActiveSync on your PC to enrol at the CA server:

Download and install ActiveSync 4.5 or higher on your Windows 2000/2003/XP desktop PC.
Cradle your Windows Mobile device.
Start ActiveSync.
Click on the menu "Tools -> Configure Server Source".
Enter the server's hostname and your account credentials.
Click on the menu "Tools -> Advanced Tools -> Get Device Certificates".
A window called "Get Device Certificates" will be displayed. Initially there will be no certificate types shown.
Select "Certificate types from Active Directory".
Select the "User" certificate type.
Click "Enroll".
A window will be displayed: "A security certificate is being requested for your device. You should continue only if you trust this certificate server." The hostname of the server is displayed in the windows.
However, I found that the domain name was not appended and for some reason WM6 could not reach this server by its hostname alone. I resolved this by adding a new certificate type:

I selected "Certificate types from device".
I clicked "Add".
I entered the hostname of the server, plus a name for the certificate type. I selected "User" as the Certificate Template Name. I also enabled "SSL" because I had already installed a root certificate on the Windows Mobile device.
I clicked "OK" and selected the certificate type that was just created. At this stage I could click "Enroll" and continue with the remaining steps of the procedure.

ActiveSync displays this message: "You must approve the request on the currently connected device." The Windows Mobile device displays this popup: "You should continue only if you started a certificate enrolment from the PC that is connected to your device."
Enter your account credentials.
The enrolment will be in progress.
If all goes well, the enrolment should succeed.

7.2 Web enrolment with Windows Vista Mobile Device Center

Windows Vista requires the Vista Mobile Device Center. Apparently there is already some kind of rudimentary Mobile Device Center included with Windows Vista, but you still need to download and install the full Mobile Device Center from the Microsoft website. Microsoft provides some instructions but these are minimal. See the section "Setting up your device for certificate enrolment". I have not tried it myself but this document claims that enrolment is "automatic" and that it requires Exchange server. I could not find a place to enter the Exchange server's address in Vista Mobile Device Center, so I assume that Outlook is also required on the desktop PC. Mind you, ActiveSync 'only' required IIS / Microsoft Certificate Services but not Exchange server or Outlook. So, migrating to Vista means buying into Microsoft's other product offerings as well, if you insist on using web enrolment. This increases the cost of ownership.

UPDATE: a new version of the Windows Mobile Device Center is available. It appears to support certificate enrolment with WM6 devices, but it requires Exchange Server. This increases the cost of ownership significantly.

Back to Contents

8. Acknowledgements and disclaimers

My crack team of lawyers advised me to include the following text. This page shows screenshots of a device resembling a Pocket PC but this does not necessarily mean an endorsement of or by any company. I disclaim everything anyway :-). Windows, Windows Mobile, Pocket PC and Windows CE are trademarks of Microsoft Corporation. The author of this webpage is not associated with Microsoft or any other company mentioned on the page. All trademarks are owned by their respective companies.

Back to Contents

9. Revision history

May 21, 2007: Initial version. WM6 emulator images available.

Jacco de Leeuw