Installing certificates on Windows Mobile 6

Last update: Dec 13, 2007

1.1 Introduction

Windows Mobile 6 has improved support for installing certificates. There are two methods for installing a certificate on your device: you can either import a certificate from a file or you can "enrol" at a Certificate Authority using HTTP. Previous versions of Windows Mobile could only import root certificates. Windows Mobile 6 now also supports importing a personal certificate from a PKCS#12 file. Windows Mobile 6 is also the first version to support the certificate enrolment feature in ActiveSync 4.5. Once an X.509 personal certificate is installed, you can use it for user authentication on the Pocket PC. The imported certificate can be used in the following scenarios:
1.2 Author

The author of this document is Jacco de Leeuw (contact me). Corrections, additions, extra information etc. are much appreciated.

3. Background information

Windows Mobile 6 for Pocket PC, which is often abbreviated to WM6, is based on a lightweight variant of Windows called Windows CE. As mentioned in the introduction, there are three main applications of Personal Certificates: L2TP/IPsec, EAP-TLS and web client authentication.

A number of things are new in WM6:

(Read this section of the P12imprt webpage for more background information).

4. Obtaining a PKCS#12 certificate file

Read this section on the P12imprt webpage if you don't know how to obtain or create a personal certificate and corresponding private key.

5. Importing a certificate on Windows Mobile 6

You can import root certificates and personal certificates. Root certificates need to be in PEM (text, Base64 encoded) or DER (binary) format. Root certificate files have the extension .cer or .p7b and contain a single certificate or a PKCS#7 certificate chain. Personal certificates need to be in PKCS#12 format and have the extension .pfx or .p12. PKCS#12 files typically contain a personal certificate and its corresponding private key, a root certificate and optionally a number of intermediate CA certificates.
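Before copying a file to the device it is worth checking that its contents really are what the extension promises, since a PKCS#12 bundle renamed to .cer (or a PEM root saved as .p12) will simply fail to import. The following is an added example, not code from this page or from the P12imprt project: a stdlib-only Python sniffer that looks at the outer ASN.1 structure to tell PEM, DER X.509, PKCS#7 and PKCS#12 apart and reports whether the extension matches what WM6 expects. The sample inputs are constructed minimal DER skeletons (only the leading elements that distinguish the formats), not real certificates.

```python
"""Sniff certificate-file formats that Windows Mobile 6 can import (added example)."""
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
EXPECTED_EXT = {"x509-pem": {".cer"}, "x509-der": {".cer"},
                "pkcs7": {".p7b"}, "pkcs12": {".pfx", ".p12"}}

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def sniff_format(data):
    """Return 'x509-pem', 'x509-der', 'pkcs7', 'pkcs12' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        if b"-----BEGIN CERTIFICATE-----" in data:
            return "x509-pem"
        return "pkcs7" if b"-----BEGIN PKCS7-----" in data else "unknown"
    if not data or data[0] != 0x30:                     # all DER forms here start with SEQUENCE
        return "unknown"
    try:
        _, body, _ = _tlv(data)
        inner_tag, inner_val, _ = _tlv(body)
    except IndexError:
        return "unknown"
    if inner_tag == 0x02 and inner_val == b"\x03":      # PFX ::= SEQUENCE { version INTEGER(3) ...}
        return "pkcs12"
    if inner_tag == 0x06 and inner_val == PKCS7_SIGNED_DATA_OID:  # ContentInfo { signedData ...}
        return "pkcs7"
    if inner_tag == 0x30:                               # Certificate ::= SEQUENCE { tbsCertificate ...}
        return "x509-der"
    return "unknown"

def check_import_file(name, data):
    """Return (detected format, True if the extension is what WM6 expects for it)."""
    fmt = sniff_format(data)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return fmt, ext in EXPECTED_EXT.get(fmt, set())

def _der_seq(*children):
    """Wrap already-encoded children in a DER SEQUENCE (short-form lengths suffice here)."""
    body = b"".join(children)
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample inputs: minimal skeletons, not real certificates or keys.
SAMPLE_P12 = _der_seq(b"\x02\x01\x03", _der_seq(b"\x06\x09" + bytes.fromhex("2a864886f70d010701")))
SAMPLE_P7B = _der_seq(b"\x06\x09" + PKCS7_SIGNED_DATA_OID, b"\xa0\x00")
SAMPLE_CER = _der_seq(_der_seq(b"\x02\x01\x01"))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n"
```

A real .pfx/.p12 or .cer/.p7b from disk can be passed the same way (`check_import_file(path, open(path, "rb").read())`); the sniffer only inspects the first two ASN.1 elements, so passphrase-protected PKCS#12 files are recognised without being decrypted.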

Here is how to import a file containing one or more certificates on the Windows Mobile device:
View the certificates that have been imported to the Pocket PC device:
If you have installed my sample root certificate ("TESTCA") and personal certificate ("TESTUSER") you will probably want to delete them afterwards. Use the "Certificates" applet in Settings->System. Tap and hold the name of the certificate. A context menu will pop up. Select "Delete" to delete the certificate.

6. Importing a personal certificate with PFXimprt or P12imprt

Both my programs P12imprt and PFXimprt work on WM6. But unlike WM6's built-in certificate installer, they will cause WM6 to display a popup. I would recommend P12imprt over PFXimprt.
If you tap "Block", WM6 will not allow the certificate to be installed. However, there is something odd with WM6. If the root certificate already exists, P12imprt / PFXimprt asks you if you want to overwrite the certificate or not. If you select "Overwrite", WM6 asks if you want to block or install the root certificate. If you tap "Block", the root certificate will not be overwritten but for some reason WM6 deletes the existing root certificate instead of leaving it alone. Looks like a bug to me. You would expect the CertAddEncodedCertificateToStore(CERT_STORE_ADD_REPLACE_EXISTING) call to be an atomic operation.

On some locked devices such as Smartphones the root certificate may fail to install, even if you allow WM6 to continue. In such cases it is recommended to use WM6's built-in certificate installer.

Older versions of P12imprt and Crtimprt did not import certificates correctly for use with S/MIME. This has been resolved in updated versions.

7. Web enrolment

Web enrolment is an alternative to importing a certificate from a file. Clients "enrol" at a web-based Certificate Authority. Enrolment means that you contact a certificate server and request the server to issue a certificate. The server will ask for your credentials, such as a username and password, before issuing the certificate. Enrolment requires a web enrolment utility on the Windows Mobile device and Microsoft Certificate Services on the server (no other CA is supported). Web enrolment is (somewhat) documented on the Microsoft website.

7.1 Web enrolment with ActiveSync

Windows XP and earlier use ActiveSync for web enrolment.

Some vendors ship an enrolment utility for previous versions of Windows Mobile, but Windows Mobile 6 now contains built-in support for web enrolment. However, this only works in combination with ActiveSync 4.5. Older versions of Windows Mobile such as WM5 are not supported by the enroller included with ActiveSync 4.5: the menu option "Get Device Certificates" will remain ghosted.

This is not a tutorial on web enrolment. If you encounter problems, contact the vendor of your device (or try contacting Microsoft Support).

First, you need to configure your Windows Server for web enrolment:

Then, you use ActiveSync on your PC to enrol at the CA server:
7.2 Web enrolment with Windows Vista Mobile Device Center

Windows Vista requires the Vista Mobile Device Center. Apparently there is already some kind of rudimentary Mobile Device Center included with Windows Vista, but you still need to download and install the full Mobile Device Center from the Microsoft website. Microsoft provides some instructions but these are minimal. See the section "Setting up your device for certificate enrolment". I have not tried it myself but this document claims that enrolment is "automatic" and that it requires Exchange server. I could not find a place to enter the Exchange server's address in Vista Mobile Device Center, so I assume that Outlook is also required on the desktop PC. Mind you, ActiveSync 'only' required IIS / Microsoft Certificate Services but not Exchange server or Outlook. So, migrating to Vista means buying into Microsoft's other product offerings as well, if you insist on using web enrolment. This increases the cost of ownership.

UPDATE: a new version of the Windows Mobile Device Center is available. It appears to support certificate enrolment with WM6 devices, but it requires Exchange Server. This increases the cost of ownership significantly.

8. Acknowledgements and disclaimers

My crack team of lawyers advised me to include the following text. This page shows screenshots of a device resembling a Pocket PC but this does not necessarily mean an endorsement of or by any company. I disclaim everything anyway :-). Windows, Windows Mobile, Pocket PC and Windows CE are trademarks of Microsoft Corporation. The author of this webpage is not associated with Microsoft or any other company mentioned on the page. All trademarks are owned by their respective companies.

9. Revision history

May 21, 2007: Initial version. WM6 emulator images available.

Jacco de Leeuw