Certificate stores

Certificate stores contain the digital certificates of a mobile device. By default, Windows Mobile-based devices have the following set of certificate stores:

  • The ROOT store contains trusted root certificates which
    identify root certification authorities. This store typically contains
    certificates from a trusted public certification authority.
  • The CA store contains trusted intermediate certificates which identify intermediate certification authorities.
  • The MY store contains the user’s personal client certificates.

Note To store root certificates securely on a Windows Mobile-based device, Windows Mobile uses the CryptoAPI certificate store.

Microsoft Exchange ActiveSync is a program in Microsoft Exchange Server 2003 that is used to examine the root certificate store on a Windows Mobile-based device. Exchange ActiveSync is used to verify that the certificate on a server to which a Windows Mobile-based device connects is issued by a trusted authority.

Root certificates that are installed on a Windows Mobile-based device

The following root certificates are installed on a Windows Mobile-based device:

  • Class 2 Public Primary Certification Authority (VeriSign, Inc.)
  • Class 3 Public Primary Certification Authority (VeriSign, Inc.)
  • Entrust.net Certification Authority (2048)
  • Entrust.net Secure Server Certification Authority
  • Equifax Secure Certification Authority
  • GlobalSign Root CA
  • GTE CyberTrust Global Root
  • GTE CyberTrust Root
  • Secure Server Certification Authority (RSA)
  • Thawte Premium Server CA
  • Thawte Server CA

Note Windows Mobile 5.0 with AKU2 (MSFP) has the following additional root certificate installed:

http://www.valicert.com/

We recommend that you install a certificate that is issued by an authority that the device trusts. Alternatively, install a certificate that is issued by a company that is chained to an authority that the device trusts.

Known third-party Secure Sockets Layer (SSL) certificates are issued by trusted root certification authorities that have a root store presence in Windows Mobile-based devices.

Sometimes you may have to issue a self-signed certificate or to obtain a certificate from a certification authority that the device does not trust. In this case, Exchange ActiveSync cannot use SSL certificates unless the root certificate can be installed on the device. Whether a root certificate can be installed on the device depends on how the device was configured by the original equipment manufacturer (OEM) or by the mobile operator.
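The trust decision described above, and the .cer file that the installation steps later in this article copy to the device, as an added shell example that is not part of the Microsoft article: it builds a throwaway root, intermediate and server certificate with openssl, emulates the device ROOT store as a PEM file, and checks which server certificates verify against it. The CA names, the host name mail.example.test and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the KB article: emulate the device ROOT store with
# openssl and check which server certificates would chain to it. The CA names,
# the host name mail.example.test and every file name here are constructed.
set -e
WORK=$(mktemp -d) && cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext

# newkey NAME CN: RSA key plus CSR for NAME with the given subject CN.
newkey() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}
# selfsign NAME EXT: self-signed certificate (a root) from NAME's CSR.
selfsign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -extfile "$2" \
    -out "$1.pem" >/dev/null 2>&1
}
# sign NAME ISSUER EXT: certificate for NAME issued with ISSUER's key.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
}
# chain_ok LEAF STORE [INTERMEDIATES]: succeeds only when LEAF chains to a root
# in STORE; INTERMEDIATES stands in for the CA store / certs the server sends.
chain_ok() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

newkey root 'Example Root CA';          selfsign root ca.ext      # root the OEM shipped
newkey inter 'Example Intermediate CA'; sign inter root ca.ext
newkey srv mail.example.test;           sign srv inter srv.ext    # chained to the trusted root
newkey other 'Other Root CA';           selfsign other ca.ext     # CA the device does not trust
newkey srv2 mail.example.test;          sign srv2 other srv.ext

cp root.pem device_root_store.pem                       # ROOT store as shipped
cat root.pem other.pem > updated_store.pem              # ROOT store after installing the other root
openssl x509 -in other.pem -outform DER -out other.cer  # the .cer file you would copy to the device

report() { label=$1; shift; if chain_ok "$@"; then echo "trusted:  $label"; else echo "rejected: $label"; fi; }
report "server via intermediate"        srv.pem  device_root_store.pem inter.pem
report "server, intermediate missing"   srv.pem  device_root_store.pem
report "server under untrusted root"    srv2.pem device_root_store.pem
report "same server, root installed"    srv2.pem updated_store.pem
```

The second and third cases are the failures Exchange ActiveSync would report: an intermediate the server does not send, and a root that is not in the device store until it is installed.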

How to install root certificates

Only trusted processes can install certificates. On a two-tier device, only privileged applications can run trusted processes. Therefore, the device manager (the OEM or the mobile operator) must let you install a certificate. Alternatively, the device manager must sign the application with a certificate that is in the privileged execution certificate store on the device.

When you are granted a device manager role on a Windows Mobile-based device, you can install a root certificate file by using the built-in certificate installer. To use the built-in certificate installer, follow these steps:

  1. Connect the mobile device to the computer.
  2. On the computer, start ActiveSync 4.1, and then click Explore.
  3. Copy the root certificate file (.cer) to the device.
  4. On the device, run the .cer file that is associated with the built-in Certinst.exe file.

If the security policy on the Windows Mobile-based device
prevents the built-in certificate installer from working, try the
following steps to install the certificate:

  1. Download the SmartPhoneAddCert.exe tool to your computer.
    The following file is available for download from the Microsoft Download Center:

    Download the SmartPhoneAddCert.exe package now.
    (http://download.microsoft.com/download/0/3/b/03b3162a-c093-4434-917c-4b289d027ceb/smartphoneaddcert.exe)

    Note Some mobile operators provide a signed version of this tool. If a signed version is available for your device, download the signed version.

  2. Run SmartPhoneAddCert.exe to extract the contents to a folder on your computer.
  3. Copy SmartPhoneAddCert.exe to your device.
  4. On your device, create a folder that is named "Storage". SmartPhoneAddCert.exe searches for the certificate in this folder.
  5. Copy the root certificate (.cer file) to the Storage folder on your device.
  6. Run SmartPhoneAddCert.exe. Click to select the .cer file that you copied to the Storage folder, and then install the root certificate.