DisableCertChk.Exe – Disabling Certificate Verification on Windows Mobile 5


I’ve had a number of emails from customers asking where they can find the DisableCertChk.Exe tool for Windows Mobile 5. The Windows Mobile 2003 version is at http://www.microsoft.com/downloads/details.aspx?FamilyID=D88753B8-8B3A-4F1D-8E94-530A67614DF1&displaylang=en and is used to allow Windows Mobile devices to connect to Exchange servers without verifying the root certificate authority against the certificate trust list on the device. The device still uses SSL to connect to Exchange, but with the certificate check disabled, certificates from untrusted certificate authorities are accepted without generating errors.


Unfortunately I’m not aware of a version for Windows Mobile 5. In the meantime, you can get certificates for $149 for a year from Geotrust Europe (http://www.geotrusteurope.com/quickssl/index.htm), and that price reduces if you buy multiple years.


If this is just a short-term trial, look at something like the Verisign free trial (http://www.verisign.co.uk/products-services/security-services/ssl/buy-ssl-certificates/free-trial/index.html).

I’ll post here if I do find one 🙂


Final point – The DisableCertChk.exe tool should be used only for testing purposes. Do not use this tool in your normal production environment.




Comments (9)
  1. Hi Jason,

    The problem here is that WM5 defines adding a trusted root certificate as a trusted operation that requires a trusted signed version of certinst.exe. Not all WM5 devices today carry a trusted version, which makes installing your own certificate virtually impossible. You have to hack your device’s security policy to make it work.

    For the certificate part. I got my trusted SSL certificate from http://www.instantssl.com. 3 years for $139! Make sure you get the certificate signed by the GTE Trusted Root otherwise the certificate will not work on WM5.

    My 2 cents

    Ray

  2. MSDNArchive says:

    Ray – good points well made – the OEM or Operator controls the setting of that policy when the device is shipped so it’s something they can perhaps help with in configuration

  3. rodger says:

    Thanks for posting this Jason. This problem is absolutely ludicrous and obviously a nod to the vestigial certificate peddlers.

    My public multi-national company has been using its own CA servers for all internal services trouble free for many years. Now people can’t synchronize their contacts with Exchange because of this. There better be a fix for installing root certs coming soon or else we will all move to RIM.

    What is really the problem with having cert checking disabled on a PDA? I mean real-life situations here.

  4. Dave Field says:

    Why do customers want this tool? Is it really strictly for test or are any of them really considering this for a deployment? Can’t they just use self-signed certs for testing? I would really like to find a way to not have to expose this functionality.

    Removing trust validation for the server cert is insecure on many levels. The most obvious threat is that it would allow a malicious server to phish your credentials.

  5. Raymond says:

    OK, this might sound repetitive but I have to ask,

    Is there going to be a tool like DisableCertChk.Exe for MS Mobile 5 to disable certs?

    Is there a way to achieve this on the device by any other means (editing the registry)?

  6. MSDNArchive says:

    Raymond – Dave Field – one of my colleagues asked – Why do customers want this tool? Is it really strictly for test or are any of them really considering this for a deployment? Can’t they just use self-signed certs for testing? I would really like to find a way to not have to expose this functionality.

    Removing trust validation for the server cert is insecure on many levels. The most obvious threat is that it would allow a malicious server to phish your credentials.

    Are you able to help him understand your need for the app?

  7. Raymond says:

    Jason, every time I read the blog again I didn’t realise you replied to me. My customers are currently using about 1000 units of the PPC 6600 with the DisableCert tool. They don’t care about the security aspect. They are about to migrate to the 6700 using Windows M 5, and if they can’t disable the certs that’s a big no go for them.

    I have given them alternatives to getting it to work by installing root certs and modifying the server, but apparently they don’t like that option. So it would be awesome if you can release a similar tool to DisableCertChk.Exe for Mobile 5. After all, the customer should have the option to take any direction they want.

Comments are closed.
