Adding Root Certificates for Exchange ActiveSync

How can I add root certs to my Windows Mobile 5.0 device?

 

In WM 5.0, the certchk tool no longer works for disabling SSL certificate verification on the Exchange ActiveSync connection. What are the options for secure connections to the server?

- Buy an SSL certificate from a major vendor. You should be able to get one for < $100. If you do this, the connections will just work. Launchpad page to find an SSL cert vendor here.

- If you have management access to the device, you can add your self-signed cert to the ROOT store directly via rapiconfig, a CAB file, or the certinst.exe tool. Whether this works depends on the security configuration of the device: on a Pocket PC in the default configuration it is possible, but on a Smartphone in the default configuration it is not. In some cases you will need to add the intermediate certs as well. (details)

- Some OEMs or mobile operators provide certificate installers for their platform.
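For the rapiconfig / CAB option above, this added example (not code from the original post or from Microsoft) builds the provisioning XML that places a certificate in the ROOT store and, where needed, an intermediate in the CA store. It assumes the CertificateStore configuration service provider layout, in which each entry is keyed by the certificate's SHA-1 thumbprint; the sample bytes are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder input so the example runs offline; substitute the
# bytes of your own exported .cer/.pem file.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def load_der(data: bytes) -> bytes:
    """Return DER bytes from either a PEM or a raw DER certificate file."""
    m = PEM_RE.search(data.decode("latin-1"))
    if m:
        return base64.b64decode("".join(m.group(1).split()), validate=True)
    return data


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, the value Windows displays as Thumbprint."""
    return hashlib.sha1(der).hexdigest()


def provisioning_xml(certs) -> str:
    """certs: iterable of (store, cert_bytes); store is 'ROOT' or 'CA'."""
    by_store = {}
    for store, data in certs:
        if store not in ("ROOT", "CA"):  # only the stores this page discusses
            raise ValueError(f"unexpected store: {store}")
        by_store.setdefault(store, []).append(load_der(data))
    out = ['<wap-provisioningdoc>', '  <characteristic type="CertificateStore">']
    for store, ders in by_store.items():
        out.append(f'    <characteristic type="{store}">')
        for der in ders:
            b64 = base64.b64encode(der).decode("ascii")
            out.append(f'      <characteristic type="{thumbprint(der)}">')
            out.append(f'        <parm name="EncodedCertificate" value="{b64}"/>')
            out.append('      </characteristic>')
        out.append('    </characteristic>')
    out += ['  </characteristic>', '</wap-provisioningdoc>']
    return "\n".join(out)


if __name__ == "__main__":
    print(provisioning_xml([("ROOT", SAMPLE_PEM)]))
```

The output can be handed to rapiconfig or packaged as `_setup.xml` inside a CAB. Compare the thumbprint in the XML against the one shown on the server's certificate before deploying, since anything placed in ROOT is trusted for every SSL connection the device makes.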

If you can't buy a cert that chains to a major root, you can't manage the device, and there is no signed installer for your platform, there is not a good way to do this in WM 5. We have definitely gotten the message that a lot of customers find themselves in this situation and we feel your pain.

There is some more documentation and instructions around this process in the MSFP Deployment Guide.

edit: MSDN page about adding root certs here. The page also has a signed cert installer for Sprint and Verizon devices.

update 1/10: iMate provides a certificate installer application for the SP5 series of phones. Link here

update 3/8/06: Added link to MSDN page showing choices for where to buy root certs and which ones are supported on which OS versions.

update 4/4/06: Added link to creating a root cert CAB file inline. Linked forward to page about intermediate certs.

update 4/6/06: link to deployment guide