How to add your own root cert via CAB file

This post explains how to install a root cert on a one-tier device via a CAB file. For explanations of why you would want to add a root cert and alternate methods of doing so, see the discussion of root certs with Exchange ActiveSync. This method will work for any one-tier prompt device, including the Treo 700W and Motorola Q.

[8/11/06] An even easier way to create this XML is to use the tool here.

Open up the cert in Explorer. You can do this by double-clicking the .cer file, using the MMC snap-in, or clicking through the SSL lock UI in IE.

If this is a certificate chain, then examine the root cert. Adding the leaf cert to the root store will not work.

Look at the thumbprint of the certificate. Save this string because you will need it later.

If you don't have the certificate on disk already, select "Copy Certificate" to export the certificate to the filesystem in Base-64 format.

Construct certificate XML using the store, thumbprint, and base64 encoded certificate blob. The XML for our example case would look like this:

<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="97817950d81c9670cc34d809cf794431367ef474">
        <parm name="EncodedCertificate" value="BASE64_ENCODED_CERTIFICATE_BLOB"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

Save the XML file as _setup.xml and make it into a cab file: makecab _setup.xml rootcert.cab

Now install the cab file on the device. You're done!
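
The manual steps above (read the thumbprint, export Base-64, assemble the XML) can be scripted. The following is an added example, not code from the original post: it accepts a .cer in DER or Base-64 form, refuses a cert whose issuer differs from its subject (the leaf-cert mistake noted above), and emits the provisioning XML. The function names and the constructed sample bytes are assumptions made for illustration.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

# Constructed DER skeleton (not a real certificate): issuer == subject.
SAMPLE_ROOT = bytes.fromhex("30183016a003020102020101300030030c0141300030030c0141")

def cert_to_der(data):
    """Accept a .cer in DER or Base-64 (PEM) form; return raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def is_self_issued(der):
    """True when issuer == subject, i.e. the cert can be a root, not a leaf."""
    _, p, _ = tlv(der, 0)                   # step into Certificate
    _, p, _ = tlv(der, p)                   # step into tbsCertificate
    tag, _, end = tlv(der, p)
    if tag == 0xA0:                         # optional [0] version
        p = end
    fields = []                             # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        _, _, end = tlv(der, p)
        fields.append(der[p:end])
        p = end
    return fields[2] == fields[4]

def build_provisioning_xml(cert_bytes, store="ROOT"):
    der = cert_to_der(cert_bytes)
    if not is_self_issued(der):
        raise ValueError("issuer != subject: export the root of the chain instead")
    thumb = hashlib.sha1(der).hexdigest()   # thumbprint = SHA-1 over the DER bytes
    doc = ET.Element("wap-provisioningdoc")
    node = ET.SubElement(doc, "characteristic", type="CertificateStore")
    node = ET.SubElement(node, "characteristic", type=store)
    node = ET.SubElement(node, "characteristic", type=thumb)
    # Assumption: the value is the bare Base-64 of the DER, no PEM header lines.
    ET.SubElement(node, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode())
    return ET.tostring(doc, encoding="unicode")
```

Write the returned string to _setup.xml, then run makecab as described above.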