What are the Certificate Stores?


What are the different Certificate stores on Windows Mobile?

ROOT
This store contains root certificates. They are primarily used for SSL chain validation. This store can be inspected via the Certificates Control Panel page. This store has NOTHING to do with code execution.


MY
This store contains the user's client certs. They typically have associated private keys, and are used for client authentication to web sites, the Exchange server, S/MIME, etc. This store can also be inspected via the Control Panel.

CA
This store contains intermediate certs for chaining. It's not currently exposed via UI, and no certificates ship in it by default.

The following are the code execution certificate stores:

Privileged Execution Trust Authorities and
Unprivileged Execution Trust Authorities

These certificate stores are used by the security loader to control code execution. If an executable can be chained up to a cert in either of these stores, it is considered "signed" by the security loader and is assigned a trust level depending on the device security policies. If a binary is Authenticode signed but cannot be chained up to a certificate in these stores, it is considered unsigned by the security loader (and the user will likely see a prompt saying so).

SPC
This store governs cab installation. The cab installer tries to chain the signature on a cab up to a certificate in this store, following rules similar to those described above for other binaries. All code execution certificates in the above two stores should also be in this store. For instance, if the device has the M2M certificates, they will also be in this store for application installation. Certificates in the SPC store contain an additional property which lets the cab installer know what privilege level to use when installing the application.
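As an added illustration (not code from the original post or from Microsoft), the following Python models the store-lookup rules just described: the security loader consults only the two Execution Trust Authorities stores and never ROOT, the one-tier/two-tier policy distinction raised in the comments decides what a signed app gets, and the cab installer reads the privilege property from the matching SPC entry. All store contents, CA names and application names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root

PRIV = "Privileged Execution Trust Authorities"
UNPRIV = "Unprivileged Execution Trust Authorities"

# Constructed device stores; the CA names are sample data, not real M2M CAs.
STORES = {
    "ROOT": {"Sample Public Web Root CA"},   # SSL chain validation only
    PRIV: {"Sample Privileged M2M CA"},
    UNPRIV: {"Sample Unprivileged M2M CA"},
}
# SPC store: subject -> the extra property telling the cab installer which
# privilege level to install with (every code-execution CA is also listed here).
SPC = {"Sample Privileged M2M CA": "privileged",
       "Sample Unprivileged M2M CA": "normal"}
# Constructed certificates: three CAs and three signing (leaf) certs.
SAMPLE_CERTS = {c.subject: c for c in [
    Cert("Sample Privileged M2M CA", "Sample Privileged M2M CA"),
    Cert("Sample Unprivileged M2M CA", "Sample Unprivileged M2M CA"),
    Cert("Sample Public Web Root CA", "Sample Public Web Root CA"),
    Cert("Contoso Mobile App", "Sample Privileged M2M CA"),
    Cert("Fabrikam Utility", "Sample Unprivileged M2M CA"),
    Cert("Northwind Tool", "Sample Public Web Root CA"),  # Authenticode via a ROOT-only CA
]}

def build_chain(leaf, known):
    """Follow issuer links leaf -> root through a dict of known certs by subject."""
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject and chain[-1].issuer in known:
        chain.append(known[chain[-1].issuer])
    return chain

def loader_trust(chain, two_tier):
    """Trust level the security loader assigns; note that ROOT is never consulted."""
    hit = next((s for c in chain for s in (PRIV, UNPRIV) if c.subject in STORES[s]), None)
    if hit is None:
        return "unsigned"     # Authenticode-valid or not, the loader treats it as unsigned
    if not two_tier:
        return "privileged"   # one-tier (Pocket PC): any signed app gets full privilege
    return "privileged" if hit == PRIV else "normal"

def cab_install_level(chain):
    """Privilege the cab installer uses, read from the matching SPC entry's property."""
    return next((SPC[c.subject] for c in chain if c.subject in SPC), None)  # None: unknown publisher
```

The "Northwind Tool" case is the confusion the post warns about: its chain ends in a ROOT store certificate, so SSL would trust it, yet the loader reports it unsigned and the cab installer has no publisher to show.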


The biggest area of confusion I have seen here is regarding the ROOT store - it is absolutely not a code signing store.

Scott

Comments (23)
  1. jwhwang says:

    Hi Scott

    Could you kindly explain the difference and definition of "Privileged Execution Trust Authorities" and "Unprivileged Execution Trust Authorities"? Is there any best practice to apply these two authorities for application signing?

    Thanks!

  2. mattc says:

    Is there a way to query or view the Privileged and Unprivileged Execution Trust Authorities stores on a device to see what certificates are contained in each of those stores?

  3. Alex Kac says:

    One thing I’d like to know is if there is a way to get an unsigned CAB to have the publisher name associated with it. Right now the unsigned CABs say "unknown publisher" and at least I’d like to have our company name associated with it.

  4. roberth says:

    Scott, how do these certificate stores relate to the eas protocol and ssl setting on the iis/exchange microsoft-server-activesync, oma, public, rpc vdir’s?  On single server exchange (fe&be) setups with its own ca server, where an external mail domain (and hence the fqdn) is different than the internal domain, how can one get past the ca common name differences (error 0x80072f06 in wm05)?

  5. scyost says:

    jwhwang: The difference between those two stores is that on a two-tier device (smartphone default), the application will run at a different trust level based on which store it chains to. For PPC there is not really a difference – any signed app will run with the maximum privilege level. More info here: http://blogs.msdn.com/windowsmobile/archive/2005/11/09/491160.aspx

  6. scyost says:

    mattc:

    Yes, but it’s more difficult than I’d like it to be.

    To do it via XML, there is documentation and samples here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/DevGuideSP/html/sp_wce51oricertificatestorecspexamplesozup.asp

    Unfortunately, that typically won’t work over RAPI or on most Smartphones, because of a limitation of our XML system. In most cases, the access control checks don’t differentiate between reads and writes to an entity, so since the certificate stores aren’t writable without a higher privilege level, you can’t query them either. I’d like to make it so you can always query certificate stores and security policies over RAPI but we don’t yet have that.

    Otherwise, if you are writing code on the device, you can use the Cert* APIs to enumerate and examine the certificates. CertOpenStore, CertEnumCertificatesInStore, etc. It’s the same as on the desktop.

    One question for you – what information are you looking for that you want to query the stores? It seems like a lot of people want to query the cert stores as a first troubleshooting step for code signing problems, but I don’t see that as so helpful.

  7. scyost says:

    Alex Kac: Not currently. There’s a little more information about your question on this post: http://blogs.msdn.com/windowsmobile/archive/2005/12/17/security_model_faq.aspx

  8. scyost says:

    Roberth: The ROOT and CA stores are the ones used for verifying chains for EAS. But if your URL doesn’t match the host name on the cert then we won’t ever trust it for a SSL sync connection. Server configuration isn’t my area of expertise but I’d guess you would need a cert for your internal URL and one for the external as well.

  9. Vasu says:

    Also, is there any documentation to clarify if the certificate stores (ROOT and USER) are automatically cold boot/battery drain persistent?

  10. scyost says:

    Vasu, I’m not sure what you mean. If the device gets reset via cold boot, everything returns to factory settings. No certs that were added at runtime to any store will persist. There are some certs that come preinstalled in the ROM – those will still be there.

  11. dang says:

    Hi scyost,

    Like matt, I’m interested in running a query on the stores to determine if the device supports M2M certs in the priv or unpriv store.

    Currently, we are working on acquiring a priv M2M cert as we need it for some/most carriers, but it would be nice to be able to do a quick query of other devices as well….

    Thanks,

    dang

  12. scyost says:

    The Device Security Manager is the best tool for that purpose – it has friendly names for most of the well-known certificates so it’s very easy to see if the M2M certs are on the device.

    http://blogs.msdn.com/windowsmobile/archive/2006/06/22/643027.aspx

  13. Samuel says:

    Hi All,

    I have a situation whereby I use my own CA root cert as well as a code signing cert to sign my provisioning cab. Based on the readings in this blog, I came to know that I need to store my root cert in the SPC store (please correct me if I’m wrong) in order to authenticate my signed cab (signed using the code signing cert).

    Is it possible to install the root cert into the SPC store without the operator permission? Is the only way to get the provisioning cab running by getting the provisioning cab signed by M2M?

  14. Morten Knudsen says:

    We have got a Thawte code-signing certificate, and have signed a CAB-file for a Windows Mobile 5 device with the certificate, but apparently I need to install the Thawte Code-Signing CA certificate into the SPC store – and NOT the root-store, but how do I do this? Our problem is, that now we get a prompt when trying to install the CAB file (unknown publisher).

    Is it possible to accomplish this by a command line util on Windows Mobile 5? I’m doing a large project, where I need to do this on thousands of devices automatically, but the devices have already been delivered to the customer.

  15. Manohar says:

    Can anybody tell me the path where the certificates will be stored physically?

    Thx in advance

  16. Emilio says:

    Hi! Excellent topic. Very good explanations.

    I have a question now.

    This is my scene: first I created a provisioning xml to add a new ROOT certificate to my smartphone.

    Then I configured a Tomcat server to use SSL with the same certificate.

    Everything works perfectly (I can navigate the website from my device), but, although I can see the certificate is in the root store (through the “Settings” icon, then security, certificates, and finally, root) the first time I access the web site with my smartphone I get a message prompting me to allow the connection. Why is this happening? A URL name problem with the certificate perhaps? I would like it to be transparent for the user, I mean, if the certificate is there, don’t prompt!

    Thanks in advance!

  17. scyost says:

    Hi Emilio – it could definitely be a problem with the url name – the server name has to match the subject name in the cert for the connection to succeed in most cases.

  18. Emilio says:

    Hi Scyost, yes you are right, it is a problem with the URL name. I did some coding in C and when I tried to use the function HttpOpenRequest it was unsuccessful until I passed the flag INTERNET_FLAG_IGNORE_CERT_CN_INVALID and then it worked. The flag is used when you need to ignore the mismatching of the certificate name. I guess the problem will be gone when I change the certificate I’m currently using to one with the subject equal to the server name.

    Good Bye!

  19. david scott says:

    Are you able to shed some light on how the client certificates are stored?

    I’m proposing two-factor authentication for WM5 and Exchange based on certs. The solution depends largely on how tamper resistant the MY store is, not just from within WM5 but from offline attack, i.e. someone removing the memory and decoding it.

    Thanks for a great website.

  20. scyost says:

    I’d suggest you go the smartcard route to protect the client keys. The keys are encrypted when they’re persisted to the registry using CryptProtectData, but the master keys for that API are in the filesystem of the device, so it’s not resistant to offline attack.

  21. selvaraj says:

    I have a very basic question. How can I create my own root certificate?

    Thanks in advance.

  22. Emilio says:

    Hi Scyost, I have a new question and I’m afraid it isn’t related to the Certificates Stores, but as in the previous occasion it was very helpful to me the information you posted, I’m confident you could help me again. Here is my question (now about the UI): Regarding the personalization of the menu entries in the contacts/dialer screens, is there any way to take the “beam” menu out from the user interface? Thank you in advance, best regards. Emilio

  23. Dan says:

    This is not strictly a Windows Mobile question but perhaps somebody here can help me. I am trying to write a Java program and I don’t think the (Java Application Loader) code responsible for certificate authentication checks the Privileged Execution Trust Authorities and Unprivileged Execution Trust Authorities stores. I think it is looking somewhere else. Does anyone know if this is correct, and if so, where would it be looking?
