Certificate Improvements in Windows Mobile 6


As faithful blog readers already know, there were several limitations related to certificates that caused tons of customer pain on WM5. Now that WM6 is public, it gives me great pleasure to announce the following changes that we made in WM6:



  • Certificate Installer built into the platform

    • Installs CER, P7B, and PFX files

    • No more Access Denied messages.

    • Installs certs to the ROOT, Intermediate, and MY store

  • Wildcard Certificate support for SSL



Thanks for all your input and feedback on these issues. Several of the work items and design decisions involved in this were shaped or prioritized directly due to your feedback.




Some other minor tidbits:



  • The Intermediate ("CA") store shows up in the control panel now

  • Even more root certs installed by default

  • Delete will work from the control panel on any user-installed certs

Technical crunchy bits:


We added HKCU versions of the ROOT and CA stores where previously there was only the HKLM version. These stores don't require special trust to access: they can be reached from unsigned code, RAPI, or any other method. The new certificate installer (CertInstaller.exe) installs certs into those stores.




Scott

Comments (63)

  1. Jason K. says:

    Please Help!

    I’ve been trying to determine whether I should even upgrade my iPAQ to WM 5.0, and now I feel even more confused when I see your reference to WM 6.  I have visited the Windows Mobile portion of Microsoft’s website many times looking to get basic questions answered and can never find the information I need.  As a basic user of an iPAQ hx2415 running 2003 SE I feel like Microsoft has just decided to ignore users of the "old" OS as there is almost no information for basic users who want to understand their options for upgrading to WM 5.0.  

    I understand that whether a user can upgrade depends upon the individual device and whether the device manufacturer provides an upgrade.  I visited HP’s website and they do sell an upgrade for my exact device model number, however when you go to purchase the upgrade HP gives the following warning:

    "Many HP iPAQ users have reported performance issues after upgrading their devices to Windows Mobile 5.0.  Please read Microsoft’s detailed explanation by clicking here: http://blogs.msdn.com/windowsmobile/archive/2006/03/16/552996.aspx".  HP’s own website does not make any mention of the specific models for which problems have been reported.

    So I followed the link to view Microsoft’s "detailed explanation" and I find a blog entry by Mike Calligaro ("What’s a compaction thread?", March 2006) that explains the technical reason for the performance issues some users have experienced after upgrading.  Even though my technical understanding is very limited I did read the entire posting and understood the information well.  But the explanation of why the problem occurs did not solve my problem of needing to know whether my specific device was one of the devices affected.

    Mike Calligaro states in his March, 2006 posting, "To be clear, we’ve only heard reports of this happening on two upgrade devices, and not on any of the devices designed specifically for WM5".

    Okay, so what are the two upgrade devices to which he’s referring???  I have checked the responses from people within the March thread and only one user specifically refers to having had a problem with the exact device model that I own (May 19 by John Curry).  In his response he simply asks if there is any way he can buy a copy of 2003 SE to reinstall on his device because the upgrade caused performance problems.  He says Microsoft and HP do not sell copies of 2003 for re-installation and goes so far as to say he would pay for a copy.  ***No one responded to his question from what I can tell.

    Can you please tell me the specific devices for which Microsoft acknowledges reported problems?  Are there really only two?  I have also done some general searching on the net and found a few references here and there from individual users but no official consensus.  If you do not have that information where do I go to find out the information?  Or, do you know if the cause of the problems has in fact been fixed?  

    Just as importantly, why doesn’t Microsoft or HP appear to sell copies of 2003 SE that would allow people to reinstall if 5.0 doesn’t work well (not that users should have to repay for software they already bought).  This just doesn’t make any sense.

    HP basically is telling people in their upgrade "warning" to refer to Microsoft about problems their products have encountered with the upgrade.  And the place to which they have directed their customers – this blog – doesn’t seem to provide any answers.  And as I stated at the beginning, Microsoft is basically mute on the Windows Mobile product website.  It’s almost like being made to go in circles.

    And finally, what the heck is Windows Mobile 6?  Interestingly, when I’ve visited the Mobile product website over the last few weeks I saw reference to 5.0 all over the site.  Now when I visit the site I don’t see a reference to any version number, neither 5.0 nor 6.  The only page I could find that makes reference to the number (version) 6 refers to ‘Windows Mobile Device Center 6 for Windows Vista’.  So is there an actual OS version 6.0 now, or are you referring to something else?

    Things just seem to get more and more ambiguous on the Mobile products site.  It really is very disheartening, especially when it doesn’t have to be that way.

  2. Allen says:

    Hey Jason,

    I have an HP iPaq 4700hx and while some performance issues were introduced after upgrading to WM5, they are nominal for the most part.  Additionally, the OS can be rolled back to 2003 SE whenever you like by running the WM5 upgrade installer. I personally feel that the periodic stalls in device responsiveness are worth the benefits provided by upgrading, especially the persistent storage, but this should be a decision you make yourself. As for the WM5 vs 6 issue, I believe the OS upgrade has to be offered by your OEM and with your device, it is unlikely HP will ever offer an upgrade to WM6 as generally the device is designed for one OS (possibly upgradeable once, as in this case). Unfortunately I can’t offer answers to your other questions nor can I offer device-specific experience as I don’t own that particular model, but I would suggest posting in the forums to see if anyone else is in the same situation.

  3. I’m still not allowed to say much about Windows Mobile 6 until next week, other than it exists, it’s

  4. Bill Blanke says:

    From what I can tell, WM6 runs on top of the same CE5 core as WM5, which means a device that can be upgraded to WM5 should be able to take WM6, no? It is mainly just changes to the apps and shell?

    Now when WMx runs on top of the CE6 core, then I can see older devices having issues with upgrading.

    BTW why the version # confusion between CE and WM?

  5. I've just bought a new WM5 device for personal use and ops – Windows Mobile 6 was announced So what's

  6. Rich says:

    Will developers be able to use the same toolset for WM6?  I just invested in VS 2005 for WM5 development.

  7. scyost says:

    Hang on a little bit longer for the full launch of WM6 to get underway. Not everything has been rolled out publicly yet, like the web page, etc.

  8. Vasu says:

    Thank goodness, now I can finally utilize whatever is left of my PKI to do some kind of mobile device/user authentication using certs.

    Wondering if you can elaborate on any auto enrollment features or is that still SDK or generate manually?

    –Vasu

  9. Vasu says:

    Also, Scott, Please tell me CertInstaller.exe is not a UI only program and can be called from the command line with appropriate parameters to install a cert that exists on the mobile device in some form

  10. scyost says:

    Yes, the app can be called from the command line if you so desire. That is a supported scenario. The parameters should be documented in the SDK when it ships.

  11. James Pratt [MSFT] says:

    Folks

    Yes, you can use Visual Studio 2005 to develop for Windows Mobile 6 so your investment in tools is safe!  Tune in to the blog and the Windows Mobile Dev Center (http://msdn.microsoft.com/windowsmobile) on Monday to learn more about Windows Mobile 6 development.

    James

  12. Congratulations on finally improving the certificate support. Nice to see that Microsoft responds once there is a third-party alternative. Some questions remain, though.

    – When will WM6 emulator images be available?

    – How about documentation for the web-based certificate enrollers in WM5+ and ActiveSync 4.5? Currently the web enrollment process is brittle. I don’t think that anyone got it to work, or at least I have not seen any success reports on the web.

    – Does L2TP/IPsec use the HKCU versions of the ROOT and CA stores? If it doesn’t then L2TP/IPsec won’t be much of an option, especially on fully locked-down Smartphones. I’ve always found it odd that on desktop Windows you need Administrator privileges to install a ‘machine’ certificate for what is essentially a roadwarrior (=personal) type of VPN.

  13. Eti says:

    I also upgraded to wm5 on an iPaq 2410, what a disaster. I now have less than 1MB free for storage, while the os says 35MB free for running programs.

    Any suggestions on how to free up more space

  14. Daivys says:

    Can I upgrade my WM5 Pocket PC to WM6? If so, how?

  15. Ryan says:

    This is great news, I am using S/MIME on my windows mobile 5 device now. Any word on the "disappearing personal cert" problem? Right not when my device loses power the personal certificate is wiped.

  16. Don Price says:

    I own an HP IPAQ 6925 running WM5.  I upgraded to Vista and since have not been able to get Windows Mobile Device Center to recognize the IPAQ more than once.  I get continual warnings saying it has been stopped due to conflict, and that it is not working right, and then when it says to find a solution nothing happens.  I need to get the IPAQ and computer talking again; can someone help?

  17. Glenn says:

    Can you tell me how to run CertInstaller.exe from the command line on Windows Mobile 6 Smartphone where no command line is available? I’m sure this is such an obvious issue that you’ve addressed it somewhere but I can’t seem to find documentation supporting how to do this?

  18. scyost says:

    Hi Glenn,

    I think that documentation is not live yet. The basic syntax is "certinstaller.exe [-p Password] [-silent] <filename>". The most common way to call it over the command line is probably either via CreateProcess or via rapistart across the sync connection. For normal day-to-day use there is a shellexecute handler, so you can just action on a cer/pfx from the file explorer to install it.

    Scott

  19. Michelle Coyle says:

    I am using WM6 now and am importing user certs with the new cert installer tool. I have been scripting this process using the CE Device Command Shell (to the emulator) to run the tool. I had been very hopeful about the silent import feature. Unfortunately, when I use the ‘-silent’ option the certificate fails to import with no errors (of course, because it is silent). If I don’t use silent everything is fine. Anyone else see this?

  20. scyost says:

    Hi Michelle,

    I’m interested to know what’s going wrong for you.

    If you check the exit code of the process you can get a clue as to what’s going on. I’m not sure if the command shell you’re using can do that – in the worst case you can write an app that calls CreateProcess and find the exit code that way.  One reason this might fail is if you’re adding a root certificate and it prompts for installation – if the prompt is never accepted then it will time out and the install will fail. If you need to script an install like that, use a signed cab file instead with wceload /silent. If you install it that way, there won’t be a prompt to install the certificate.

    Scott

  21. Anthony says:

    I upgraded to WM6 and cannot post on the Microsoft Xbox forums now. When I had version 5 this worked fine.

  22. Allan Kawakami says:

    I am currently using a Treo 750 using WM5 and cannot ActiveSync back to our company's server.  Our company uses wildcard certificates, which WM5 does not support.  I noticed that in WM6 there are 3 tabs under certificates.  Will I need to install the certificate into a specific area (tab) in certificates in order to get WM6 to ActiveSync with Exchange w/o errors?

  23. scyost says:

    Hi Allan,

    The certificate installer tries to figure out which store the certificate should go into. If you install the certificates for your server, it should put them into the right place.

  24. Ken P says:

    I just got a T-Mobile wing yesterday with WM6.  I have yet to figure out a way to install our "company root certificate" in the root store of the device.  The T-Mobile manual of course is no help.

    I tried copying the .cer file over to the device using the active sync program, but when I click on the cert to install it, it says there is no program associated with the extension.   Any ideas?   Or, do you think like I do, that TMO has removed the capability from the device?

  25. scyost says:

    Ken, your comments worry me. Let me try and dig up a Wing device and investigate.

  26. scyost says:

    Hey Ken,

    I couldn’t reproduce your problem on a Wing internally. Can you check this registry key and see if it is set correctly?

    [HKEY_CLASSES_ROOT\certificate\Shell\Open\Command]

    @="CertInstaller.exe \"%1\""

    Feel free to mail me through the contact form if you want to discuss further.

  27. Robert says:

    Following the WM6 upgrade, my T-Mobile DASH resets the home screen from the (preferred) setting of Windows Default to the T-Mobile Default following a soft reset.  I don’t recall WM5 ever doing this.  Is there a way to stop this?  Perhaps a registry modification?  Are others experiencing this?  Thanks in advance, Robert.

  28. willem van kesteren says:

    I got my htc s710 today and tried configuring Active sync with exchange 2003.

    I installed both the root cert for my CA and the OWA cert for the SSL site, which is working perfectly with RPC over HTTP, so the certificates are OK.

    Too bad too bad, got the error that my servercertificate is invalid.

    Did i export in the wrong format? Can someone explain every step for both Root cert and webmail cert?

    I think it is still not working with wm6

  29. Chris Leiter says:

    I just started playing with the S/MIME features in Windows Mobile 6, and after installing my user certificate from my Windows Server 2003 CA, I can see that the certificate hierarchy has been correctly installed; but I can’t digitally sign or decrypt messages.

    When I look at the certificate properties, it ONLY shows Client Authentication as the intended purpose; whereas the same certificate on my Vista machine displays Secure Email and EFS as the other "intended purposes."

    This is on a T-Mobile Dash

  30. PocketPC 6800 says:

    Trying to gain access to a company work website that runs on Java, but every time I try to access it, it goes nowhere. Other company web pages are available that use the same certificate, so I don't understand. Can I download this cert?

    Does windows mob 6 look for the cert automatically like it does with regular desk top versions of windows?

  31. James says:

    Does WM6 support client certificate authentication through a web service?  All windows based -CA, IIS, .asmx, etc.  Is the inability to use client certs really a .net compact framework issue that will not be fixed with WM6?  

  32. Dave Field says:

    James, Windows CE/Mobile wininet does support cert-based auth.  However, you do have to provide some code to configure the client cert to be used for authentication (if there are multiple certs in the MY cert store).  For instance, the cert-based auth feature for Exchange ActiveSync will loop through the certs in the store until it finds one that works or has tried all of them.  Authenticating a web service call (.asmx) does not have to require any special authentication if you just use SSL.  However, I’d be interested to hear more about WM support for WCF, Web Services cert auth.  It looks like .NET CF 3.5 will support this, but I’m not sure what you get with the native OS.

  33. Jeffrey Barnett says:

    I just got a new WM6 device and ran into a "root certificate not provided" error.  I’m guessing that what I need to do is install one, and according to the subject of the thread I can use "the Certificate Installer" to do that.  But nothing in the thread, or in my local "help" file describes *HOW*.  Is there a place where this is documented???

  34. scyost says:

    You need to get the certificate in CER format. One way to do that is by browsing to the site you’re trying to connect to via desktop IE and clicking through the lock icon, then saving the certificate from there. There are some screenshots of that approach here: http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx

    You can skip the parts about XML. On WM6 you can just copy the CER to the device and then open it on the device via the file explorer.

  35. Jeffrey Barnett says:

    Thanks Scott, BUT:

    The end of the post says

    "Now install the cab file on the device. You’re done!"

    With NO DESCRIPTION of how to do that.

  36. scyost says:

    In your case on WM6, you don’t need to muck with XML or make a cab. once you’ve saved the CER file to your desktop, you can connect the device to activesync and drag the CER file from your desktop to the device. Open up File Explorer on the device, browse to where you dropped the file, and click/action on it. That should start up the certificate installer and install your cert.

  37. Janak says:

    I have an application which uses .Net CF 1.0.

    It establishes an SSL connection to a server. My root provider is already in the trusted list on the WM6 Emulator. But when my application tries to establish a connection I get the Untrusted Root Cert error. Any clues will be appreciated. This is only happening on WM6. It works fine on WM5.

  38. Stephen says:

    Does anyone know if there is an equivalent registry key in WM6 to the one in WM5 "secure=0" to prevent checking of the certificate? Long story, but the certificate name doesn’t match the server name. This will change shortly. But for testing I need to sync as it is now. I won’t be using this in a production environment.

  39. scyost says:

    No, there’s not.

  40. Hi, I have imported a cert into my device. It has been placed into the intermediate section and not the root section. OMA works fine. You have commented before that WM6 looks at the certs to see if they are valid. Does it look only at the root?

  41. scyost says:

    It doesn’t look only at the root, but a root is required to make a successful SSL connection.

  42. HTC_Owner says:

    I just got the HTC 6800 from Sprint running Windows Mobile 6. I can not move, delete or even rename any of my files. I can only create. Does anyone know what’s going on. Please help! (my email is leapa777@yahoo.com)

  43. o2_owner says:

    I've got a WM 6 device from O2 (HTC) and now I have the problem that I would like to connect through DynDNS to my SBS Exchange server. That means my personal cert on the Exchange server is different to the DynDNS name. In WM 5 I’ve used "HKCU\Software\Microsoft\Airsync\Connection\Secure=0" but this does not work with WM 6.

    Is there an other way?

  44. Jason says:

    Scott,

    I have a situation whereby my company use smartcard(Cert) to logon desktop. No password is available. Could you recommend a way to automatically enroll for personal cert by using logon credential and without using any password ?

    Thanks!!

  45. Niklas says:

    Ok. There is a lot of importing certificates, but how do I export it so I can import it on my new device?

    I need to move from one WM5 to another WM5 device. Everything is set up on the new WM5 device and I use that. The only thing that I need from the old device is the certificate. I haven’t found any backup utility for certificates yet. Is there some way to do this, or third-party programs?

  46. SteveC says:

    OS2 guy, I used to do the same thing.  Did you find a way to get it to work on WM6?

  47. Melissa says:

    "I just got a T-Mobile wing yesterday with WM6.  I have yet to figure out a way to install our "company root certificate" in the root store of the device.  The T-Mobile manual of course is no help."

    I am experiencing a similar issue – I have the ‘company cert’ installed and it’s found under intermediate, however when I go to synch, I get an error that says "The security certificate on the server is not valid." I’m unsure if this is an issue related to T.Mo’s Shadow reading the cert? I don’t know how it can say cert on the server is not valid when it came from there. Sys admin assures me it is the correct cert.

  48. scyost says:

    @Melissa:

    It sounds like your admin gave you the intermediate cert when you really need to install the root cert. If your server is configured right then you won’t need the intermediate cert at all. Instructions here: http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making-a-root-cert-cab-file.aspx will show you how to connect to your server and save the root cert so you can install it on the device. You install the root in the same way that you’ve been installing the intermediate.
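The two checks behind the errors traded back and forth in this thread (a chain that stops at an intermediate because no ROOT-store cert was installed, as in comments 41 and 48, and a server name that does not match the cert, as in comments 38 and 43, including the wildcard matching WM6 added) as an added example; this is constructed illustration code, not the post's or Microsoft's, and the cert records and the Contoso names are stand-ins for real X.509 data.

```python
"""Model of the two checks behind the SSL errors in this thread: trust-chain
building (a self-signed CA in the ROOT store is required; an intermediate alone
fails) and host-name matching with wildcard support.  Cert records below are
constructed plain data, not real X.509 certificates."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str                        # e.g. "CN=mail.contoso.com" (constructed)
    issuer: str
    is_ca: bool = False
    dns_names: Tuple[str, ...] = ()     # subjectAltName entries; CN is used if empty

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Wildcard rules: '*' only as the entire leftmost label, it matches exactly
    one label, and at least two fixed labels must follow ('*.com' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def build_chain(leaf: Cert, roots: Iterable[Cert], intermediates: Iterable[Cert],
                max_depth: int = 8) -> Optional[List[Cert]]:
    """Follow issuer links upward; succeed only when a self-signed CA from the
    ROOT store is reached.  Intermediates (CA store, or sent by the server) are
    stepping stones only, never an end point."""
    root_by_subject: Dict[str, Cert] = {c.subject: c for c in roots
                                        if c.is_ca and c.self_signed}
    inter_by_subject: Dict[str, Cert] = {c.subject: c for c in intermediates if c.is_ca}
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        if current.issuer in root_by_subject:
            return chain + [root_by_subject[current.issuer]]
        nxt = inter_by_subject.get(current.issuer)
        if nxt is None or nxt in chain:         # gap in the chain, or a loop
            return None
        chain.append(nxt)
        current = nxt
    return None


def verify_server(leaf: Cert, hostname: str, roots: Iterable[Cert],
                  intermediates: Iterable[Cert] = ()) -> List[str]:
    """Return the problems the device would report; an empty list means accept."""
    problems = []
    if build_chain(leaf, roots, intermediates) is None:
        problems.append("root certificate not provided")
    cn = leaf.subject[3:] if leaf.subject.startswith("CN=") else leaf.subject
    names = leaf.dns_names or (cn,)
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("certificate name does not match server name")
    return problems


# Constructed sample PKI: root -> issuing CA -> wildcard server cert.
ROOT = Cert("CN=Contoso Root CA", "CN=Contoso Root CA", is_ca=True)
ISSUING = Cert("CN=Contoso Issuing CA", "CN=Contoso Root CA", is_ca=True)
SERVER = Cert("CN=*.contoso.com", "CN=Contoso Issuing CA", dns_names=("*.contoso.com",))


if __name__ == "__main__":
    # Only the intermediate installed: chain never reaches a ROOT-store cert.
    print(verify_server(SERVER, "mail.contoso.com", roots=[ISSUING], intermediates=[ISSUING]))
    # Root installed and the server sends its intermediate: accepted.
    print(verify_server(SERVER, "mail.contoso.com", roots=[ROOT], intermediates=[ISSUING]))
    # Same cert reached through a DynDNS name: name mismatch, chain is fine.
    print(verify_server(SERVER, "mail.dyndns.org", roots=[ROOT], intermediates=[ISSUING]))
```

The third case is the one a "Secure=0" style switch would have hidden on WM5; with the name check in place the fix is a cert whose name covers the hostname the device actually connects to.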

  49. cwmobile says:

    We have a mobile application that uses the .NET compact frameworks on Windows Mobile 6.0.  However it appears that wildcard certificates are only supported on applications written natively to the OS.  We cannot get wildcard certificates to work on applications using the .NET compact framework.

  50. Jimbo Wilson says:

    Server:  W2K3 SP2 Standard (not R2)

    Desktop:  XP SP2

    ActiveSync:  4.5.0 (Build 5096)

    Device:  HTC 6800 running WM6

    Successfully added self-signed cert from certsrv on the server as seen elsewhere on the web.

    Somewhere else on the net, I saw that AS Tools/Advanced Tools/Get Device Certificate should work.  Though it wasn’t specific as to certificate type, it did say to choose Active Directory (and I don’t have any reference on doing a Device selection).  So, I have tried User, Exchange User, ClientAuth and several others.

    In each case, AS reports "The certificate enrollment cannot be completed because of a certificate server problem".

    The ‘problem’ according to the server App log is:

    Certificate Services denied request 58 because The request subject name is invalid or too long. 0x80094001 (-2146877439).  The request was for CN="".  Additional information: Error Constructing or Publishing Certificate

    The CN is empty!  Is there some place in WM6 that AS seeks the CN that I need to fill in?

    Does this process require an Enterprise version of W2K3?

    I can’t find anything about this anywhere.

  51. Samo says:

    Has anyone successfully disabled cert. checking on WM6?

  52. Roald says:

    I have an HTC 710 running WM6. I’ve installed our company's ROOT CA through the cer and cab methods. Browsing to OWA works through SSL; however, ActiveSync keeps throwing 0x80072F7D.

    Any tips?

  53. robertq says:

    I have an HP iPAQ 510 Voice Messenger… I cannot run some applications because it does not have a certificate… can someone help me?

  54. Ryan says:

    Can someone PLEASE tell me how I can specifically install a root cert on a Windows Mobile 6 device? The cert(s) that we had used for Windows Mobile 5 devices worked fine…but now trying to get those certs onto WM6 is not working…This is related to Citrix Web Interface – going through a Secure Gateway

    please e-mail me at ryan_e_sherman@hotmail.com

    THanks!

  55. Kenny says:

    I’ve been trying to install a root cert on a Windows Mobile 6 device for days but to no avail. The cert that I imported can only be installed to the personal tab but not to the root store; can anyone tell me how? I’ve tried using SPAddCert.exe and Addrootcert.exe, but whenever I try using them the following error will appear: "The file ‘AddRootCert’ cannot be opened. Either it is not signed with a trusted certificate, or one of its components cannot be found. If the problem persists, try installing or restoring this file". Can anyone tell me what's wrong with it, and what I can do to install the root cert? Thank you

  56. Nev says:

    I was playing around with the P12 import capability on a WM6 emulator and managed to import the private key and certificate chain. I was surprised that I wasn’t asked to specify a passphrase or PIN when subsequently accessing the private key on the device like you can on standard Windows desktop with High Security protection of the key.

    It seems a little pointless to use S/MIME encrypted messaging for mobile devices if anyone who has possession of the device can decrypt sensitive messages.

    Did I miss something?

    Is there a way to better protect software private keys installed on Windows Mobile devices??

  57. scyost says:

    @Nev, no, we don’t have a private key protection feature right now. I suspect there probably are third parties that offer an add-on for that sort of thing. If I were planning this for enterprise, I’d depend on the PIN enforcement and remote wipe that you can do with Exchange to protect the user’s mail certs.

  58. Joe says:

    Is there any way to disable certificate verification on WM 6.1?  The Exchange certificate at our business is expired and my Moto Q9c will not connect to the server now.  Our IT dept is not in any hurry to renew the certificate.

  59. Bill says:

    I am new to windows mobile and have an exchange server with an internal cert: How in the world do I simply import the cert to this device?  It should not be so difficult.  I am missing something?

  60. wosully says:

    I am trying to simply add a certificate from my exchange server to the mobile 6 device and this is SOOOO frustrating. How in the world can I do this to connect to exchange? The documentation is lacking to say the least.  

  61. SpokaneDJ says:

    To import a Cert, first go to your OWA site like https://exchange.mysite.com/owa using IE.  When you get the login page, select view, Security Report.  On the little pop-up windows, select View Certificates. Go to the Certificate Path page.  You should see a copy certs, whereas the last is the actual page you are on.  

    For each cert ABOVE the page cert, click on the cert,and select view certificate. On the details page, select copy to a file, use the DER format, pick a file and save it. Repeat for other certs (ie, you have an intermediate cert).

    Copy that file(s) to your phone (I put it on my storage card so when I change phones or upgrade it's easily accessible).  On your phone, double-click the file(s) from File Explorer.  It will ask to install the cert and you're done.  

    You can doublecheck the cert(s) from settings, system, certificates on your phone.

  62. wosully says:

    Thank you, that was simple once I read correct and exact instructions!  You have saved me a ton of time!

    Thanks!

  63. Kevin says:

    I am having a problem connecting to our secure network via wifi.  The network requires a certificate.  I have downloaded it to the phone but it asks for my user name, password, and domain.  My IT department says that I cannot use Windows Mobile to connect to the network with a certificate because it is WPA-Enterprise TKIP.  My gut is saying that they are wrong and that they are just not interested in researching issues related to mobile devices.  Can anyone help me with this?
