Installing digital certificates

June 25, 2014

Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services.

Certificates in Windows Phone 8.1

Certificates in Windows Phone 8 are primarily used in the following scenarios:

  1. To create a secure channel using Secure Sockets Layer (SSL) between a phone and a web server or service.

  2. To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email.

  3. For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site).

Installing certificates via Internet Explorer

A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows Phone 8.1 device.

Installing certificates via email

The Windoiws Phone 8.1 certificate installer supports .cer, .p7b, .pem, and .pfx files. To install certificates via email, make sure your mail filters do not block .cer files. Certificates that are sent via email appear as message attachments. When a certificate is received, a user can tap to review the contents and then tap to install the certificate. Typically, when an identity certificate is installed, the user is prompted for the password (or passphrase) that protects it.

Installing certificates via mobile device management (MDM)

Windows Phone supports root, CA, and client certificate to be configured via MDM. Using MDM an administrator can directly add, delete, or query root and CA certificates, and configure the device to enroll a client certificate with a certificate enrollment server that supports Simple Certificate Enrollment Protocol (SCEP). SCEP enrolled client certificates are used by Wi-Fi, VPN, email, and browser for certificate based client authentication. An MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.

Process of installing certificates via mobile device management

  1. The MDM server generates the initial cert enroll request including challenge password, SCEP server URL, and other enrollment related parameters.

  2. The policy is converted to the OMA DM request and sent to the device.

  3. The trusted CA certificate is installed directly during MDM request.

  4. The device accepts certificate enrollment request.

  5. The device generates private/public key pair.

  6. The device connects to Internet facing point exposed by MDM server.

  7. MDM server creates a certificate that is signed with proper CA certificate and returns it to device.

    Important note

    The device supports the pending function to allow server side to do additional verification before issuing the cert. In this case, a pending status is sent back to the device. The device will periodically contact the server, based on preconfigured retry count and retry period parameters. Retrying ends when either:

    • A certificate is successfully received from the server

    • The server returns an error

    • The number of retries reaches the preconfigured limit

  8. The cert is installed in the device. Browser, Wi-Fi, VPN, Email, and other first party applications have access to this certificate.

    Security note

    If MDM requested private key being stored in Trusted Process Module (TPM) (configured during enrollment request), the private key will be saved in TPM. Note that SCEP enrolled cert protected by TPM isn’t guarded by a PIN.

Certificates and Windows Phone apps

Windows Phone applications are signed with certificates that are unique to the application and that establish a license for the application. Only signed applications are allowed to run on Windows Phone 8.1.

The only sources of apps for Windows Phone 8 are the Windows Phone Store (windowsphone.com/store) and company sites that offer line-of-business apps that are signed with enterprise certificates. A company can sign and distribute its own apps by acquiring an enterprise certificate from Symantec, following the procedures outlined in Company app distribution for Windows Phone.

Applications and games can be submitted for availability in the Windows Phone Store through the Windows Phone Dev Center. All submissions are reviewed for compliance with Store policies. Approved applications and games are signed with VeriSign certificates.

Certificates and SSL

Organizations might prefer to establish connections between devices and a Microsoft Exchange Server through reverse proxy communications that use SSL to securely encrypt the traffic. For more information about digital certificates, SSL, and reverse proxies, see Digital Certificates and Proxying in Understanding Digital Certificates and SSL.

Certificates and user authentication

Basic authentication

Basic authentication is the simplest method of authentication: the server requests that the client submit a user name and password, which are sent in plaintext over the network. The server verifies that the supplied user name and password are valid and grants the client access to the server.

Basic authentication is enabled by default for EAS. However, we recommend that you disable Basic authentication unless you also deploy SSL. When using Basic authentication over SSL, the user name and password are still sent in plaintext, but the communication channel is encrypted.

Certificate-based authentication

Certificate-based authentication uses digital certificates to verify identities. This approach uses another form of credentials, in addition to the user name and password, to prove the identity of the user who is trying to access the protected resources.

In a certificate-based authentication scenario, the device has a valid client certificate that was created for user authentication. In addition, the device has a trusted root certificate for the server to which it establishes an SSL connection. Deploying certificate-based authentication prevents users who have only a user name and password from synchronizing with Exchange.

Installing certificates via mobile device management (MDM)

Windows Phone supports root, CA, and client certificate to be configured via MDM. Using MDM an administrator can directly add, delete, or query root and CA certificates, and configure the device to enroll a client certificate with a certificate enrollment server that supports Simple Certificate Enrollment Protocol (SCEP). SCEP enrolled client certificates are used by Wi-Fi, VPN, email, and browser for certificate based client authentication. An MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.