Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device

6/2/2010

To add a certificate to the Root store of a Windows Mobile-based device, you must have Manager permission on the device or the ability to run trusted code. The application security settings on your device determine whether you can add a root certificate. However, some devices are configured so that you receive a prompt when you attempt to install a .cab file. In that case, you can follow the procedure below to add a certificate to the Root store of your Windows Mobile-based device.

The following list shows the trusted certificate authorities whose root certificates are included with Windows Mobile 5.0-based devices:

  • Verisign
  • GTE Cyber Trust
  • Equifax
  • Entrust
  • GlobalSign
  • Thawte

It is highly recommended that you install a certificate that is issued by one of the trusted certificate authorities on this list, or a certificate that chains to one of the trusted certificate authorities.

To determine which certificates are included with your Windows Mobile-based device, check the Root certificate stores.

  • For a typical Windows Mobile-based Pocket PC, go to Start > Settings > System > Certificates > Root.
  • For a typical Windows Mobile-based Smartphone, go to Start > Settings > Security > Certificates > Root.

Creating the Provisioning XML to Install a Certificate to the Root Store

The provisioning code carries the certificate hash and instructions for placing it in the root store of a mobile device.

To create the provisioning code that is necessary for adding a certificate to the root store of a Windows Mobile-based device

  1. Create an XML file, and add the following text.
<wap-provisioningdoc>
   <characteristic type="CertificateStore">
     <characteristic type="ROOT">
       <characteristic type="<certhash>">
          <parm name="EncodedCertificate" value="<base64encodedcert>"/>
       </characteristic>
     </characteristic>
   </characteristic>
</wap-provisioningdoc>
  2. In Windows Explorer, double-click the root certificate that you need.
  3. Choose the Details tab.
  4. Choose Thumbprint in the Field list box.
  5. Select the text in the box that is below the list box, and then press CTRL+C.
  6. In the XML code, replace <certhash> with the copied text.
  7. In the thumbprint text in the XML code, delete the white spaces.
  8. In the Certificate dialog box, choose OK to close the dialog box.
  9. In Windows Explorer, open the exported root certificate by using a text editor.
  10. Delete the lines with BEGIN CERTIFICATE and END CERTIFICATE.
  11. Remove the line breaks from the remaining text. This text is the base64-encoded contents of the root certificate.
  12. Select the text, and then press CTRL+C.
  13. In the XML code, replace <base64encodedcert> with the copied text. The completed provisioning XML document will appear as shown in the following example.
<wap-provisioningdoc>
   <characteristic type="CertificateStore">
      <characteristic type="ROOT">
         <characteristic type="{hash of certificate}">
            <parm name="EncodedCertificate" value="{base64-encoded certificate}"/>
         </characteristic>
      </characteristic>
   </characteristic>
</wap-provisioningdoc>
  14. Save the XML document as an ASCII file named _setup.xml.

Note

You must name the file _setup.xml, because that is the name that the loader will recognize.
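The thumbprint-and-encode steps above, as an added worked example that is not part of the original appendix: a Python script that carries out steps 3 to 13 on a PEM-exported certificate and checks the finished _setup.xml before it is packaged. It assumes the Thumbprint field shows the SHA-1 of the DER-encoded certificate; the sample bytes are a constructed placeholder rather than a real certificate, and the function names are assumptions of this example.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed placeholder bytes standing in for a DER-encoded certificate; NOT a real certificate.
SAMPLE_DER = bytes(range(96))
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
    _B64[i:i + 64] for i in range(0, len(_B64), 64))


def pem_to_der(pem_text: str) -> bytes:
    # Steps 9-10: drop the BEGIN/END CERTIFICATE lines and every line break, then decode.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()), validate=True)


def thumbprint(der: bytes) -> str:
    # Steps 3-6: the Windows Thumbprint field is the SHA-1 of the DER bytes; emit it without spaces.
    return hashlib.sha1(der).hexdigest().upper()


def build_setup_xml(pem_text: str) -> str:
    # Steps 1-13: the hash becomes the characteristic type, the base64 DER the parm value.
    der = pem_to_der(pem_text)
    root = ET.Element("wap-provisioningdoc")
    store = ET.SubElement(root, "characteristic", type="CertificateStore")
    root_store = ET.SubElement(store, "characteristic", type="ROOT")
    entry = ET.SubElement(root_store, "characteristic", type=thumbprint(der))
    ET.SubElement(entry, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(root, encoding="unicode")


def verify_setup_xml(xml_text: str) -> bool:
    # Check before makecab: each ROOT entry's type must equal the SHA-1 of its decoded
    # EncodedCertificate, and that value must be clean base64 (no line breaks or PEM armour).
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    entries = root.findall("./characteristic[@type='CertificateStore']"
                           "/characteristic[@type='ROOT']/characteristic")
    if root.tag != "wap-provisioningdoc" or not entries:
        return False
    for entry in entries:
        parm = entry.find("parm[@name='EncodedCertificate']")
        try:
            der = base64.b64decode(parm.get("value", ""), validate=True)
        except (AttributeError, ValueError):
            return False  # missing parm, or whitespace/PEM headers left in the value
        if entry.get("type") != thumbprint(der):
            return False
    return True
```

Write the string returned by build_setup_xml to _setup.xml and run makecab on it as described in the next section.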

Creating a .cab File that Contains the Provisioning XML

The _setup.xml file that you created in step 14 must be processed as a .cab file before it is transferred and installed on the Windows Mobile-based device.

From the Windows command line prompt, run the following text:

makecab _setup.xml <filename>.cab

Distributing the CAB Provisioning File

The .cab file that contains the provisioning XML can be distributed to a Windows Mobile-based device that is cradled to a desktop PC, or to a variety of storage cards that can be inserted into the Windows Mobile-based device, such as a MultiMedia Card (MMC), a Secure Digital I/O (SDIO) card, and a CompactFlash card.

Note

If the ActiveSync wizard appears when you connect the device to a desktop computer, click Cancel. It is recommended that you use Windows Explorer and File Explorer to transfer the .cab file to the device.

To copy the .cab file from the desktop to the device by using File Explorer

  1. Copy the .cab file to the device.

  2. On the device, locate the .cab file by using File Explorer.

  3. Click the .cab file icon to initiate the installation.

  4. A notification of successful installation will appear. If you receive a prompt, choose Yes to let the installation process run.

  5. Check the Root certificate store of the Windows Mobile-based device to verify successful installation.