
Certificate Improvements in Windows Mobile 6

As faithful blog readers already know, there were several limitations related to certificates that caused tons of customer pain on WM5. Now that WM6 is public, it gives me great pleasure to announce the following changes that we made in WM6:

  • Certificate Installer built into the platform
    • Installs CER, P7B, and PFX files
    • No more Access Denied messages.
    • Installs certs to the ROOT, Intermediate, and MY store
  • Wildcard Certificate support for SSL

Thanks for all your input and feedback on these issues. Several of the work items and design decisions involved in this were shaped or prioritized directly due to your feedback.

Some other minor tidbits:

  • The Intermediate ("CA") store shows up in the control panel now
  • Even more root certs installed by default
  • Delete will work from the control panel on any user-installed certs

Technical crunchy bits:

We added HKCU versions of the ROOT and CA stores where previously there was only the HKLM version. These stores don't require special trust to access: they can be reached from unsigned code, over RAPI, or by any other method. The new certificate installer (CertInstaller.exe) installs certs into those stores.
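As an added example (not the post's or CertInstaller's own code), a small pure-Python DER reader that reports which of the three stores named above a .cer file belongs in. The selection rule is an assumption of mine, not the installer's documented logic: a self-signed CA cert goes to ROOT, a CA cert issued by another CA to the intermediate (CA) store, anything else to MY. The `make_cert` helper builds constructed, unsigned test certificates so the script runs offline.

```python
"""Classify a DER (.cer) certificate by the WM6 store it belongs in.
Added example, not CertInstaller's own code. The selection rule is an
assumption modelled on the stores the post names: self-signed CA -> ROOT,
CA issued by another CA -> CA (intermediate), anything else -> MY.
Only the X.509 structure is parsed; signatures are not verified."""

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # 2.5.29.19
OID_COMMON_NAME = bytes.fromhex("550403")         # 2.5.4.3

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def children(body):
    """All (tag, value) pairs inside a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_cert(der):
    """Return (issuer Name DER, subject Name DER, basicConstraints cA flag)."""
    _, cert, _ = read_tlv(der, 0)
    tbs = children(children(cert)[0][1])            # tbsCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0               # skip optional [0] version
    issuer, subject = tbs[i + 2][1], tbs[i + 4][1]  # serial, sigAlg, issuer, validity, subject
    is_ca = False
    for tag, val in tbs[i + 6:]:                    # fields after subjectPublicKeyInfo
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(val)[0][1]):
            fields = children(ext)                  # extnID, [critical], extnValue
            if fields[0][1] == OID_BASIC_CONSTRAINTS:
                bc = children(children(fields[-1][1])[0][1])
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in bc)
    return issuer, subject, is_ca

def store_for(der):
    """ROOT for a self-signed CA, CA for an intermediate, MY otherwise."""
    issuer, subject, is_ca = parse_cert(der)
    if is_ca:
        return "ROOT" if issuer == subject else "CA"
    return "MY"

def classify_file(path):
    with open(path, "rb") as f:                     # a .cer saved in DER format
        return store_for(f.read())

def make_cert(subject_cn, issuer_cn, is_ca):
    """Constructed, unsigned test cert: real layout, placeholder key/validity."""
    def name(cn):
        atv = tlv(0x30, tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, cn.encode()))
        return tlv(0x30, tlv(0x31, atv))
    bc = tlv(0x30, tlv(0x01, b"\xff") if is_ca else b"")
    ext = tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x04, bc))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b"")
           + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Run `classify_file` on each .cer you were handed before copying it to the device; a file that comes back as CA rather than ROOT is only the intermediate, and SSL still needs the root installed.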

Scott

Comments

  • Anonymous
    February 08, 2007
    Please Help! I've been trying to determine whether I should even upgrade my iPAQ to WM 5.0, and now I feel even more confused when I see your reference to WM 6. I have visited the Windows Mobile portion of Microsoft's website many times looking to get basic questions answered and can never find the information I need. As a basic user of an iPAQ hx2415 running 2003 SE I feel like Microsoft has just decided to ignore users of the "old" OS as there is almost no information for basic users who want to understand their options for upgrading to WM 5.0. I understand that whether a user can upgrade depends upon the individual device and whether the device manufacturer provides an upgrade. I visited HP's website and they do sell an upgrade for my exact device model number, however when you go to purchase the upgrade HP gives the following warning: "Many HP iPAQ users have reported performance issues after upgrading their devices to Windows Mobile 5.0. Please read Microsoft's detailed explanation by clicking here: http://blogs.msdn.com/windowsmobile/archive/2006/03/16/552996.aspx". HP's own website does not make any mention of the specific models for which problems have been reported. So I followed the link to view Microsoft's "detailed explanation" and I find a blog entry by Mike Calligaro ("What's a compaction thread?", March 2006) that explains the technical reason for the performance issues some users have experienced after upgrading. Even though my technical understanding is very limited I did read the entire posting and understood the information well. But the explanation of why the problem occurs did not solve my problem of needing to know whether my specific device was one of the devices affected. Mike Calligaro states in his March, 2006 posting, "To be clear, we've only heard reports of this happening on two upgrade devices, and not on any of the devices designed specifically for WM5". Okay, so what are the two upgrade devices to which he's referring???
    I have checked the responses from people within the March thread and only one user specifically refers to having had a problem with the exact device model that I own (May 19 by John Curry). In his response he simply asks if there is any way he can buy a copy of 2003 SE to reinstall on his device because the upgrade caused performance problems. He says Microsoft and HP do not sell copies of 2003 for re-installation and goes so far as to say he would pay for a copy. ***No one responded to his question from what I can tell. Can you please tell me the specific devices for which Microsoft acknowledges reported problems? Are there really only two? I have also done some general searching on the net and found a few references here and there from individual users but no official consensus. If you do not have that information where do I go to find out the information? Or, do you know if the cause of the problems has in fact been fixed? Just as importantly, why doesn't Microsoft or HP appear to sell copies of 2003 SE that would allow people to reinstall if 5.0 doesn't work well (not that users should have to repay for software they already bought). This just doesn't make any sense. HP basically is telling people in their upgrade "warning" to refer to Microsoft about problems their products have encountered with the upgrade. And the place to which they have directed their customers - this blog - doesn't seem to provide any answers. And as I stated at the beginning, Microsoft is basically mute on the Windows Mobile product website. It's almost like being made to go in circles. And finally, what the heck is Windows Mobile 6? Interestingly, when I've visited the Mobile product website over the last few weeks I saw reference to 5.0 all over the site. Now when I visit the site I don't see a reference to any version number, neither 5.0 nor 6.
    The only page I could find that makes reference to the number (version) 6 refers to 'Windows Mobile Device Center 6 for Windows Vista'. So is there an actual OS version 6.0 now, or are you referring to something else? Things just seem to get more and more ambiguous on the Mobile products site. It really is very disheartening, especially when it doesn't have to be that way.

  • Anonymous
    February 08, 2007
    Hey Jason, I have an HP iPaq 4700hx and while some performance issues were introduced after upgrading to WM5, they are nominal for the most part.  Additionally, the OS can be rolled back to 2003 SE whenever you like by running the WM5 upgrade installer. I personally feel that the periodic stalls in device responsiveness are worth the benefits provided by upgrading, especially the persistent storage, but this should be a decision you make yourself. As for the WM5 vs 6 issue, I believe the OS upgrade has to be offered by your OEM and with your device, it is unlikely HP will ever offer an upgrade to WM6 as generally the device is designed for one OS (possibly upgradeable once, as in this case). Unfortunately I can't offer answers to your other questions nor can I offer device-specific experience as I don't own that particular model, but I would suggest posting in the forums to see if anyone else is in the same situation.

  • Anonymous
    February 08, 2007
    I'm still not allowed to say much about Windows Mobile 6 until next week, other than it exists, it's

  • Anonymous
    February 08, 2007
    From what I can tell, WM6 runs on top of the same CE5 core as WM5, which means a device that can be upgraded to WM5 should be able to take WM6, no? It is mainly just changes to the apps and shell? Now when WMx runs on top of the CE6 core, then I can see older devices having issues with upgrading. BTW why the version # confusion between CE and WM?

  • Anonymous
    February 08, 2007
    I've just bought a new WM5 device for personal use and oops - Windows Mobile 6 was announced. So what's

  • Anonymous
    February 08, 2007
    Will developers be able to use the same toolset for WM6?  I just invested in VS 2005 for WM5 development.

  • Anonymous
    February 08, 2007
    Hang on a little bit longer for the full launch of WM6 to get underway. Not everything has been rolled out publicly yet, like the web page, etc.

  • Anonymous
    February 08, 2007
    Thank goodness, now I can finally utilize whatever is left of my PKI to do some kind of mobile device/user authentication using certs. Wondering if you can elaborate on any auto enrollment features or is that still SDK or generate manually? --Vasu

  • Anonymous
    February 08, 2007
    The comment has been removed

  • Anonymous
    February 08, 2007
    The comment has been removed

  • Anonymous
    February 08, 2007
    Folks Yes, you can use Visual Studio 2005 to develop for Windows Mobile 6 so your investment in tools is safe!  Tune in to the blog and the Windows Mobile Dev Center (http://msdn.microsoft.com/windowsmobile) on Monday to learn more about Windows Mobile 6 development. James

  • Anonymous
    February 09, 2007
    Congratulations on finally improving the certificate support. Nice to see that Microsoft responds once there is a third-party alternative. Some questions remain, though.

      • When will WM6 emulator images be available?
      • How about documentation for the web-based certificate enrollers in WM5+ and ActiveSync 4.5? Currently the web enrollment process is brittle. I don't think that anyone got it to work, or at least I have not seen any success reports on the web.
      • Does L2TP/IPsec use the HKCU versions of the ROOT and CA stores? If it doesn't then L2TP/IPsec won't be much of an option, especially on fully locked-down Smartphones. I've always found it odd that on desktop Windows you need Administrator privileges to install a 'machine' certificate for what is essentially a roadwarrior (=personal) type of VPN.

  • Anonymous
    February 09, 2007
    I also upgraded to WM5 on an iPaq 2410, what a disaster. I now have less than 1MB free for storage, while the OS says 35MB free for running programs. Any suggestions on how to free up more space?

  • Anonymous
    February 12, 2007
    can I upgrade my wm5 pocket pc to wm6? if so  how?

  • Anonymous
    February 26, 2007
    This is great news, I am using S/MIME on my Windows Mobile 5 device now. Any word on the "disappearing personal cert" problem? Right now when my device loses power the personal certificate is wiped.

  • Anonymous
    March 07, 2007
    I own an HP iPAQ 6925 running WM5. I upgraded to Vista and since have not been able to get Windows Mobile Device to recognize the iPAQ more than once. I get continual warnings saying it has been stopped due to conflict, and that it is not working right, and then when it says to find solution nothing happens. I need to get the iPAQ and computer talking again, can someone help?

  • Anonymous
    March 26, 2007
    The comment has been removed

  • Anonymous
    March 26, 2007
    The comment has been removed

  • Anonymous
    May 22, 2007
    I am using WM6 now and am importing user certs with the new cert installer tool. I have been scripting this process using the CE Device Command Shell (to the emulator) to run the tool. I had been very hopeful about  the silent import feature. Unfortunately, when I use the '-silent' option the certificate fails to import with no errors (of course because it is silent). If I don't use silent everything is fine. Anyone else see this?

  • Anonymous
    May 22, 2007
    Hi Michelle, I'm interested to know what's going wrong for you. If you check the exit code of the process you can get a clue as to what's going on. I'm not sure if the command shell you're using can do that - in the worst case you can write an app that calls CreateProcess and find the exit code that way.  One reason this might fail is if you're adding a root certificate and it prompts for installation - if the prompt is never accepted then it will time out and the install will fail. If you need to script an install like that, use a signed cab file instead with wceload /silent. If you install it that way, there won't be a prompt to install the certificate. Scott

  • Anonymous
    May 25, 2007
    I upgraded to WM6 and cannot post on the Microsoft Xbox forums now. When I had version 5 this worked fine.

  • Anonymous
    May 29, 2007
    I am currently using a Treo 750 using WM5 and cannot ActiveSync back to our company's server. Our company uses wildcard certificates which WM5 does not support. I noticed that in WM6 there are 3 tabs under certificates. Will I need to install the certificate into a specific area (tab) in certificates in order to get WM6 to ActiveSync with Exchange w/o errors?

  • Anonymous
    May 29, 2007
    Hi Allan, The certificate installer tries to figure out which store the certificate should go into. If you install the certificates for your server, it should put them into the right place.

  • Anonymous
    June 08, 2007
    I just got a T-Mobile wing yesterday with WM6.  I have yet to figure out a way to install our "company root certificate" in the root store of the device.  The T-Mobile manual of course is no help. I tried copying the .cer file over to the device using the active sync program, but when I click on the cert to install it, it says there is no program associated with the extension.   Any ideas?   Or, do you think like I do, that TMO has removed the capability from the device?

  • Anonymous
    June 08, 2007
    Ken, your comments worry me. Let me try and dig up a Wing device and investigate.

  • Anonymous
    June 11, 2007
    Hey Ken, I couldn't reproduce your problem on a Wing internally. Can you check this registry key and see if it is set correctly? [HKEY_CLASSES_ROOT\certificate\Shell\Open\Command] @="CertInstaller.exe \"%1\"" Feel free to mail me through the contact form if you want to discuss further.

  • Anonymous
    June 12, 2007
    Following the WM6 upgrade, my T-Mobile DASH resets the home screen from the (preferred) setting of Windows Default to the T-Mobile Default following a soft reset.  I don't recall WM5 ever doing this.  Is there a way to stop this?  Perhaps a registry modification?  Are others experiencing this?  Thanks in advance, Robert.

  • Anonymous
    July 02, 2007
    The comment has been removed

  • Anonymous
    July 19, 2007
    I just started playing with the S/MIME features in Windows Mobile 6, and after installing my user certificate from my Windows Server 2003 CA, I can see that the certificate hierarchy has been correctly installed; but I can't digitally sign or decrypt messages. When I look at the certificate properties, it ONLY shows Client Authentication as the intended purpose; whereas the same certificate on my Vista machine displays Secure Email and EFS as the other "intended purposes." This is on a T-Mobile Dash

  • Anonymous
    July 22, 2007
    Trying to gain access to a company work website that runs on Java but every time I try to access it goes nowhere. Other company webpages are available that use the same certificate so I don't understand. Can I download this cert? Does Windows Mobile 6 look for the cert automatically like it does with regular desktop versions of Windows?

  • Anonymous
    September 02, 2007
    Does WM6 support client certificate authentication through a web service?  All windows based -CA, IIS, .asmx, etc.  Is the inability to use client certs really a .net compact framework issue that will not be fixed with WM6?  

  • Anonymous
    September 18, 2007
    James, Windows CE/Mobile wininet does support cert-based auth. However, you do have to provide some code to configure the client cert to be used for authentication (if there are multiple certs in the MY cert store). For instance, the cert-based auth feature for Exchange ActiveSync will loop through the certs in the store until it finds one that works or has tried all of them. Authenticating a web service call (.asmx) does not have to require any special authentication if you just use SSL. However, I'd be interested to hear more about WM support for WCF, Web Services cert auth. It looks like .NET CF 3.5 will support this, but I'm not sure what you get with the native OS.

  • Anonymous
    September 19, 2007
    I just got a new WM6 device and ran into a "root certificate not provided" error.  I'm guessing that what I need to do is install one, and according to the subject of the thread I can use "the Certificate Installer" to do that.  But nothing in the thread, or in my local "help" file describes HOW.  Is there a place where this is documented???

  • Anonymous
    September 19, 2007
    You need to get the certificate in CER format. One way to do that is by browsing to the site you're trying to connect to via desktop IE and clicking through the lock icon, then saving the certificate from there. There are some screenshots of that approach here: http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx You can skip the parts about XML. On WM6 you can just copy the CER to the device and then open it on the device via the file explorer.

  • Anonymous
    September 20, 2007
    Thanks Scott, BUT: The end of the post says "Now install the cab file on the device. You're done!" With NO DESCRIPTION of how to do that.

  • Anonymous
    September 20, 2007
    In your case on WM6, you don't need to muck with XML or make a cab. once you've saved the CER file to your desktop, you can connect the device to activesync and drag the CER file from your desktop to the device. Open up File Explorer on the device, browse to where you dropped the file, and click/action on it. That should start up the certificate installer and install your cert.

  • Anonymous
    October 03, 2007
    I have an application which uses .Net CF 1.0. It establishes an SSL connection to a server. My root provider is already in the trusted list on the WM6 Emulator. But when my application tries to establish a connection I get the Untrusted Root Cert error. Any clues will be appreciated. This is only happening on WM6. It works fine on WM5.

  • Anonymous
    October 06, 2007
    Does anyone know if there is an equivalent registry key in WM6 to the one in WM5 "secure=0" to prevent checking of the certificate? Long story but the certificate name doesn't match the server name. This will change shortly. But for testing I need to sync as it is now. I won't be using this in a production environment.

  • Anonymous
    October 06, 2007
    No, there's not.

  • Anonymous
    October 09, 2007
    Hi, I have imported a cert into my device. It has been placed into the intermediate section and not the root section. OMA works fine. You have commented before that WM6 looks at the certs to see if they are valid. Does it look only at the root?

  • Anonymous
    October 10, 2007
    It doesn't look only at the root, but a root is required to make a successful SSL connection.

  • Anonymous
    October 29, 2007
    I just got the HTC 6800 from Sprint running Windows Mobile 6. I can not move, delete or even rename any of my files. I can only create. Does anyone know what's going on. Please help! (my email is leapa777@yahoo.com)

  • Anonymous
    November 06, 2007
    I've got a WM 6 device from O2 (HTC) and now I have the problem that I'd like to connect through DynDNS to my SBS Exchange server. That means my personal cert on the Exchange server is different to the DynDNS name. In WM 5 I've used "HKCU\Software\Microsoft\AirSync\Connection, Secure=0" but this does not work with WM 6. Is there another way?

  • Anonymous
    November 28, 2007
    Scott, I have a situation whereby my company use smartcard(Cert) to logon desktop. No password is available. Could you recommend a way to automatically enroll for personal cert by using logon credential and without using any password ? Thanks!!

  • Anonymous
    December 06, 2007
    Ok. There is a lot of importing certificates, but how do I export it so I can import it on my new device? I need to move from one WM5 to another WM5 device. Everything is set up on the new WM5 device and I use that. The only thing that I need from the old device is the certificate. I haven't found any backup utility for certificates yet. Is there some way to do this or third-party programs?

  • Anonymous
    December 07, 2007
    OS2 guy, I used to do the same thing.  Did you find a way to get it to work on WM6?

  • Anonymous
    January 31, 2008
    "I just got a T-Mobile wing yesterday with WM6.  I have yet to figure out a way to install our "company root certificate" in the root store of the device.  The T-Mobile manual of course is no help." I am experiencing a similar issue - I have the 'company cert' installed and it's found under intermediate, however when I go to synch, I get an error that says "The security certificate on the server is not valid." I'm unsure if this is an issue related to T.Mo's Shadow reading the cert? I don't know how it can say cert on the server is not valid when it came from there. Sys admin assures me it is the correct cert.

  • Anonymous
    February 01, 2008
    @Melissa: It sounds like your admin gave you the intermediate cert when you really need to install the root cert. If your server is configured right then you won't need the intermediate cert at all. Instructions here: http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making-a-root-cert-cab-file.aspx will show you how to connect to your server and save the root cert so you can install it on the device. You install the root in the same way that you've been installing the intermediate.

  • Anonymous
    February 18, 2008
    We have a mobile application that uses the .NET compact frameworks on Windows Mobile 6.0.  However it appears that wildcard certificates are only supported on applications written natively to the OS.  We cannot get wildcard certificates to work on applications using the .NET compact framework.

  • Anonymous
    February 22, 2008
    The comment has been removed

  • Anonymous
    March 11, 2008
    Has anyone successfully disabled cert. checking on WM6?

  • Anonymous
    March 18, 2008
    I have an HTC 710 running WM6. I've installed our company's ROOT CA through cer and cab methods. Browsing to OWA works through SSL, however ActiveSync keeps throwing 0x80072F7D. Any tips?

  • Anonymous
    April 11, 2008
    I have an HP iPAQ 510 Voice Messenger... I cannot run some applications because it does not have a certificate... can someone help me?

  • Anonymous
    April 17, 2008
    Can someone PLEASE tell me how I can specifically install a root cert on a Windows Mobile 6 device? The cert(s) that we had used for Windows Mobile 5 devices worked fine... but now trying to get those certs onto WM6 is not working... This is related to Citrix Web Interface - going through a Secure Gateway. Please e-mail me at ryan_e_sherman@hotmail.com Thanks!

  • Anonymous
    July 17, 2008
    The comment has been removed

  • Anonymous
    July 21, 2008
    The comment has been removed

  • Anonymous
    July 22, 2008
    @Nev, no, we don't have a private key protection feature right now. I suspect there probably are third parties that offer an add-on for that sort of thing. If I were planning this for enterprise, I'd depend on the PIN enforcement and remote wipe that you can do with Exchange to protect the user's mail certs.

  • Anonymous
    August 05, 2008
    Is there any way to disable certificate verification on WM 6.1? The Exchange certificate at our business is expired and my Moto Q9c will not connect to the server now. Our IT dept is not in any hurry to renew the certificate.

  • Anonymous
    September 30, 2008
    I am new to windows mobile and have an exchange server with an internal cert: How in the world do I simply import the cert to this device?  It should not be so difficult.  I am missing something?

  • Anonymous
    September 30, 2008
    I am trying to simply add a certificate from my exchange server to the mobile 6 device and this is SOOOO frustrating. How in the world can I do this to connect to exchange? The documentation is lacking to say the least.  

  • Anonymous
    October 01, 2008
    To import a cert, first go to your OWA site like https://exchange.mysite.com/owa using IE. When you get the login page, select View, Security Report. On the little pop-up window, select View Certificates. Go to the Certificate Path page. You should see a couple of certs, where the last is the actual page you are on. For each cert ABOVE the page cert, click on the cert, and select View Certificate. On the Details page, select Copy to File, use the DER format, pick a file and save it. Repeat for other certs (i.e., if you have an intermediate cert). Copy that file(s) to your phone (I put it on my storage card so when I change phones or upgrade it's easily accessible). On your phone, double-click the file(s) from File Explorer. It will ask to install the cert and you're done. You can double-check the cert(s) from Settings, System, Certificates on your phone.

  • Anonymous
    October 09, 2008
    Thank you, that was simple once I read correct and exact instructions!  You have saved me a ton of time! Thanks!

  • Anonymous
    December 16, 2008
    I am having a problem connecting to our secure network via wifi.  The network requires a certificate.  I have downloaded it to the phone but it asks for my uswr name, password, and domain.  My it department says that I cannot use windows mobile to connect to the network with a certificate because it is a WPA-enterprise TKIP.  My gut is saying that they are wrong and that they are just not interested in researching issues related to mobile devices.  Can anyone help me with this?