CertificateStore Configuration Service Provider


The CertificateStore Configuration Service Provider allows you to add security certificates and role masks to the device's certificate store.

Note   This Configuration Service Provider can be managed over both the OMA Client Provisioning (formerly WAP) and the OMA DM protocols.

Note   Access to this Configuration Service Provider is determined by Security roles. Because OEMs and Mobile Operators can selectively disallow access, ask them about the availability of this Configuration Service Provider. For more information about roles, see Security Roles and Default Roles for Configuration Service Providers.

To add or update the security roles for a specific certificate in the SPC store, the provisioning XML must provide both the Role parm and the Base64-encoded certificate in the EncodedCertificate parm.

Note   The CertificateStore Configuration Service Provider supports only SHA1 hashes in all of its operations. MD5 hashes are not supported.

The default metabase settings for the CertificateStore Configuration Service Provider are as follows:

  • Unprivileged Execution Trust Authorities*

    Certificate store: Applications signed with a certificate belonging to this store will run with normal trust level. This setting is a string that has read/write permissions. The Manager role is allowed to query and update this setting.

    Note   This setting is available only for Windows Mobile-based Smartphones.

  • Privileged Execution Trust Authorities*

    Certificate store: Applications signed with a certificate belonging to this store will run with privileged trust level. This setting is a string that has read/write permissions. The Manager role is allowed to query and update this setting.

The following image shows the management object used by OMA DM.

The following image shows the Configuration Service Provider in tree format as used by OMA Client Provisioning.

These images show the default stores. You can create other certificate stores that can also be managed by this Configuration Service Provider.

For CertificateStore Configuration Service Provider examples, see CertificateStore Configuration Service Provider Examples for OMA Client Provisioning.

Characteristics

  • */<certificate hash>
    A second-level characteristic that specifies the SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal.

  • CA
    A certificate store that contains cryptographic information, including intermediary certification authorities.

    The following table shows the default settings.

    Permissions: Read/Write
    Data type: String
    Roles allowed to query and update setting: Manager
  • MY
    A certificate store that contains end-user personal certificates.

    The following table shows the default settings.

    Permissions: Read/Write
    Data type: String
    Roles allowed to query and update setting: Manager, Authenticated User

  • Privileged Execution Trust Authorities
    A certificate store that contains privileged trust certificates. Applications signed with a certificate belonging to this store will run with privileged trust level. The role mask does not matter for this store.

    The following table shows the default settings.

    Permissions: Read/Write
    Data type: String
    Roles allowed to query and update setting: Manager
  • ROOT
    A certificate store that contains root, or self-signed, certificates.

    The following table shows the default settings.

    Permissions: Read/Write
    Data type: String
    Roles allowed to query and update setting: Manager
  • SPC
    A certificate store that holds Software Publishing Certificates (SPCs). An SPC is used to sign .cab files, and its role mask determines the role mask assigned to the .cab file installation.

    The following table shows the default settings.

    Permissions: Read/Write
    Data type: String
    Roles allowed to query and update setting: Manager
  • Unprivileged Execution Trust Authorities
    A certificate store that contains unprivileged trust certificates. Applications signed with a certificate belonging to this store will run with normal trust level. The role mask does not matter for this store.

    Note   This setting is available only for Windows Mobile-based Smartphones.

    The following table shows the default settings.

    Permissions: Read/Write
    Data type: String
    Roles allowed to query and update setting: Manager

Parameters

  • EncodedCertificate
    This parm is used in all CertificateStore characteristics to specify a Base64-encoded X.509 certificate (the DER encoding, Base64-encoded).

  • IssuedBy
    This read-only parm shows the name of the certificate issuer. This information is the Issuer member in the CERT_INFO structure.

    The following table shows the default settings.

    Permissions: Read-only
    Data type: String
    Roles allowed to query and update setting: Manager, Authenticated User

  • IssuedTo
    This read-only parm shows the name of the certificate subject. This information is the Subject member in the CERT_INFO structure.

    The following table shows the default settings.

    Permissions: Read-only
    Data type: String
    Roles allowed to query and update setting: Manager, Authenticated User

  • Role
    This parm is used in all CertificateStore characteristics to specify a four-byte bit mask that corresponds to the roles that can be assigned to the certificate. The role mask is only used for certificates in the SPC store; for the other stores it is accepted but has no effect. When no Role parm is specified for a certificate that is added to the store, the role mask defaults to 0.

  • TemplateName
    This read-only parm specifies the template name used to produce the certificate. This is an X.509 extension identified by szOID_ENROLL_CERTTYPE_EXTENSION.

    The following table shows the default settings.

    Permissions: Read-only
    Data type: String
    Roles allowed to query and update setting: Manager, Authenticated User

  • ValidFrom
    This read-only parm shows the starting date of the certificate's validity. This information is in the NotBefore member in the CERT_INFO structure.

    The following table shows the default settings.

    Permissions: Read-only
    Data type: String
    Roles allowed to query and update setting: Manager, Authenticated User

  • ValidTo
    This read-only parm shows the expiration date of the certificate. This information is in the NotAfter member in the CERT_INFO structure.

    The following table shows the default settings.

    Permissions: Read-only
    Data type: String
    Roles allowed to query and update setting: Manager, Authenticated User

Microsoft Custom Elements

The following table shows the Microsoft custom elements that this Configuration Service Provider supports for OMA Client Provisioning.

Element                 Supported
parm-query              Yes
noparm                  No
nocharacteristic        Root level and first level: No; second level: Yes
characteristic-query    Root level: No; first and second levels: Yes; recursive: No

Use these elements to build standard OMA Client Provisioning (formerly WAP) configuration XML. For information about specific elements, see MSPROV DTD Elements. For examples of how to generally use the Microsoft custom elements, see Provisioning XML File Examples.

For information about OMA Client Provisioning, see OMA Client Provisioning Files.

Remarks

Security roles are used with certificates to enforce security settings that were configured by using security policies.

To set a certificate in the SPC store, the provisioning message itself must carry at least the role it assigns to the certificate. For example:

  • To set a Manager certificate in the SPC store, the provisioning message must have the Manager role (8).
  • To set a User Authenticated certificate in the SPC store, the provisioning message must have the User Authenticated role (16).
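The hash, EncodedCertificate and Role rules from the Characteristics and Parameters sections, together with the SPC role requirements in these Remarks, as an added example. The Python below is not from this page or from any Microsoft tool. It builds the OMA Client Provisioning XML for one certificate (the wap-provisioningdoc / characteristic / parm layout that the linked examples use) and then checks a document for the mistakes this page warns about: an MD5-length hash, a characteristic type that does not match the SHA1 of the Base64-decoded certificate, a Role parm outside the SPC store, and an SPC entry with no Role parm (so the mask silently defaults to 0). SAMPLE_DER is a constructed placeholder rather than a real certificate, and comparing the hash case-insensitively is an assumption about the device-side parser.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Optional

# Security roles named in the Remarks: Manager = 8, User Authenticated = 16.
ROLE_MANAGER = 8
ROLE_USER_AUTHENTICATED = 16
ROLE_NAMES = {ROLE_MANAGER: "Manager", ROLE_USER_AUTHENTICATED: "User Authenticated"}

# Constructed placeholder standing in for DER-encoded certificate bytes. It is not
# a real X.509 certificate; only the hashing and encoding steps are exercised.
SAMPLE_DER = b"\x30\x82\x01\x00 constructed placeholder, not a real certificate"

HEX_DIGITS = set("0123456789abcdefABCDEF")


def cert_hash_hex(der: bytes) -> str:
    """20-byte SHA1 of the DER certificate as 40 hex digits: the value used as the
    second-level characteristic type. The CSP accepts SHA1 only, never MD5."""
    return hashlib.sha1(der).hexdigest().upper()


def build_cert_provisioning(store: str, der: bytes, role: Optional[int] = None) -> str:
    """OMA Client Provisioning XML that adds one certificate to `store`.
    `role` is the Role bit mask; it is only meaningful for the SPC store."""
    doc = ET.Element("wap-provisioningdoc")
    cs = ET.SubElement(doc, "characteristic", type="CertificateStore")
    st = ET.SubElement(cs, "characteristic", type=store)
    cert = ET.SubElement(st, "characteristic", type=cert_hash_hex(der))
    ET.SubElement(cert, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    if role is not None:
        ET.SubElement(cert, "parm", name="Role", value=str(role))
    return ET.tostring(doc, encoding="unicode")


def validate_cert_provisioning(xml_text: str) -> List[str]:
    """Check a provisioning document against the rules on this page and return
    the problems found (an empty list means the document is consistent)."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "wap-provisioningdoc":
        return [f"root element is <{root.tag}>, expected <wap-provisioningdoc>"]
    for cs in root.findall(".//characteristic[@type='CertificateStore']"):
        for store in cs.findall("characteristic"):
            store_name = store.get("type", "")
            for cert in store.findall("characteristic"):
                h = cert.get("type", "")
                where = f"{store_name}/{h}"
                parms = {p.get("name"): p.get("value", "") for p in cert.findall("parm")}
                # The characteristic type must be the SHA1 hash of the certificate.
                if len(h) == 32 and set(h) <= HEX_DIGITS:
                    problems.append(f"{where}: 32 hex digits looks like MD5; only SHA1 is supported")
                elif len(h) != 40 or not set(h) <= HEX_DIGITS:
                    problems.append(f"{where}: characteristic type must be the 40-hex-digit SHA1 hash")
                # EncodedCertificate must be Base64 and must hash to the characteristic type.
                enc = parms.get("EncodedCertificate")
                if enc is None:
                    problems.append(f"{where}: missing EncodedCertificate parm")
                else:
                    try:
                        der = base64.b64decode(enc, validate=True)
                    except binascii.Error:
                        problems.append(f"{where}: EncodedCertificate is not valid Base64")
                    else:
                        actual = cert_hash_hex(der)
                        if actual != h.upper():
                            problems.append(f"{where}: SHA1 of EncodedCertificate is {actual}, "
                                            "does not match characteristic type")
                # Role only has an effect in the SPC store and defaults to 0 when absent.
                role = parms.get("Role")
                if store_name == "SPC" and role is None:
                    problems.append(f"{where}: no Role parm in SPC store, role mask defaults to 0")
                if store_name != "SPC" and role is not None:
                    problems.append(f"{where}: Role parm is ignored outside the SPC store")
    return problems


def roles_in_mask(mask: int) -> List[str]:
    """Names of the roles set in a Role bit mask (only the two roles this page names)."""
    return [name for bit, name in ROLE_NAMES.items() if mask & bit]


if __name__ == "__main__":
    xml_doc = build_cert_provisioning("SPC", SAMPLE_DER, ROLE_USER_AUTHENTICATED)
    print(xml_doc)
    print("problems:", validate_cert_provisioning(xml_doc))
```

Run it to see a minimal SPC entry; then swap the store name or drop the Role argument to see the validator report the cases the page describes. A real deployment would feed it the DER bytes of the publisher certificate and send the document from a provisioning source that holds the role being assigned.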

See Also

Configuration Service Provider Reference for Windows Mobile-Based Devices | CertificateStore Configuration Service Provider Examples for OMA Client Provisioning



© 2006 Microsoft Corporation. All rights reserved.