Windows Mobile PKI Hierarchy

4/8/2010

Microsoft provides the Windows Mobile software and Microsoft applications such as Word Mobile, Excel Mobile, and Outlook Mobile. As a platform software vendor and an application software vendor, Microsoft also operates a PKI hierarchy for code signing.

As the platform software vendor, Microsoft is similar to the OEM and the operator, with the following differences:

  • Microsoft does not create the final run-time image for the devices; therefore Microsoft does not sign third-party applications and ship them in the platform.
  • Most of the platform software is installed in the firmware before the device reaches the user.
  • Updates are shipped by the OEM or the operator.

For cases where an update or a service pack requires a signed package, Microsoft operates two root certification authorities (PCAs). Their certificates must be present in the Windows Mobile device's certificate stores for the update or service pack to run on the device: the store a root is installed in decides whether code chaining to it runs privileged or normal, and its entry in the SPC store carries the role mask of security roles granted to that code. The following table shows the Windows Mobile software PKI hierarchy.

Certificate                                     | Included in the device?
------------------------------------------------|----------------------------------------------------
Windows Mobile Device Privileged Component PCA  | Yes
                                                | Included in the Privileged Certificate Store.
                                                | Included in the SPC with role mask = 222.
Windows Mobile Device PCA                       | Yes
                                                | Included in the Normal Certificate Store.
                                                | Included in the SPC with role mask = 16.
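The check the paragraph and table above describe, as an added example that is not part of this page and not Microsoft's code: a Go model of the device-side decision, using the standard library's X.509 chain verification. It builds two constructed root CAs carrying the two PCA names from the table, installs one in a "Privileged" pool and one in a "Normal" pool (standing in for the two certificate stores), maps each root to the role mask the table gives for the SPC store, and then evaluates packages whose signer chains to each root, to an unknown root, and a package whose payload was modified after signing. The keys, certificates, package bytes, the ECDSA-over-SHA-256 signature format and the store names are assumptions of the example, not details of the Windows Mobile format; only the two root names and the role masks 222 and 16 come from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Root names and SPC role masks are the page's; all keys and certificates are constructed here.
const (
	PrivilegedPCA = "Windows Mobile Device Privileged Component PCA"
	NormalPCA     = "Windows Mobile Device PCA"
)

// Model of the SPC store: root subject -> role mask granted to code chaining to it.
var spcRoleMask = map[string]int{PrivilegedPCA: 222, NormalPCA: 16}

// DeviceStores models the Privileged and Normal certificate stores on the device.
type DeviceStores struct {
	Privileged *x509.CertPool
	Normal     *x509.CertPool
}

// SignedPackage is a hypothetical update package: payload, ECDSA signature over
// SHA-256(payload), and the signing certificate (assumption, not the real CAB format).
type SignedPackage struct {
	Payload []byte
	Sig     []byte
	Signer  *x509.Certificate
}

// Decision is what the modelled policy engine concludes for a package.
type Decision struct {
	Trusted  bool
	Store    string // "privileged", "normal", or "" when untrusted
	RoleMask int
	Reason   string
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a code-signing leaf template, or a CA template when isCA is set.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
		t.ExtKeyUsage = nil // a root with no EKU is acceptable for any purpose
	}
	return t
}

// issue creates and parses a certificate; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Evaluate applies the device policy: the signature must verify, and the signer must
// chain to a root present in the Privileged or Normal store; the root's SPC entry
// supplies the role mask. Anything else is untrusted and gets no roles.
func Evaluate(pkg SignedPackage, stores DeviceStores) Decision {
	digest := sha256.Sum256(pkg.Payload)
	pub, ok := pkg.Signer.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], pkg.Sig) {
		return Decision{Reason: "signature does not verify over the payload"}
	}
	for _, s := range []struct {
		name string
		pool *x509.CertPool
	}{{"privileged", stores.Privileged}, {"normal", stores.Normal}} {
		chains, err := pkg.Signer.Verify(x509.VerifyOptions{
			Roots: s.pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
		if err != nil {
			continue // not rooted in this store; try the next one
		}
		root := chains[0][len(chains[0])-1]
		return Decision{Trusted: true, Store: s.name, RoleMask: spcRoleMask[root.Subject.CommonName]}
	}
	return Decision{Reason: "no chain to a root in the device certificate stores"}
}

// RunScenario builds the constructed hierarchy, signs packages, and evaluates them.
func RunScenario() map[string]Decision {
	stores := DeviceStores{Privileged: x509.NewCertPool(), Normal: x509.NewCertPool()}
	// mkPkg creates a root, installs it in pool (if any), issues a signer under it, signs payload.
	mkPkg := func(rootName string, pool *x509.CertPool, serial int64, payload []byte) SignedPackage {
		rootKey := newKey()
		rootTmpl := template(rootName, serial, true)
		root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
		if pool != nil {
			pool.AddCert(root)
		}
		leafKey := newKey()
		leaf := issue(template(rootName+" signer", serial+1, false), root, &leafKey.PublicKey, rootKey)
		d := sha256.Sum256(payload)
		sig, err := ecdsa.SignASN1(rand.Reader, leafKey, d[:])
		if err != nil {
			panic(err)
		}
		return SignedPackage{Payload: payload, Sig: sig, Signer: leaf}
	}
	priv := mkPkg(PrivilegedPCA, stores.Privileged, 1, []byte("constructed privileged update"))
	norm := mkPkg(NormalPCA, stores.Normal, 10, []byte("constructed normal update"))
	unknown := mkPkg("Some Other Root", nil, 20, []byte("constructed package from an unlisted root"))
	tampered := priv // same signer and signature, payload changed after signing
	tampered.Payload = []byte("constructed privileged update, modified")
	return map[string]Decision{
		"privileged": Evaluate(priv, stores), "normal": Evaluate(norm, stores),
		"unknown": Evaluate(unknown, stores), "tampered": Evaluate(tampered, stores),
	}
}

func main() {
	for name, d := range RunScenario() {
		fmt.Printf("%-10s trusted=%-5v store=%-12q rolemask=%-3d %s\n", name, d.Trusted, d.Store, d.RoleMask, d.Reason)
	}
}
```

The order of the two checks matters: a package is matched against the Privileged store first, so a root present in both stores would always grant privileged execution, which is why a real device keeps the two stores disjoint. The unknown-root and tampered cases both end with an empty role mask rather than falling back to the Normal store, which is the behaviour a practitioner should expect from any signed-update policy.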