CertificateEnroller Configuration Service Provider

4/8/2010

The CertificateEnroller Configuration Service Provider in Windows Mobile 6.5 enables you to generate certificates and associate them with a key pair to produce and install trusted certificates for your mobile devices. You can define each certificate type and publish it for other client devices and servers in your corporate network. The CertificateEnroller also provides management and certificate renewal features.

Using the CertificateEnroller Configuration Service Provider with the SECROLE_USER_AUTH role on a device, you can add, delete, or query certificates in the HKCU (user) CA and ROOT certificate stores. If the SECROLE_USER_AUTH role is also granted SECROLE_MANAGER, or if you hold SECROLE_MANAGER permissions on the device, you can also add certificates to the HKLM (system) certificate stores. For more information about the certificate stores on mobile devices, see Certificate Management in Windows Mobile Devices.

The CertificateEnroller Configuration Service Provider allows you to perform the following tasks:

  • Configure a certificate type
  • Configure a certificate type and trigger device enrollment
  • Securely enroll for a certificate using a pre-configured certificate type
  • Query for and renew existing certificate types

The CertificateEnroller downloads the full certificate chain, including the root and any intermediates, by requesting the .p7b (PKCS#7) file from the certificate server. The path to that file is specified in the ServerPickupPage parameter of the CertificateEnroller Configuration Service Provider.

The certificates can be used to establish certificate-based authentication. Your Windows Mobile 6.5 users can enroll for the certificate using Desktop Certificate Enrollment.

Note

This Configuration Service Provider can be managed over both the OMA Client Provisioning protocol and the OMA DM protocol.

Note

Access to this Configuration Service Provider is determined by Security roles. Because OEMs and Mobile Operators can selectively disallow access, ask them about the availability of this Configuration Service Provider. For more information about roles, see Security Roles and Default Roles for Configuration Service Providers.

Definition of a Certificate Type

A certificate type is given a friendly name and configured with the CertificateEnroller Configuration Service Provider by specifying the following parameters:

  • NoSSL
  • ServerName
  • ServerPickupPage
  • ServerRequestPage
  • Template
  • UIAccess

Note   The friendly name of each certificate type must be unique. If an existing friendly name is used, the certificate type file will be overwritten with the new parameters.

The following image shows the Configuration Service Provider in tree format used by OMA DM.

[Image: CertificateEnroller Configuration Service Provider tree as used by OMA DM]

The following image shows the Configuration Service Provider in tree format as used by OMA Client Provisioning.

[Image: CertificateEnroller Configuration Service Provider tree as used by OMA Client Provisioning]

Characteristics

  • Configuration
    The data in the Configuration characteristic defines and provisions a Certificate Type for enrollment.

    The following table shows the default settings.

    Permissions                                  Read Only
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • <CertificateTypefriendlyname>
    This is the unique friendly name used to identify each configured certificate type enrollment. If a friendly name specified in the Configuration characteristic already exists, the file will be overwritten with the new data. Each Certificate Type friendly name must be unique.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • Operation
    Use the Operation characteristic to enroll an existing Certificate Type or to renew an existing certificate with the Enroll or RenewOperation sub-characteristics. The Renew sub-characteristic allows querying for certificates in the store that need to be renewed.

    The following table shows the default settings.

    Permissions                                  Read Only
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • Enroll
    One or more enrollment operations can be specified under this characteristic, each identified by a unique ID characteristic. The required CertificateTypeFriendlyName parameter identifies the certificate to be enrolled.

    The following table shows the default settings.

    Permissions                                  Read Only
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • <Unique ID>
    The GUID used to identify the Enroll or RenewOperation for a specific configured certificate type.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • RenewOperation
    One or more renewal operations can be specified under the RenewOperation characteristic. The most important parameter under the unique ID characteristic for the RenewOperation action is the RenewCertificateHash parameter, which specifies the hex-encoded SHA-1 hash of the certificate to be renewed.

    The following table shows the default settings.

    Permissions                                  Read Only
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • Renew
    Queries the device to get a list of all certificates that require renewal by performing a recursive query at the Renew characteristic level.

    The following table shows the default settings.

    Permissions                                  Read Only
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • CertificateHash
    Used in the Renew characteristic to specify the hex-encoded binary blob specifying the SHA-1 hash of the certificate in question.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

Parameters

  • ServerName
    The name of the CA server, without the scheme (http://, https://).

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • Template
    The template name of the certificate to enroll for (for example, User or ClientAuth).

    The default is User.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • ServerPickupPage
    The virtual application root path of the page on the server where the certificate is to be picked up, usually part of the certificate service's Web interface. This path should point to a page that returns a PKCS#7 blob.

    The default is \certsrv\certnew.cer.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • ServerRequestPage
    The virtual application root path of the page on the server to which the Web enrollment request is sent, usually part of the certificate service's Web interface.

    The default is \certsrv\certfnsh.asp.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • UIAccess
    Specifies whether or not the user can modify parameters of the Certificate Type from any UI. The default value is 0.

    0 = user cannot modify the Certificate Type

    1 = user can modify the Certificate Type

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • NoSSL
    Specifies whether or not SSL is required for the connection to the CA server. By default, SSL is used and https:// is prepended to the server name.

    0 = Use SSL

    1 = Do not use SSL

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • CertificateTypeFriendlyName
    Specifies the friendly name of the Certificate Type to be used in this operation.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • DesktopProxyServer
    If specified, the engine connects to the desktop proxy, which handles all the required authentication and UI. On the device, the user will see only the initial security prompt.

    If not specified, the user will be prompted to supply credentials on the device and will see "In Progress" and "Results" notifications (unless a silent renewal is being performed).

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • Username
    The username part of the user's domain credentials used to authenticate the user to the certificate service's Web interface. If both Username and Password are specified in the XML, the engine performs the enrollment silently without prompting the user for any information. The User@Domain format is accepted for Username, so the Domain need not be specified separately.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • Password
    The password part of the user's domain credentials used to authenticate the user to the certificate service's Web interface. See the Username parameter for more information.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • Domain
    The name of the user's domain. See the Username parameter for more information.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • NotificationParam
    The name of the named event to be set if a client wants to be notified of status changes.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • Status
    Returns a textual string indicating the status pertaining to this request type. A set operation with a client-specified status will result in an error.

    The following table shows the default settings.

    Permissions                                  Read Only
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • OperationHresult
    The final HRESULT of the operation.

    The following table shows the default settings.

    Permissions                                  Read Only
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • EnrolledCertificateHash
    This is the hex-encoded binary blob specifying the SHA-1 hash of the certificate that was obtained using this operation.

    The following table shows the default settings.

    Permissions                                  Read Only
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser

  • RenewCertificateHash
    This is the hex-encoded binary blob specifying the SHA-1 hash of the certificate that needs to be renewed.

    The following table shows the default settings.

    Permissions                                  Read/Write
    Data type                                    String
    Roles allowed to query and update setting    Manager, AuthenticatedUser
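The following OMA Client Provisioning document is an added example, not taken from this page or from Microsoft's own example set; it defines one certificate type under the Configuration characteristic and then triggers an Enroll operation for it, following the characteristic and parameter names described above. The friendly name CorpClientAuth, the host ca.example.com, the user jdoe in domain CORP, and the GUID are constructed values, and the braced GUID format is an assumption.

```xml
<wap-provisioningdoc>
  <!-- Added example; friendly name, server name, user, domain and GUID are constructed. -->
  <characteristic type="CertificateEnroller">

    <!-- Step 1: define the certificate type. Re-using an existing friendly name
         would silently overwrite that type's settings. -->
    <characteristic type="Configuration">
      <characteristic type="CorpClientAuth">
        <!-- Host name only: the engine prepends https:// itself while NoSSL is 0. -->
        <parm name="ServerName" value="ca.example.com"/>
        <!-- NoSSL=0 (the default) keeps the request page and the PKCS#7 pickup on SSL.
             NoSSL=1 would send the domain credentials and receive the chain in the clear. -->
        <parm name="NoSSL" value="0"/>
        <parm name="Template" value="ClientAuth"/>
        <!-- Page defaults from this document; shown explicitly for clarity. -->
        <parm name="ServerRequestPage" value="\certsrv\certfnsh.asp"/>
        <parm name="ServerPickupPage" value="\certsrv\certnew.cer"/>
        <!-- UIAccess=0 (the default): the user cannot edit this type on the device. -->
        <parm name="UIAccess" value="0"/>
      </characteristic>
    </characteristic>

    <!-- Step 2: enroll for that type. One <Unique ID> characteristic per operation;
         the GUID below is a constructed placeholder. -->
    <characteristic type="Operation">
      <characteristic type="Enroll">
        <characteristic type="{7c3e1b2a-0000-4000-8000-000000000001}">
          <parm name="CertificateTypeFriendlyName" value="CorpClientAuth"/>
          <!-- Username and Domain are given but Password is deliberately omitted:
               the device then prompts the user for the password, so no reusable
               credential is carried in the provisioning XML. Supplying Password
               as well would make the enrollment fully silent. -->
          <parm name="Username" value="jdoe"/>
          <parm name="Domain" value="CORP"/>
        </characteristic>
      </characteristic>
    </characteristic>

  </characteristic>
</wap-provisioningdoc>
```

After the operation completes, the read-only Status, OperationHresult and EnrolledCertificateHash parameters under the same GUID characteristic can be queried to confirm the result and record the SHA-1 hash of the issued certificate.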

See Also

Concepts

CertificateEnroller DDF File

Other Resources

CertificateEnroller Configuration Service Provider Examples for OMA Client Provisioning