Certificate Management in Windows Mobile Devices
4/8/2010
OEMs, mobile operators, and application developers use certificates to sign applications and files that run on Windows Mobile. Certificates are contained in certificate stores in the registry of the device.
On Windows Mobile Version 5.0 devices, the certificate stores ROOT and CA are locked to everyone except those with the Manager role, to ensure the integrity of the digital certificates.
In Windows Mobile 6, the certificate stores ROOT and CA were expanded to include separate user stores that allow device users with the AuthenticatedUser role to install or enroll digital certificates. The system ROOT and CA stores remain locked to those without the Manager or Enterprise role.
In Windows Mobile 6.1, the MY certificate store has been expanded to include a separate system store that allows those with the Manager role to install or enroll certificates.
The following table shows the certificate stores and their uses and permissions.
| Logical Store | Physical Store | Description |
|---|---|---|
| Privileged Execution Trust Authorities | HKEY_LOCAL_MACHINE | Contains trusted certificates. Applications signed with a certificate from this store run with the privileged trust level (Trusted). |
| Unprivileged Execution Trust Authorities | HKEY_LOCAL_MACHINE | Contains normal certificates. On a 1-tier device, an application signed with a certificate in this store runs with the privileged trust level (Privileged). On a 2-tier device, applications signed with a certificate from this store run with the normal level (Normal). |
| SPC | HKEY_LOCAL_MACHINE | Contains Software Publishing Certificates (SPC) used for signing .cab or .cpf files and assigning the correct role mask to the file installation. |
| ROOT (system) | HKEY_LOCAL_MACHINE | Contains root, or self-signed, certificates. These certificates are used for SSL server authentication. They cannot be changed without Manager role permissions. |
| ROOT (user) | HKEY_CURRENT_USER | Contains root, or self-signed, certificates that can be installed by the authenticated device user. Note: this store is new for Windows Mobile 6. |
| CA (system) | HKEY_LOCAL_MACHINE | Contains certificates from intermediary certification authorities. They are used for building certificate chains. |
| CA (user) | HKEY_CURRENT_USER | Contains certificates, including those from intermediary certification authorities, that can be installed by a device user with AuthenticatedUser role permissions. They are used for building certificate chains. Note: this store is new for Windows Mobile 6. |
| MY (system) | HKEY_LOCAL_MACHINE | Contains end-user personal certificates used for certificate authentication or S/MIME. These cannot be changed without Manager role permissions. |
| MY (user) | HKEY_CURRENT_USER | Contains end-user personal certificates used for certificate authentication or S/MIME. |
The certificate stores are located in two areas of the registry:
- HKEY_CURRENT_USER\Comm\Security\SystemCertificates
- HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates
It is important to understand that HKEY_LOCAL_MACHINE\Comm is a protected registry key. This means that only privileged or trusted applications can read from and write to these locations. Normal applications can read from these locations but cannot write to them.
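The two registry roots and the role rules above can be turned into a quick audit of a device's certificate stores. The example below is added here and is not part of the original article; it classifies each certificate key in a registry export by hive, logical store and the role needed to write it, and singles out roots and intermediates that sit in the user hive (installable by an AuthenticatedUser, so worth reviewing first). It assumes a .reg-style export and a `\Certificates\<thumbprint>` subkey layout under each store name, which is borrowed from desktop Windows and not stated on this page.

```python
import re
from typing import NamedTuple

# Matches one key line of a .reg-style export for a certificate entry.
# Only the two "\Comm\Security\SystemCertificates" roots come from the page;
# the "\Certificates\<thumbprint>" subkey layout is an assumption.
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Comm\\Security\\SystemCertificates"
    r"\\([^\\\]]+)\\Certificates\\([0-9A-Fa-f]+)\]$"
)

# Role needed to write each (hive, logical store), from the table above. Any
# other HKLM store lies under the protected HKLM\Comm key, so only privileged
# or trusted code can modify it.
WRITE_ROLE = {
    ("HKEY_LOCAL_MACHINE", "ROOT"): "Manager",
    ("HKEY_LOCAL_MACHINE", "CA"): "Manager",
    ("HKEY_LOCAL_MACHINE", "MY"): "Manager",
    ("HKEY_CURRENT_USER", "ROOT"): "AuthenticatedUser",
    ("HKEY_CURRENT_USER", "CA"): "AuthenticatedUser",
    ("HKEY_CURRENT_USER", "MY"): "AuthenticatedUser",
}
TRUST_ANCHOR_STORES = {"ROOT", "CA"}


class Finding(NamedTuple):
    hive: str
    store: str
    thumbprint: str
    write_role: str
    flagged: bool  # trust anchor an AuthenticatedUser could have installed


def audit_export(text: str) -> list[Finding]:
    """Classify every certificate key in a registry export by store and role."""
    findings = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue  # not a certificate key under either SystemCertificates root
        hive, store, thumb = m.groups()
        role = WRITE_ROLE.get((hive, store), "privileged/trusted code only")
        flagged = hive == "HKEY_CURRENT_USER" and store in TRUST_ANCHOR_STORES
        findings.append(Finding(hive, store, thumb.upper(), role, flagged))
    return findings


def user_installed_trust_anchors(text: str) -> list[Finding]:
    """Roots and intermediates in the user hive: review these first."""
    return [f for f in audit_export(text) if f.flagged]


# Constructed sample export; the thumbprints are made-up hex, not real certificates.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\ROOT\Certificates\A1B2C3D4E5F60718293A4B5C6D7E8F9011223344]
[HKEY_CURRENT_USER\Comm\Security\SystemCertificates\ROOT\Certificates\0123456789abcdef0123456789abcdef01234567]
[HKEY_CURRENT_USER\Comm\Security\SystemCertificates\MY\Certificates\FFEEDDCCBBAA99887766554433221100FFEEDDCC]
[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\SPC\Certificates\1111111111111111111111111111111111111111]
"""
```

Running `audit_export(SAMPLE_EXPORT)` on the constructed export reports the HKCU ROOT entry as the one finding to review; the system stores come back with their Manager or protected-key requirement.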
See Also
Concepts
- Certificate Management and Application Signing for Mobile Operators
- Certificate Management and Application Signing for Application Developers
- Windows Mobile PKI Hierarchy
- Mobile2Market Program
- Removing Test and Development Certificates