Deploying Certificates to Mobile Device Clients
Microsoft System Center Configuration Manager 2007 can be used to deploy certificates to mobile devices. Common scenarios for certificate deployment to mobile devices include the following:
Deploying root certificates and any required intermediate certification authority certificates for native mode or server authentication mode mobile device client installation
Deploying client certificates when migrating from mixed mode to native mode
Deploying certificates for third-party applications
Deploying the Configuration Manager 2007 site server signing certificate
Before deploying certificates, you must acquire exported certificates for your root certification authority and any intermediate certification authorities in the form of X.509 .cer files.
Configuration Manager 2007 can deploy certificates using the following methods:
Certificate Installation configuration item
Mobile device client installation or upgrade
For more information about certificate installation on mobile devices, see Deploying the PKI Certificates Required for Native Mode.
Deploying Certificates Using the Certificate Installation Configuration Item
Certificates can be deployed to Configuration Manager 2007 managed mobile device clients using the Certificate Installation configuration item. For more information about using the Configuration Items Wizard, see How to Create Configuration Items for Mobile Devices.
Certificate Stores on Mobile Devices
Windows Mobile devices include the following stores for certificates:
Root—The root certificates for the mobile device. The root store is used to validate that a presented certificate chains to a trusted root authority; a certificate in this store confers no application privilege (that is the role of the SPC store below). A copy of the site server signing certificate is stored here.
Software Publishing Certificate (SPC)—SPC certificates define the level of privilege for third-party software programs. There are two types of SPC certificates:
Privileged—Privileged certificates have manager rights on the mobile device and unrestricted access to the registry.
Unprivileged—Unprivileged certificates have restricted rights on the mobile device and cannot access certain portions of the registry.
Intermediate—Intermediate certificates authenticate an uninterrupted chain of authority to the root authority.
Deploying Certificates During Mobile Device Client Installation or Upgrade
The Configuration Manager 2007 mobile device client installation or upgrade process uses an enroller program to deploy certificates to mobile devices. For more information about certificates required by mobile devices in native mode, see About Native Mode Certificates for Mobile Device Clients.
Deploying certificates during mobile device client installation or upgrade requires the following:
The .cer file or files in the mobile device management client deployment folder. If certificates are required and are not already present on the mobile device, they can be deployed as part of the mobile device client installation by including them in this folder. These certificate files must be in Distinguished Encoding Rules (DER)-encoded binary X.509 format; Base64-encoded X.509 format is not supported for mobile devices. For more information, see How to Edit the DMCommonInstaller.ini File for Mobile Device Management or How to Edit the ClientSettings.ini File for Mobile Device Management.
A properly configured DMCommonInstaller.ini file or ClientSettings.ini file, with ImportCerts=True set so that setup imports the files. For more information, see How to Edit the DMCommonInstaller.ini File for Mobile Device Management or How to Edit the ClientSettings.ini File for Mobile Device Management.
For more information about mobile device client installation or upgrade, see How to Install or Upgrade the Mobile Device Management Client.
Certificate Values in DMCommonInstaller.ini and ClientSettings.ini
The DMCommonInstaller.ini and ClientSettings.ini files define values for certificate deployment and must be edited for your specific environment. The following are categories of values for deploying certificates to devices:
Certificate enroller
Importing certificates
Renewing the site server signing certificate
Certificate enroller values
The following values in the DMCommonInstaller.ini file or the ClientSettings.ini file are used to define certificate enrollment during client installation or upgrade. Define these values for the site environment if certificates are to be enrolled:
CertEnrollAction=Enroll
CertEnrollServer=certserver.contoso.com
CertEnrollServerPort=80
Note
HTTPS is not supported by the Configuration Manager 2007 mobile device certificate enroller. The enrollment exchange, including the user's authentication to the certificate server, therefore travels over plain HTTP, so restrict network access to the enrollment server to the networks from which mobile devices are expected to enroll.
CertRequestPage=/certsrv/certfnsh.asp
CertDownloadPage=/certsrv/certnew.cer
CertChainDownloadPage=/certsrv/certnew.p7b
If the CertEnrollAction value is Enroll, the enroller application (Enroll_ARM.exe, Enroll_WinCE5.0_x86.exe, or Enroll_WinCE5.0_ARM.exe) will check for a valid client authentication certificate on the mobile device in the personal store. If no client authentication certificate is found, the mobile device user will be prompted to authenticate and a client authentication certificate is enrolled in the personal store of the mobile device. Additional values in the DMCommonInstaller.ini file or ClientSettings.ini file define the parameters for the enrollment process. For more information, see How to Edit the DMCommonInstaller.ini File for Mobile Device Management or How to Edit the ClientSettings.ini File for Mobile Device Management.
Importing certificates values: ImportCerts
If the ImportCerts value in the DMCommonInstaller.ini file or ClientSettings.ini file is set to True, the setup program will import certificate files (.cer) located in the client transfer directory into the root store on the mobile device. This option is not required to set up native mode if the necessary certificates are already on the mobile device. Certificates to be imported must be in Distinguished Encoding Rules (DER)-encoded binary X.509 format. Base64-encoded X.509 certificates are not supported.
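The two requirements above (DER-encoded .cer files in the deployment folder, and ImportCerts=True in the .ini file) are easy to get wrong because a Base64 certificate also carries a .cer extension and setup gives no obvious error. The following PowerShell script is an added example, not part of the Configuration Manager 2007 documentation or its installer: it checks every .cer in the deployment folder for DER encoding, converts any Base64 file in place (keeping a .bak copy), reports whether each certificate is a root or an intermediate, and then checks the ImportCerts and certificate enroller values in DMCommonInstaller.ini. The folder and file paths, and the function names, are assumptions for illustration.

```powershell
# Added example (not part of the Configuration Manager 2007 documentation).
# Checks the .cer files staged in the mobile device client deployment folder
# and the certificate values in DMCommonInstaller.ini before running setup.
# The folder and file paths are assumptions; adjust them for your site.
param(
    [string]$DeployFolder = 'C:\SCCM\MobileClient',                        # assumed
    [string]$IniFile      = 'C:\SCCM\MobileClient\DMCommonInstaller.ini'   # assumed
)

function Test-DerCertificate {
    param([string]$Path)
    # A DER-encoded X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30.
    # A Base64 (PEM) file starts with "-----BEGIN CERTIFICATE-----" (0x2D).
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ($bytes.Length -gt 2 -and $bytes[0] -eq 0x30)
}

function ConvertTo-DerCertificate {
    param([string]$Path)
    # X509Certificate2 loads either encoding; Export(Cert) always yields DER.
    # The Base64 original is kept as a .bak copy so setup does not pick it up.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    Copy-Item -Path $Path -Destination "$Path.base64.bak" -Force
    [System.IO.File]::WriteAllBytes($Path, $der)
}

function Get-IniValues {
    param([string]$Path)
    # Minimal Key=Value parser; PowerShell hashtable keys are case-insensitive.
    $values = @{}
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('[')) { continue }
        $i = $t.IndexOf('=')
        if ($i -gt 0) { $values[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim() }
    }
    return $values
}

$problems = @()

# 1. Every .cer in the deployment folder must be DER; convert any Base64 file.
foreach ($file in Get-ChildItem -Path $DeployFolder -Filter *.cer) {
    if (-not (Test-DerCertificate -Path $file.FullName)) {
        Write-Warning "$($file.Name) is Base64-encoded; converting to DER"
        ConvertTo-DerCertificate -Path $file.FullName
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
    # Self-issued certificates belong in the root store; the rest are intermediates.
    $role = if ($cert.Subject -eq $cert.Issuer) { 'root' } else { 'intermediate' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "$($file.Name) expired on $($cert.NotAfter)" }
    '{0,-32} {1,-12} {2}' -f $file.Name, $role, $cert.Subject
}

# 2. Setup only imports the files above when ImportCerts=True.
$ini = Get-IniValues -Path $IniFile
if ($ini['ImportCerts'] -ne 'True') {
    $problems += "ImportCerts is '$($ini['ImportCerts'])'; set ImportCerts=True or the .cer files are ignored"
}

# 3. With CertEnrollAction=Enroll the enroller values must be present, and the
#    enroller speaks plain HTTP only, so an HTTPS port will not work.
if ($ini['CertEnrollAction'] -eq 'Enroll') {
    foreach ($k in 'CertEnrollServer','CertEnrollServerPort','CertRequestPage','CertDownloadPage','CertChainDownloadPage') {
        if (-not $ini.ContainsKey($k)) { $problems += "$k is missing although CertEnrollAction=Enroll" }
    }
    if ($ini['CertEnrollServerPort'] -eq '443') {
        $problems += 'CertEnrollServerPort=443 implies HTTPS, which the enroller does not support'
    }
}

if ($problems.Count -eq 0) { 'Deployment folder and ini values look consistent.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run the script from the computer that holds the deployment folder before building the client package. The DER test relies on the leading ASN.1 SEQUENCE byte rather than the file extension, because both encodings are commonly saved as .cer; the root/intermediate split simply compares Subject and Issuer, which is enough to tell which files land in the device's root store and which must be present for the chain to the site server signing certificate to validate.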
Renewing site server signing certificates
The EnableSSSCRenewal value in the DMCommonInstaller.ini file or ClientSettings.ini file specifies whether a site server signing certificate should be downloaded and installed when a new certificate becomes available on the site server. If EnableSSSCRenewal is set to False, the administrator will need to deploy an updated site server signing certificate manually.
See Also
Concepts
About Native Mode Certificates for Mobile Device Clients
Deploying the Intermediate Certification Authority Certificates to Configuration Manager Computers
How to Edit the ClientSettings.ini File for Mobile Device Management
How to Edit the DMCommonInstaller.ini File for Mobile Device Management
How to Install or Upgrade the Mobile Device Management Client