Monday, March 27, 2006

How to install root certificates on a Windows Mobile-based device - Updated KB 915840 article

It seems like every time I'm playing with Windows Mobile devices and need to enable ActiveSync, I never can find the procedure for how to import "home grown" root server certificates onto a Windows Mobile device. I usually need this because almost always I'm messing with Mobile devices on test or lab servers and I'm too cheap to pay for a real certificate. :-) By the way, IMHO, using home-grown, untrusted certificates for OWA or ActiveSync is a bad practice. You don't want your users in the habit of ignoring "untrusted certificate" warnings. Just my opinion, though. But, hey is cheap, so you have no excuse for production stuff!

This may manifest itself on your mobile device with errors such as: INTERNET_45 or INTERNET_55. Microsoft just updated KB article 915840: "How to install root certificates on a Windows Mobile-based device" and I felt a link to this was blog-worthy. If nothing else, so it will make it easier for me to find.

Windows Mobile-based devices have the following trusted certificate authorities in their root certificate store already.
  • Class 2 Public Primary Certification Authority (VeriSign, Inc.)
  • Class 3 Public Primary Certification Authority (VeriSign, Inc.)
  • Certification Authority (2048)
  • Secure Server Certification Authority
  • Equifax Secure Certification Authority
  • GlobalSign Root CA
  • GTE CyberTrust Global Root
  • GTE CyberTrust Root
  • Secure Server Certification Authority (RSA)
  • Thawte Premium Server CA
  • Thawte Server CA

If you are going to implement ActiveSync to an Exchange Server 2003 mailbox, then you should use SSL and you must have trusted certificates on the Mobile device. If the certificate is not trusted, the device will not connect to the Exchange Server using ActiveSync.

See the KB article for instructions on where to download the SmartPhoneAddcert.exe utility and how to use it to install your certificate server's root certificate onto your Windows Mobile device.

For Windows Mobile 2002 and Windows Mobile 2003, you can alternately use the DisableCertChk.EXE utility to simply stop the checking of the trusted certificate.

By the way, the Windows Mobile Team blogged this last fall in their blog entry: How can I add root certs to my Windows Mobile 5.0 device?

