Adding Root Certificates to Windows Mobile 2003 Pocket PC
How can I add a Root Certificate to my Windows Mobile 2003 Pocket PC?
Windows Mobile 2002 and 2003 based Pocket PCs use Root Certificates to allow access to SSL-enabled applications such as Microsoft Pocket Internet Explorer, Microsoft ActiveSync (when it is configured to synchronize directly with Microsoft Exchange 2003 Server), L2TP-based VPN connections and 3rd-party programs.
When working with the server-side of these applications you can use commercial certificate authorities (such as Verisign, Thawte and others) to obtain Digital Certificated for the SSL connections (see Configure SSL on Your Website with IIS for an example).
Windows Mobile 2003 is already configured with Root Certificates that represent the following certificate authorities:
However, in order to save money on Digital Certificates many enterprises might want to use their own, internally configured certificate authorities (one example of such a CA would be the built-in CA in Windows Server 2003 – See Install Windows Server 2003 CA for more info). Although such CAs can issue various certificates for many uses (for example EFS encryption, IPSec, E-Mail encryption and so on), the biggest problem with using internally-issued and non-commercial certificates is the fact that computers outside your organization will not trust these certificates. This is due to the fact that these “outside” computers and devices do not automatically trust the root certificate of the your internal certificate authority, thus any certificate issued by it will be treated as signed by a non-trusted CA.
In Windows-based computers this can be easily fixed by adding the Root Certificate for the internal CA to the Trusted Root Certificates store on the computers. This can be achieved either by manually importing the Root Certificate to each computer, or by using GPOs and Active Directory.
In Windows Mobile-based Pocket PCs you also need to add the Root Certificate to the Trusted Root Certificates store inside the PPC. However, these devices can be configured to temporarily stop checking the validity of the Root Certificate by using the following tool:
Download Disable Cert Check (376kb)
In order to add the Root Certificate to your Windows Mobile 2003 Pocket PC follow these steps:
Export the Root Certificate
Export the Root Certificate in DER encoded binary X.509 format with a .CER file name extension.
If using a Windows 2000 or Windows Server 2003 CA you can easily export the Root Certificate from the CA website at http://servername/certsrv:
You should now have a .CER file.
Install Smart Phone Add Cert tool
First, you’ll need to obtain the SPAddCert.exe tool and install it to your Windows Mobile Pocket PC.
- Download the SPAddCert.exe tool that will allow you to add the Root Certificate to your PPC device:
Download SPAddCert.exe (182kb)
- Connect your PPC to the computer. On your computer, start ActiveSync, and then click Explore.
- Next, extract the contents of the downloaded file to a temporary folder.
- From that folder, copy the SPAddCert.exe file, and paste to the following path on your PPC:
Note: I’m not sure if this is a must, I’ve tested with other paths and it still worked. Test it on yourself if you want.
Install the Root Certificate on the PPC
Next, you’ll need to transfer the Root Certificate to your Windows Mobile Pocket PC.
- Copy the exported Root Certificate file to one of the following location:
The \Storage root of the Pocket PC device
The root of the memory card installed on the Pocket PC device
- On the PPC, click Start, click Accessories, and then click SPAddCert.
- Select the certificate from the Available Certificates list, and then click OK. The certificate details will appear.
- Click OK when you are prompted to add the certificate \IPSM\smartphone.cer.
- Restart your PPC.
You can now use any application that uses Root Certificates to allow access to SSL-enabled applications such as Microsoft Pocket Internet Explorer, Microsoft ActiveSync and others.
You may find these related articles of interest to you:
- Configuring Forms-Based Authentication in OWA and Exchange 2003
- Configure ISA to Publish OWA
- Configure OMA in Exchange 2003
- Configure SSL on OMA
- Configure SSL on OWA
- Configure SSL on Your Website with IIS
- Disable Spell Checking in OWA 2003
- Download ActiveSync 4.2
- Enable Password Changing through OWA in Exchange 2003
- Install Windows Server 2003 CA
- Problems with Forms-Based Authentication and SSL in ActiveSync
- Reset OWA 2000/2003 Language
- Test OMA in Exchange 2003
Download ActiveSync 4.1 (7119kb)