How can I temporarily disable Root Certificate checking on my Windows Mobile 2002/2003 Pocket PC?
When performing a synchronization between your Windows Mobile 2002 and 2003 based Pocket PC and your Exchange server (as described in How to Synchronize a Pocket PC with Exchange 2003?) you can obtain additional security by using SSL instead of plain-text HTTP.
For an SSL connection to properly work, the client (in this case – your PPC) needs to download the server’s (in this case – your Exchange server) public key in form of a Digital Certificate.
In order to obtain this Digital Certificate you can either use commercial certificate authorities (such as Verisign, Thawte and others), or your own, internally configured certificate authorities – or CA (one example of such a CA would be the built-in CA in Windows Server 2003 – See Install Windows Server 2003 CA for more info). The biggest problem with using internally-issued and non-commercial certificates is the fact that computers outside your organization will not trust these certificates. This is due to the fact that these "outside" computers and devices do not automatically trust the root certificate of the your internal certificate authority, thus any certificate issued by it will be treated as signed by a non-trusted CA.
In Windows-based computers this can be easily fixed by adding the Root Certificate for the internal CA to the Trusted Root Certificates store on the computers. This can be achieved either by manually importing the Root Certificate to each computer, or by using GPOs and Active Directory.
In Windows Mobile-based Pocket PCs you also need to add the Root Certificate to the Trusted Root Certificates store inside the PPC. Follow the Adding Root Certificates to Windows Mobile 2003 Pocket PC article for more info on this issue.
However, these devices can be configured to temporarily stop checking the validity of the Root Certificate by using the following tool:
Download Disable Cert Check (376kb)
The Disable Certification Verification tool enables users with Windows mobile devices to connect to Exchange servers without verifying the root certificate authority against the certificate trust list on the device.
The device still uses Secure Sockets Layer (SSL) to connect to Exchange, however, the Exchange certificate check allows only certificates from untrusted certificate authorities to be used without generating errors.
Needless to say this should not be regarded as best practice, however it could be used as a temporary method to bypass the Root Certificate check until you manage to obtain a trusted certificate from a trusted Root Certificate (for example, one of the CAs listed in the Adding Root Certificates to Windows Mobile 2003 Pocket PC article).
In order to add the Root Certificate to your Windows Mobile 2003 Pocket PC follow these steps:
Windows Mobile for PocketPC 2002 and 2003
Smartphone 2002 and 2003
Download the DisableCertChk.exe file to your desktop, and double-click the file to run the extraction process. Select a folder or location to which you want to extract the file, and name it CertChk.exe.
Note: You can also use WinZip or similar to extract the tool.
Ensure that your device is connected to your desktop and that Microsoft ActiveSync is installed. A partnership is not necessary. You can connect as Guest.
The tool uses a command-line interface. To disable certificate checking, type:
To enable certificate checking, type:
To verify if certificate checking is currently enabled or disabled, type:
To get syntax help for the command, type:
Be sure to re-enable certificate checking on the device after you have completed testing and have installed a signed certificate.
You can now use any application that uses Root Certificates to allow access to SSL-enabled applications such as Microsoft Pocket Internet Explorer, Microsoft ActiveSync and others.
You may find these related articles of interest to you:
Download ActiveSync 4.2 (6.9mb)