Pavel Bánský
I'm receiving lots of questions (internally and externally) about certificates and about signing applications or cab files for Windows Mobile. This small how-to describes how to install a certificate on a device and then use it to sign files and applications for future deployments.
All tools used in this blog post are available in the Windows Mobile SDK or other Microsoft resource kits. Please note that the makecert.exe tool is used only for demonstration and educational purposes: it creates certificates, but it is not suitable for production scenarios. Use a certificate issued by the certification authority in your organization instead.
If you don't understand what I'm talking about or you are not familiar with the Windows Mobile security model, you should read at least this TechNet article. Better still, read Security Model for Windows Mobile 5.0 and Windows Mobile 6 for a full understanding.
Step 1. Creating the certificate
Use makecert.exe to create the certificate file and its private key.
- Run makecert.exe to create the private key and certificate
- Click None button in the following dialog
- In Windows Explorer, double-click the testing_certificate.cer
- Choose the Details tab.
- Click Copy to File… button
- Click Next button
- Choose Base-64 encoded X.509 (.CER) and click Next button
- Use testing_certificate_base64.cer as the filename and click Next button
Step 2. Certificate provisioning XML
Write a provisioning file that uses the CertificateStore configuration service provider to add the certificate from the previous step to the Privileged Execution Trust Authorities store. Follow these steps carefully.
- Create the following XML document (with notepad.exe) and save it as _setup.xml
- In Windows Explorer, double-click the testing_certificate.cer
- Choose the Details tab.
- Choose Thumbprint in the list box, select the text, and then press CTRL+C.
- Replace CERTHASH in _setup.xml with the copied text. Delete the spaces between digits!
- Open the testing_certificate_base64.cer using a notepad.exe
- Select the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. This text is the encoded content of the certificate. Copy the selected text by pressing Ctrl-C.
- In the XML document, replace BASE64ENCODEDCERT with the copied text by pressing Ctrl-V
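The two error-prone parts of Step 2 are the thumbprint (spaces, and sometimes an invisible direction mark, come along when copying from the Details tab) and the Base64 body (line breaks must go). The script below, an added example and not part of the original post, automates both and emits _setup.xml; the CertificateStore node names follow the CSP documentation as I know it and should be checked against your SDK, and the certificate bytes are constructed sample data, not a real certificate.

```python
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

# Constructed stand-in for testing_certificate_base64.cer. These bytes are NOT a
# real X.509 certificate; they only let the script run offline.
SAMPLE_DER = b"constructed sample bytes - not a real DER certificate" * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

def pem_body(pem: str) -> str:
    """Base64 between the BEGIN/END markers with every line break removed:
    the text that replaces BASE64ENCODEDCERT in _setup.xml."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return "".join(m.group(1).split())

def thumbprint(pem: str) -> str:
    """SHA-1 over the DER bytes, i.e. the value the Windows certificate
    dialog shows as Thumbprint, upper-case and without spaces."""
    return hashlib.sha1(base64.b64decode(pem_body(pem))).hexdigest().upper()

def normalize_thumbprint(copied: str) -> str:
    """Clean a thumbprint pasted from the Details tab: drop spaces and any
    non-hex character (such as an invisible U+200E mark) and upper-case it."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", copied).upper()
    if len(digits) != 40:
        raise ValueError("SHA-1 thumbprint must be 40 hex digits, got %d" % len(digits))
    return digits

def build_setup_xml(pem: str, store: str = "Privileged Execution Trust Authorities") -> str:
    """Emit the CertificateStore CSP provisioning document (node names assumed
    from the CSP documentation; verify against your SDK)."""
    root = ET.Element("wap-provisioningdoc")
    cs = ET.SubElement(root, "characteristic", type="CertificateStore")
    st = ET.SubElement(cs, "characteristic", type=store)
    cert = ET.SubElement(st, "characteristic", type=thumbprint(pem))
    ET.SubElement(cert, "parm", name="EncodedCertificate", value=pem_body(pem))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build_setup_xml(SAMPLE_PEM))  # paste the output into _setup.xml
```

Point the script at your real testing_certificate_base64.cer and compare its thumbprint output with the Details tab before building the cab.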
Step 3. Deploying certificate into device
Build a cab file from the provisioning file created in the previous step and execute it on the device.
- Run makecab.exe
- Copy cert_deploy.cab into device via ActiveSync or SD card.
- Execute the cert_deploy.cab
Step 4. Signing the application or cab file
Use signcode.exe to sign your application or installation cab. Let's assume the file to be signed is called myApplication.exe
After executing this application on your device, no security warning is displayed and the application runs in privileged mode.
Install digital certificates on Windows 10 Mobile
Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services.
Certificates in Windows 10 Mobile are primarily used for the following purposes:
- To create a secure channel using Secure Sockets Layer (SSL) between a phone and a web server or service.
- To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email.
- For installation and licensing of applications (from the Windows Phone Store or a custom company distribution site).
In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the provisioned Wi-Fi profile does not have strict filtering criteria, you may see connection failures when connecting to Wi-Fi. Learn more about this known issue in Version 1607.
Install certificates using Microsoft Edge
A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the Windows 10 Mobile device.
Install certificates using email
The Windows 10 Mobile certificate installer supports .cer, .p7b, .pem, and .pfx files. Some email programs block .cer files for security reasons. If this is the case in your organization, use an alternative method to deploy the certificate. Certificates that are sent via email appear as message attachments. When a certificate is received, a user can tap to review the contents and then tap to install the certificate. Typically, when an identity certificate is installed, the user is prompted for the password (or passphrase) that protects it.
Install certificates using mobile device management (MDM)
Windows 10 Mobile supports root, CA, and client certificates configured via MDM. Using MDM, an administrator can directly add, delete, or query root and CA certificates, and configure the device to enroll a client certificate with a certificate enrollment server that supports the Simple Certificate Enrollment Protocol (SCEP). SCEP-enrolled client certificates are used by Wi-Fi, VPN, email, and the browser for certificate-based client authentication. An MDM server can also query and delete SCEP-enrolled client certificates (including user-installed certificates), or trigger a new enrollment request before the current certificate expires.
Do not use SCEP for S/MIME encryption certificates. You must use a PFX certificate profile to support S/MIME on Windows 10 Mobile. For instructions on creating a PFX certificate profile in Microsoft Intune, see Enable access to company resources using certificate profiles with Microsoft Intune.
Process of installing certificates using MDM
- The MDM server generates the initial certificate enrollment request, including the challenge password, the SCEP server URL, and other enrollment-related parameters.
- The policy is converted to an OMA DM request and sent to the device.
- The trusted CA certificate is installed directly during the MDM request.
- The device accepts the certificate enrollment request.
- The device generates a private/public key pair.
- The device connects to the Internet-facing endpoint exposed by the MDM server.
- The MDM server creates a certificate signed with the proper CA certificate and returns it to the device.
- The device supports a pending function that allows the server side to do additional verification before issuing the certificate. In this case, a pending status is sent back to the device, which then periodically contacts the server based on the preconfigured retry count and retry period parameters. Retrying ends when one of the following happens:
  - A certificate is successfully received from the server
  - The server returns an error
  - The number of retries reaches the preconfigured limit
- The certificate is installed on the device. The browser, Wi-Fi, VPN, email, and other first-party applications have access to this certificate.
If the MDM requested that the private key be stored in the Trusted Platform Module (TPM) (configured during the enrollment request), the private key is saved in the TPM. Note that a SCEP-enrolled certificate protected by the TPM isn't guarded by a PIN. However, if the certificate is imported into the Windows Hello for Business Key Storage Provider (KSP), it is guarded by the Hello PIN.
How do I install a certificate to my Windows CE or Windows Mobile based device?
Article ID: 39014722
Installation of Certificates to Windows Mobile Based Devices
If you want to create a registry file or have the certificate persist across a clean boot, follow the Windows CE instructions below instead, but substitute the steps here when you reach "Configure the settings you want to persist".
- Copy the CER file to your device
- Using File Explorer on the device find the file you copied to the device
- Tap on the file
- Tap OK
Installation of Certificates to Windows CE Based Devices
Download RemCapture to capture settings on the device.
Once you've installed RemCapture on your PC:
- Review all the articles in the short Help file in the "Motorola Remote Capture v2.0" program group
- Cold boot the device
- ActiveSync the device
- Run Remote Capture
- Select View => Exclusions => Registry
- Under each HKEY section, delete the branches of the registry that are listed
- Save & Exit
- Press the green plus “+” in the upper left.
- Select View => Exclusions => Registry
- On the device, configure the settings you want to persist:
  - Copy your CER files to the device
  - Click Start
  - Settings
  - Control Panel
  - Certificates
  - Import
  - Find the certificate and follow the prompts to install the certificate
  - Tap "OK" to close the certificate window
- In Remote Capture:
  - Press the yellow minus "-" in the upper left.
  - Press the "Save" diskette icon to save the resulting information to your PC.
- In Windows Explorer on your PC, navigate to where you saved the information and copy the files to the device's "\Application" directory
After you’ve completed these steps, cold boot the device and confirm that the certificates were installed automatically.