Read this section on the P12imprt webpage if you don’t know how to obtain or create a personal certificate and corresponding private key.

5. Importing a certificate on Windows Mobile 6

You can import root certificates and personal certificates. Root certificates need to be in PEM (text, Base64 encoded) or DER (binary) format. Root certificate files have the extension .cer or .p7b and contain a single certificate or a PKCS#7 certificate chain. Personal certificates need to be in PKCS#12 format and have the extension .pfx or .p12. PKCS#12 files typically contain a personal certificate and its corresponding private key, a root certificate and optionally a number of intermediate CA certificates.

Here is how to import a file containing one or more certificates on the Windows Mobile device:

• Copy the certificate file to your Windows Mobile 6 device. You can use any method to do the transfer: ActiveSync, a flash memory card, Bluetooth, infrared etc.
• Tap «Start», «Programs» and «File Explorer».
• Tap the certificate file that you want to import. (Note: File Explorer does not show extensions, so make sure you select the correct file, for example by checking the file size).
• Enter the password that was used to encrypt the PKCS#12 file. No password have to be entered for importing root certificate files.
• The certificate(s) included in the file are imported: «One ore more certificates were installed successfully.». If an equivalent certificate (i.e. with the same name) already exists on your Windows Mobile device, it will be silently overwritten. So make sure you tap the correct certificate file.
• Exit File Explorer.

View the certificates that have been imported to the Pocket PC device:

• In the Settings menu, tap the «System» tab. Then tap «Certificates».
• Select the «Personal» tab if it has not been selected already. At the top of the page the following text is displayed: «Use personal certificates to positively identify yourself to others.»
• If you imported a PKCS#12 file, you should see the newly added personal certificate. If you tap the name of this personal certificate, you should see its details. Tap «OK» to return to the previous window.
• Tap the «Root» tab. You should now see the new root certificate that you added. If you tap on the name of this root certificate, you should see its details.
• Tap the «Intermediate» tab. If there were any intermediate certificates in the PKCS#12 or PKCS#7 file you should see them here. If you tap on the name of an intermediate certificate, you should see its details.

If you have installed my sample root certificate («TESTCA») and personal certificate («TESTUSER») you will probably want to delete them afterwards. Use the «Certificates» applet in Settings->System. Tap and hold the name of the certificate. A context menu will pop up. Select «Delete» to delete the certificate.

6. Importing a personal certificate with PFXimprt or P12imprt

Both my programs P12imprt and PFXimprt work on WM6. But unlike WM6’s built-in certificate installer, they will cause WM6 to display a popup. I would recommend P12imprt over PFXimprt.

• In general, follow the instructions on my P12imprt page.
• Run P12imprt.exe, enter the password and tap «Import certificate».
• You will see a popup asking whether you want to block or install the root certificate in the file: «Your device is being asked to install a security certificate.«
• Tap «More». There will be another popup with yet another warning.
• Tap «Install». (Optionally you can tap «Requester» for verification. This will display the SHA-1 thumbprint of the certificate, its issuer and its subject).

If you tap «Block», WM6 will not allow the certificate to be installed. However, there is something odd with WM6. If the root certificate already exists, P12imprt / PFXimprt asks you if you want to overwrite the certificate or not. If you select «Overwrite», WM6 asks if you want to block or install the root certificate. If you tap «Block», the root certificate will not be overwritten but for some reason WM6 deletes the existing root certificate instead of leaving it alone. Looks like a bug to me. You would expect the CertAddEncodedCertificateToStore(CERT_STORE_ADD_REPLACE_EXISTING) call to be an atomic operation.

On some locked devices such as Smartphones the root certificate may fail to install, even if you allow WM6 to continue. In such cases it is recommended to use WM6’s built-in certificate installer.

Older versions of P12imprt and Crtimprt did not import certificates correctly for use with S/MIME. This has been resolved in updated versions.

Web enrolment is an alternative to importing a certificate from a file. Clients «enrol» at a webbased Certificate Authority. Enrolment means that you contact a certificate server and request the server to issue a certificate. The server will ask for your credentials, such as a username and password, before issuing the certificate. Enrolment requires a web enrolment utility on the Windows Mobile device, and on the server Microsoft Certificate Services is required (no other CA is supported). Web enrolment is (somewhat) documented on the Microsoft website.

7.1 Web enrolment with ActiveSync

Windows XP and earlier use ActiveSync for web enrolment.

Some vendors ship an enrolment utility for previous versions of Windows Mobile but Windows Mobile 6 now contains a built-in support for web enrolment. But this only works in combination with ActiveSync 4.5. Older versions of Windows Mobile such as WM5 are not supported by the enroller included with ActiveSync 4.5: the menu option «Get Device Certificates» will remain ghosted.

This is not a tutorial on web enrolment. If you encounter problems, contact the vendor of your device (or try contacting Microsoft Support).

First, you need to configure your Windows Server to web enrolment:

• Install IIS on your Windows Server.
• Install Certificate Services CA and Certificate Services Web Enrollment (screenshots) on your Windows Server.
• According to the Windows Help file, if you installed IIS after installing CA services, you need to run «certutil -vroot«.
• The Windows Server must be configured to immediately issue certificates (no human interaction required), otherwise the client will abort the web enrolment procedure. Open Certificate Authority (mmc certsrv.msc), open the properties of your CA, click the tab «Policy module «, click Properties, pick «Follow the setting in the certificate template, if applicable. Otherwise, automatically issue the certificate«. This obviously means that you don’t have manual control over what certificates are issued to whom, but that’s the way it is.
• You may have to load the Authenticated Session and User Signature Only templates.
• Test your certificate web enrolment setup by using a browser on a desktop PC. Obtain a «User» certificate by surfing to:
  http://exchange.example.com/certsrv where exchange.example.com is the hostname of your Windows Server. You will be asked for your account credentials (a valid username and password) to enrol for a certificate. Depending on your IIS settings you may need to use HTTPS instead.
• Verify in Certificate Authority (mmc certsrv.msc) that the test certificate has been issued. It should be in the «issued» folder, not in «pending», «revoked» or «failed». You should now be able to pick up and install the certificate on the desktop PC.

Then, you use ActiveSync on your PC to enrol at the CA server:

• Download and install ActiveSync 4.5 or higher on your Windows 2000/2003/XP desktop PC.
• Cradle your Windows Mobile device.
• Start ActiveSync.
• Click on the menu «Tools ->Configure Server Source».
• Enter the server’s hostname and your account credentials.
• Click on the menu «Tools -> Advanced Tools ->Get Device Certificates».
• A window called «Get Device Certificates» will be displayed. Initially there will be no certificate types shown.
• Select «Certificate types from Active Directory».
• Select the «User» certificate type.
• Click «Enroll».
• A window will be displayed: «A security certificate is being requested for your device. You should continue only if you trust this certificate server.» The hostname of the server is displayed in the windows.
• However, I found that the domain name was not appended and for some reason WM6 could not reach this server by its hostname alone. I resolved this by adding a new certificate type:
  • I selected «Certificate types from device».
  • I clicked «Add».
  • I entered the hostname of the server, plus a name for the certificate type. I selected «User» as the Certificate Template Name. I also enabled «SSL» because I had already installed a root certificate on the Windows Mobile device.
  • I clicked «OK» and selected the certificate type that was just created. At this stage I could click «Enroll» and continue with the remaining steps of the procedure.
• ActiveSync displays this message: «You must approve the request on the currently connected device.» The Windows Mobile device displays this popup: «You should continue only if you started a certificate enrolment from the PC that is connected to your device.»
• Enter your account credentials.
• The enrolment will be in progress.
• If all goes well, the enrolment should succeed.

7.2 Web enrolment with Windows Vista Mobile Device Center

Windows Vista requires the Vista Mobile Device Center. Apparently there is already some kind of rudimentary Mobile Device Center included with Windows Vista, but you still need to download and install the full Mobile Device Center from the Microsoft website. Microsoft provides some instructions but these are minimal. See the section «Setting up your device for certificate enrolment». I have not tried it myself but this document claims that enrolment is «automatic» and that it requires Exchange server. I could not find a place to enter the Exchange server’s address in Vista Mobile Device Center, so I assume that Outlook is also required on the desktop PC. Mind you, ActiveSync ‘only’ required IIS / Microsoft Certificate Services but not Exchange server or Outlook. So, migrating to Vista means buying into Microsoft’s other product offerings as well, if you insist on using web enrolment. This increases the cost of ownership.

Читайте также:  Установить dhcp сервер windows

UPDATE: a new version of the Windows Mobile Device Center is available. It appears to support certificate enrolment with WM6 devices, but it requires Exchange Server. This increases the cost of ownership significantly.

8. Acknowledgements and disclaimers

My crack team of lawyers advised me to include the following text. This page shows screenshots of a device resembling a Pocket PC but this does not necessarily mean an endorsement of or by any company. I disclaim everything anyway :-). Windows, Windows Mobile, Pocket PC and Windows CE are trademarks of Microsoft Corporation. The author of this webpage is not associated with Microsoft or any other company mentioned on the page. All trademarks are owned by their respective companies.

May 21, 2007: Initial version. WM6 emulator images available.

Предварительная подготовка

Для выполнения описанных ниже действий на компьютере с сервером Microsoft Exchange используемой учетной записи необходимо делегировать разрешения локального администратора.

Дополнительные сведения о разрешениях, делегировании ролей и правах, необходимых для администрирования сервера Exchange Server 2007, см. в разделе Вопросы, связанные с разрешениями.

Для выполнения описанных ниже действий на устройстве с Windows Mobile может потребоваться соединение Exchange ActiveSync между устройством и настольным или мобильным компьютером. Для установки этого соединения в системе Windows XP используется служба ActiveSync для настольных компьютеров. Для компьютеров с Windows Vista используйте центр устройств Windows Mobile (на английском языке). Необходимо иметь возможность скопировать файл сертификата на устройство перед установкой сертификата. Скопировать сертификат на устройство можно с помощью службы ActiveSync на настольном компьютере или центра устройств Windows Mobile (на английском языке). Можно также скопировать сертификат на карту памяти и использовать ее с мобильным устройством.

Процедура

Получение корневого сертификата от службы сертификатов Windows

На компьютере, подключенном к домену, запустите Internet Explorer, а затем перейдите на веб-узел администрирования служб сертификации.

Примечание.

Этот метод работает, только если при установке служб сертификатов была установлена служба подачи заявок на сертификат через Интернет. Если эта служба не была установлена, необходимо получить копию корневого сертификата, экспортировав ее из хранилища сертификатов доверенных корневых центров сертификации на локальном компьютере. Для этого воспользуйтесь оснасткой сертификатов в консоли управления (MMC).

На странице приветствия щелкните ссылку Загрузка сертификата ЦС, цепочки сертификатов или CRL, а затем ссылку Загрузка сертификата ЦС.

Сохраните файл certnew.cer на компьютере, затем переименуйте его, присвоив ему описательное имя, например root.cer.

Используйте механизм передачи файлов, например электронную почту или FTP-узел, чтобы передать CER-файл соответствующим удаленным пользователям.

После того как файл сертификата будет передан соответствующим пользователям, сертификат следует установить на устройства. Выберите процедуру в соответствии с операционной системой, установленной на данном устройстве.

Установка сертификата на устройство с Windows Mobile Professional или устройство Pocket PC с помощью службы ActiveSync или центра устройств Windows Mobile

Подключив устройство к компьютеру, откройте Мой компьютер.

Дважды щелкните Мобильное устройство, чтобы просмотреть папки на устройстве.

Перетащите CER-файл, созданный при выполнении предыдущей процедуры, в папку на устройстве.

На устройстве нажмите кнопку Пуск и выберите пункт Проводник.

Откройте папку, содержащую CER-файл, затем откройте этот файл.

В ответ на приглашение установить сертификат нажмите кнопку ОК.

Важно!
При установке сертификата не будет выводиться уведомление об успешной установке сертификата.

Установка сертификата на устройство с Windows Mobile Standard или на смартфон с помощью службы ActiveSync или центра устройств Windows Mobile

Подключив устройство к компьютеру, выберите в меню Сервис пункт Отобразить содержимое смартфона.

Перетащите CER-файл, созданный при выполнении первой процедуры, в папку на устройстве.

На устройстве нажмите кнопку Пуск и выберите пункт Проводник.

Откройте папку, содержащую CER-файл, затем откройте этот файл.

В ответ на приглашение установить сертификат нажмите кнопку ОК.

Примечание.
Для установки сертификата на устройство с Windows Mobile 6.0 не нужно использовать Exchange ActiveSync или центр устройств Windows Mobile. Вместо этого можно скопировать файл сертификата на карту памяти и установить его непосредственно с карты памяти.

Дополнительные сведения

Дополнительные сведения об устройствах с установленной операционной системой Windows Mobile см. на веб-узле центра устройств Windows Mobile.