How can I add a Root Certificate to my Windows Mobile 2003 Pocket PC?
Windows Mobile 2002 and 2003 based Pocket PCs use Root Certificates to allow access to SSL-enabled applications such as Microsoft Pocket Internet Explorer, Microsoft ActiveSync (when it is configured to synchronize directly with Microsoft Exchange 2003 Server), L2TP-based VPN connections and 3rd-party programs.
When working with the server-side of these applications you can use commercial certificate authorities (such as Verisign, Thawte and others) to obtain Digital Certificated for the SSL connections (see Configure SSL on Your Website with IIS for an example).
Windows Mobile 2003 is already configured with Root Certificates that represent the following certificate authorities:
However, in order to save money on Digital Certificates many enterprises might want to use their own, internally configured certificate authorities (one example of such a CA would be the built-in CA in Windows Server 2003 – See Install Windows Server 2003 CA for more info). Although such CAs can issue various certificates for many uses (for example EFS encryption, IPSec, E-Mail encryption and so on), the biggest problem with using internally-issued and non-commercial certificates is the fact that computers outside your organization will not trust these certificates. This is due to the fact that these “outside” computers and devices do not automatically trust the root certificate of the your internal certificate authority, thus any certificate issued by it will be treated as signed by a non-trusted CA.
In Windows-based computers this can be easily fixed by adding the Root Certificate for the internal CA to the Trusted Root Certificates store on the computers. This can be achieved either by manually importing the Root Certificate to each computer, or by using GPOs and Active Directory.
In Windows Mobile-based Pocket PCs you also need to add the Root Certificate to the Trusted Root Certificates store inside the PPC. However, these devices can be configured to temporarily stop checking the validity of the Root Certificate by using the following tool:
Download Disable Cert Check (376kb)
In order to add the Root Certificate to your Windows Mobile 2003 Pocket PC follow these steps:
Export the Root Certificate in DER encoded binary X.509 format with a .CER file name extension.
If using a Windows 2000 or Windows Server 2003 CA you can easily export the Root Certificate from the CA website at http://servername/certsrv:
You should now have a .CER file.
First, you’ll need to obtain the SPAddCert.exe tool and install it to your Windows Mobile Pocket PC.
Download SPAddCert.exe (182kb)
Note: I’m not sure if this is a must, I’ve tested with other paths and it still worked. Test it on yourself if you want.
Next, you’ll need to transfer the Root Certificate to your Windows Mobile Pocket PC.
The \Storage root of the Pocket PC device
The root of the memory card installed on the Pocket PC device
You can now use any application that uses Root Certificates to allow access to SSL-enabled applications such as Microsoft Pocket Internet Explorer, Microsoft ActiveSync and others.
You may find these related articles of interest to you:
Download ActiveSync 4.1 (7119kb)