Self-signed SSL certs on Windows Mobile

December 14, 2008

In the latest act of stupidity from Microsoft (at least as far as what I’ve discovered), after wanting to turn on SSL on my connection between Windows Mobile and Exchange 2003, it turns out that if you have a self-signed cert (i.e. one from your own server, rather than one you’re paying $1000 a year to Verisign for), then WM doesn’t want to play.

I found this post: http://forums.msrportal.com/showthread.php?t=7926, which has the following instructions:

Step 1: Export certificate from Server.

1. Start MMC on the Exchange server.
2. Please add the "Certificates" Snap-in and associate it to the "Local Computer" account.
3. In the "Personal\Certificates" or "Trusted Root Certification Authorities\Certificates" container, please double click to open the certificate you used for ActiveSync.
4. In the Details tab, please right click the certificate, click All Tasks to export your root certificate to a DER type certificate with a *.cer file.

Step 2: Copying the Certificate File to the Device

1. Log on to a client computer that has ActiveSync 4.1 installed.
2. Copy the certificate you exported in Step 1 to this workstation.
3. Navigate to Mobile Device under My Computer. By default, the contents of the My Documents folder on the device are displayed.
4. Right-click the content area and click Paste to copy the certificate file to the device.

Step 3: Installing the Certificate on the Device

1. On the Windows Mobile device, open File Explorer (for Pocket PCs) or File Manager (for Smartphones).

Note: File Explorer is present at Start\Programs on Pocket PCs.

2. Find the certificate file you just copied to the My Documents folder on the device and run the file by either tapping the file name or pressing ENTER while the file is selected.

3. Click Yes on the confirmation message box to install the certificate. If you receive no error messages, the certificate is installed successfully. If you receive an error and the certificate is not installed, you will need to use an external utility to install the certificate on the device. To install the certificate using this external utility, perform the following steps:

a. On the client computer, download smartphoneaddcert.exe from the following URL: http://support.microsoft.com/?id=841060

If a signed version of smartphoneaddcert by your mobile operator is available from this link, download the signed version.

Note: Although the Knowledge Base article, "841060," at the given link refers to Windows Mobile 2003 and Windows Mobile 2002, the utility will also work with Windows Mobile 5.0.

In addition, even though the file is named "smartphoneaddcert," it also works with Pocket PCs.

b. Run smartphoneaddcert.exe and extract SpAddCert.exe.
c. Copy SpAddCert.exe to the device.
d. On the device, create a folder named "Storage" on the root of the device and copy the certificate file into the Storage folder.
e. On the device, run SpAddCert.exe. By default, the certificates in the Storage folder of the device are listed. Select the certificate you just copied and click OK on all message boxes that get displayed, to install the certificate.

More info here:

Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 (Page 14: Step 4 - Deploying an SSL Certificate)
http://www.microsoft.com/downloads/d…d72-1e5a-4128-a30c-dafeeb43544d


**UPDATE**

As an update to this, it still won’t work because my certificate doesn’t match the FQDN I use to access my site, and there’s no workaround for this (unlike if I browse to the OWA website and choose to use the certificate anyway).

Thanks for that guys, nice work.
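The update describes the one check the device gives no override for: the host name in the ActiveSync server address has to be covered by a name in the certificate. The Python below is an added example, not code from the post or from Microsoft; it implements that comparison (RFC 6125 rules: subjectAltName dNSName entries first, commonName only as a fallback, a wildcard only as the whole left-most label, an IP literal only against an iPAddress SAN) on certificate dicts in the shape Python's ssl.getpeercert() returns, using made-up host names.

```python
import ipaddress

def cert_dns_names(cert):
    """DNS names a getpeercert()-style cert dict is valid for: SAN dNSName
    entries win, the subject commonName is a fallback only (RFC 6125)."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def _name_matches(pattern, hostname):
    """Match one certificate name (possibly a wildcard) against a host name."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    # The wildcard must be the whole left-most label, may not span a dot
    # (so label counts must agree), and '*.tld' style names are refused.
    if pl[0] != "*" or len(pl) != len(hl) or len(pl) < 3:
        return False
    return pl[1:] == hl[1:]

def hostname_matches(cert, hostname):
    """True if the host part of the server address is covered by cert."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN, never a dNSName or CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in cert.get("subjectAltName", ()))
    return any(_name_matches(n, hostname) for n in cert_dns_names(cert))

# Constructed certificates (made-up names): the usual self-signed cert issued
# to the server's machine name, and one re-issued with the externally used
# FQDN as a dNSName SAN so that the device's server address is covered.
INTERNAL_ONLY = {"subject": ((("commonName", "exchange01"),),)}
WITH_EXTERNAL_FQDN = {
    "subject": ((("commonName", "exchange01"),),),
    "subjectAltName": (("DNS", "exchange01"), ("DNS", "mail.example.net")),
}

if __name__ == "__main__":
    for cert in (INTERNAL_ONLY, WITH_EXTERNAL_FQDN):
        print(cert_dns_names(cert), hostname_matches(cert, "mail.example.net"))
```

The first certificate passes only when the device is pointed at "exchange01"; the re-issued one also covers the external FQDN, which is the fix when the device cannot be told to use the certificate anyway.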