Installing Certificates on Windows Mobile 5.0 Smartphone

Certificate installation is controlled by the GRANT MANAGER security policy. To install certs interactively via the UI requires the USER_AUTH role to be added to this policy – by default on WM 5.0 its not set. The problem is somewhat compounded because this policy is in the registry and so it needs code to change it, either using a signed reg editor or by some other signed application. The way I have achieved this is to use the RAPICONFIG SDK utility to modify the GRANT MANAGER policy setting remotely, but RAPI is a protected interface in itself and on Orange devices is set to restricted. Anyway, try these steps on the Orange C600 device (NOTE: this route is only applicable for development testing and I've only tested it on the C600). WARNING: Messing around with security policies on your device might leave it exposed to attack, do so at your own risk and make sure you know what you are doing before attempting this.

There are two steps. First the device must have RAPI policy set to OPEN. The original SPV developer unlock utility should work for the C600 and open the RAPI policy. Go to this web site and follow the instructions: http://developer.orangews.com/orgspv/comdefq.aspx.If you have issues with the unolock request, try a ‘lock’ request first, and then the unlock request.

Once that’s done, ensure you have the WM 5.0 Smartphone SDK (the Pocket PC SDK also has the tools you need) installed, you will need Active Sync 4.1 and a connection to the device. In a command prompt go to “\Program Files\Windows CE Tools\wce500\Windows Mobile 5.0 Smartphone SDK\Tools”. Save the following XML snippet as ElevateToGrantManager.xml in that directory:

<wap-provisioningdoc>

   <characteristic type="SecurityPolicy">

            <parm name="4119" value="144"/>

   </characteristic>

</wap-provisioningdoc>

This XML tells the configuration manager to use the “SecurityPolicy” Configuration Service Provider (CSP) and change the GRANT MANAGER policy (4119) to include the bit flags USERAUTH (16) and CARRIERTPS (128) roles – we only need to set the USERAUTH role but CARRIERTPS is there by default.

Next, from the command prompt run the following:

Rapiconfig.exe /P ElevateToGrantManager.xml

If the RAPI policy is set correctly then you should see a success message and will now be able to install certificates interactively on the device.

To back out these security changes do the following:

Save the following XML snippet in the tools directory as RestoreGrantManager.xml

<wap-provisioningdoc>

   <characteristic type="SecurityPolicy">

            <parm name="4119" value="128"/>

   </characteristic>

</wap-provisioningdoc>

and run…

Rapiconfig.exe /P RestoreGrantManager.xml

Then go back to the SPV unlock web page and request a ‘lock’ the RAPI setting on the device.

For a production environment the right solution for installing these certs is to talk to your operator and create a signed CPF file using the appropriate certificate.

Marcus