The Certificate Installer component enables installation of certificates through various file formats:
- .PFX/.P12 – Public-Key Cryptography Standards #12 (PKCS #12) format files that include personal certificates with private keys as well as certificates that install into the intermediate and root certificate stores.
- .CER – Base64-encoded or DER-encoded X.509 certificates that install into the intermediate and root certificate stores.
- .P7B – Public-Key Cryptography Standards #7 (PKCS #7) format files that install multiple certificates to any certificate store on the device.
When a .PFX, .P12, .P7B, or .CER file is opened from the file explorer on the device, the certificate installer runs automatically to process it. The following list shows each file type and the certificates and keys it supports:
- .PFX/.P12 - Supports one or more certificates and one or more private keys.
- .CER - Supports one certificate. No private key.
- .P7B - Supports one or more certificates. No private keys.
- CertEnroll – Enrolls for the certificate and private key for the user and installs the related certificate chain.
The files can get to the device through desktop ActiveSync Explore, a storage card, an e-mail attachment, a Mobile Internet Explorer file download, or a download from a file share (Windows Mobile Professional devices only).
Every certificate contains a subject field that identifies the individual or group to which the certificate was issued. Every certificate also contains an issuer field that identifies the certificate authority, which is an entity entrusted to issue certificates that assert that the recipient individual, computer, or organization requesting the certificate fulfills the conditions of an established policy.
A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate certificate authorities, and the certificate of a root certificate authority trusted by all parties in the chain. Every intermediate certificate authority in the chain holds a certificate issued by the certificate authority one level above it in the trust hierarchy. The root certificate authority issues a certificate for itself.
Algorithm for Adding Certificate Chains
When importing the certificate for a client, the certificate chain may be included in the .PFX file. This enables the device to authenticate the intermediate and root certificates associated with the end certificate. All certificates in the chain will be added to the appropriate certificate stores on the device to enable trust validation.
If the chain certificates are included in the .PFX file, the application processes the chain certificates as follows:
- Store the subject certificate in the MY certificate store. The subject certificate has a public key associated with the private key that is being added to the device as a part of the PFX import.
- Check for the existence of, and install into the ROOT certificate store, any certificate that meets both of the following requirements:
  - The certificate is self-signed by its own private key.
  - The issuer of the certificate is the same as the subject of the certificate.
- Check for the existence of and install any other certificates provided in the chain (intermediate certificates) to the CA certificate store.
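To make the MY/ROOT/CA sorting above concrete, here is an added Go example; it is not CertInstaller's own code (which this page does not show) and it does not read a real .PFX. It constructs a sample root, intermediate and end certificate in memory, applies the two ROOT-store requirements (issuer equals subject, and the signature verifies under the certificate's own public key), puts the certificate matching the imported private key into MY and everything else into CA, and also parses the Base64 or DER .CER encodings listed earlier. The function names, store strings and common names ("Test Root CA", "Test Issuing CA", "device-client") are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// LoadCer parses a .CER body in either encoding the page lists: Base64 (PEM) or DER.
func LoadCer(data []byte) (*x509.Certificate, error) {
	if block, _ := pem.Decode(data); block != nil {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		data = block.Bytes
	}
	return x509.ParseCertificate(data)
}

// IsSelfSigned applies both ROOT-store tests: issuer == subject, and the signature verifies under the cert's own key.
func IsSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// ClassifyChain sorts PFX certificates into stores: key match -> MY (tested first), self-signed -> ROOT, rest -> CA.
func ClassifyChain(certs []*x509.Certificate, imported crypto.PublicKey) (map[string][]*x509.Certificate, error) {
	stores := map[string][]*x509.Certificate{}
	found := false
	for _, c := range certs {
		pub, ok := c.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
		switch {
		case ok && pub.Equal(imported):
			stores["MY"] = append(stores["MY"], c)
			found = true
		case IsSelfSigned(c):
			stores["ROOT"] = append(stores["ROOT"], c)
		default:
			stores["CA"] = append(stores["CA"], c)
		}
	}
	if !found {
		return nil, fmt.Errorf("no certificate matches the imported private key")
	}
	return stores, nil
}

// must is a fixture helper: the constructed sample PKI below panics on error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a test certificate for cn (constructed sample PKI, not a real
// CA); with parent == nil the certificate is self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildTestChain builds root -> intermediate -> leaf in memory and returns them
// deliberately unordered (as a PFX may carry them) with the leaf's private key.
func BuildTestChain() ([]*x509.Certificate, *ecdsa.PrivateKey) {
	root, rootKey := newCert("Test Root CA", true, nil, nil)
	inter, interKey := newCert("Test Issuing CA", true, root, rootKey)
	leaf, leafKey := newCert("device-client", false, inter, interKey)
	return []*x509.Certificate{inter, leaf, root}, leafKey
}

func main() {
	certs, leafKey := BuildTestChain()
	stores := must(ClassifyChain(certs, leafKey.Public()))
	for _, store := range []string{"MY", "CA", "ROOT"} {
		for _, c := range stores[store] {
			fmt.Printf("%-4s <- %s\n", store, c.Subject.CommonName)
		}
	}
}
```

The public-key match is tested before the self-signed test so that a self-signed end certificate still lands in MY rather than ROOT, and a file whose certificates do not match the imported private key is rejected rather than silently installed into CA and ROOT.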
It is assumed that the user has a way to copy a file to the device's file system by using a storage card, desktop ActiveSync, or a file share connection over the network.
The CertInstaller tool will add certificates to the user (HKCU) MY, CA, or ROOT certificate stores.
The functionality of the CertInst.exe tool (available on Pocket PC for Windows Mobile 2003 and Pocket PC for Windows Mobile Version 5.0) has been merged into the CertInstaller.exe tool. In addition, the CertInstaller.exe tool replaces the SPAddCert utility.
| Windows Mobile | Windows Mobile 6 and later |