Installing a Root Certificate

4/8/2010

To install a root certificate on a Windows Mobile device after manufacture, do the following: first, ensure that it is a Base-64 encoded certificate; then place it in a provisioning XML document containing the code required to install the certificate in the appropriate certificate store (in this case, ROOT); finally, send the provisioning XML document to the device.

To install a root certificate on a Windows Mobile powered device

  1. Convert the root certificate (.cer file) to a Base-64 Encoded x.509 certificate. For more information, see Converting a Root Certificate.

  2. Create the provisioning XML to install the certificate in the appropriate certificate store on the device. For more information, see Creating a Provisioning XML Document For The Root Certificate or, if you are provisioning through a DM server, see Creating a Provisioning XML Document For The Root Certificate (OMA DM).

  3. Deliver the certificate to the device.

    After you create the provisioning file you have the following options for delivering the file to a Windows Mobile device:

    • You can send the provisioning file over the air (OTA) using an OMA DM Server. For more information see Provisioning OTA Through an OMA DM Server.

    • You can wrap the provisioning file in a .cpf file and send it using one of these delivery methods: Internet Explorer Mobile, ActiveSync, SI/SL, or Storage Card. For more information see How To Create a .cpf File and Delivering Applications.

      Note

      Microsoft recommends that you package and sign provisioning documents in a Cab Provisioning Format (.cpf) file. An XML provisioning document may not install on a Windows Mobile device if the file containing the document is not signed. For more information about .cpf files, see Cab Provisioning Format (CPF) File.

      Note

      The installation of a root certificate on a 1-tier device will fail if the NOPROMPT policy is not set.

    • You can send the provisioning file OTA using an OMA Client Provisioning server. For more information, see Provisioning OTA Through a WAP Push.

    • You can "tap" the .cer file and trigger the Cerinst.exe application to install the .cer file on the device. If the security role is SECROLE_USER_AUTH, the CAPI user interface will display. You can accept or deny the installation.
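Steps 1 and 2 as an added example (not Microsoft's code): the script accepts a .cer file in either binary DER or Base-64 form, computes the SHA-1 thumbprint so it can be checked against the value published by the certificate authority before the root is trusted, and emits a provisioning document for the ROOT store in the CertificateStore Configuration Service Provider's layout. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(cer_bytes: bytes) -> bytes:
    """Return DER bytes whether the .cer file is binary DER or Base-64 (PEM)."""
    match = PEM_RE.search(cer_bytes)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    return cer_bytes

def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, the value Windows displays as the thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()

def build_provisioning_xml(cer_bytes: bytes, store: str = "ROOT") -> str:
    """Build the wap-provisioningdoc that installs the certificate in `store`."""
    der = to_der(cer_bytes)
    if not der.startswith(b"\x30"):  # an X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("input is not a DER or Base-64 encoded certificate")
    doc = ET.Element("wap-provisioningdoc")
    csp = ET.SubElement(doc, "characteristic", type="CertificateStore")
    target = ET.SubElement(csp, "characteristic", type=store)
    cert = ET.SubElement(target, "characteristic", type=thumbprint(der))
    ET.SubElement(cert, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")

# Constructed placeholder bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("Thumbprint to verify out of band:", thumbprint(SAMPLE_DER))
    print(build_provisioning_xml(SAMPLE_PEM))
```

The output is the unsigned XML only; packaging and signing it in a .cpf file, as the note above recommends, is a separate step.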

See Also

Reference

CertificateStore Configuration Service Provider

Concepts

Cab Provisioning Format (CPF) File

Other Resources

Certificate Management in Windows Mobile Devices
Methods for Adding Root Certificates