Important: This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
The Certificate Installer component enables installation of certificates through various file formats:
- .PFX/.P12 – Public-Key Cryptography Standards #12 (PKCS #12)
  format files that include personal certificates with private keys
  as well as certificates that install into the intermediate and root
  certificate stores.
- .CER – Base64-encoded or DER-encoded X.509 certificates that
  install into the intermediate and root certificate stores.
- .P7B – Public-Key Cryptography Standards #7 (PKCS #7) format
  files that install multiple certificates to any certificate store
  on the device.
The .PFX, .P12, .P7B or .CER files are opened from the file explorer on the device and the certificate installer is executed to process the file automatically. The following is a list of file types and the certificates and keys they support:
- .PFX/.P12 – Supports one or more certificates and one or more
  private keys.
- .CER – Supports one certificate. No private key.
- .P7B – Supports one or more certificates. No private keys.
- CertEnroll – Enrolls for the cert+private key for the user
  and installs the related certificate chain.
The files can reach the device through desktop ActiveSync Explore, a storage card, an e-mail attachment, a Mobile Internet Explorer file download, or a download from a file share (Windows Mobile Professional devices only).
Certificate Installer
Every certificate contains a subject field that identifies the individual or group to which the certificate was issued. Every certificate also contains an issuer field that identifies the certificate authority, which is an entity entrusted to issue certificates that assert that the recipient individual, computer, or organization requesting the certificate fulfills the conditions of an established policy.
Certificate Chains
A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate certificate authorities, and the certificate of a root certificate authority trusted by all parties in the chain. Every intermediate certificate authority in the chain holds a certificate issued by the certificate authority one level above it in the trust hierarchy. The root certificate authority issues a certificate for itself.
Algorithm for Adding Certificate Chains
When importing the certificate for a client, the certificate chain may be included in the .PFX file. This enables the device to authenticate the intermediate and root certificates associated with the end certificate. All certificates in the chain will be added to the appropriate certificate stores on the device to enable trust validation.
If the chain certificates are included in the .PFX file, the application processes the chain certificates as follows:
- Store the subject certificate in the MY certificate store. The
  subject certificate has a public key associated with the private
  key that is being added to the device as a part of the PFX import.
- Check for existence and install any certificate that meets the
  following requirements into the ROOT certificate store:
  - The certificate is self-signed by its own private key.
  - The issuer of the certificate is the same as the subject of the
    certificate.
- Check for the existence of and install any other certificates
  provided in the chain (intermediate certificates) to the CA
  certificate store.
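The placement rules above, as an added example in Go (not code from the original page or from CertInstaller): it uses the standard crypto/x509 package on constructed Ed25519 certificates, and the names PlaceChain and SampleChain are hypothetical. The constructed "lookalike" certificate has an issuer equal to its subject but was signed by another key, so it fails the self-signature requirement for ROOT and falls through to the CA store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PlaceChain maps each certificate's CommonName to the store the algorithm above selects.
func PlaceChain(certs []*x509.Certificate, key ed25519.PrivateKey) map[string]string {
	out := map[string]string{}
	for _, c := range certs {
		out[c.Subject.CommonName] = "CA" // default: any other chain certificate
		if key.Public().(ed25519.PublicKey).Equal(c.PublicKey) {
			out[c.Subject.CommonName] = "MY" // public key pairs with the imported private key
		} else if string(c.RawIssuer) == string(c.RawSubject) &&
			c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
			out[c.Subject.CommonName] = "ROOT" // issuer == subject AND signed by its own key
		}
	}
	return out
}

// SampleChain builds constructed test data: a three-level chain plus a "lookalike" (see lead-in).
func SampleChain() ([]*x509.Certificate, ed25519.PrivateKey) {
	spec := []struct{ cn, issuer string; signer int }{ // signer = index of the signing key
		{"root", "root", 0}, {"intermediate", "root", 0}, {"user", "intermediate", 1}, {"lookalike", "lookalike", 0}}
	keys := make([]ed25519.PrivateKey, len(spec))
	var certs []*x509.Certificate
	for i, s := range spec {
		_, keys[i], _ = ed25519.GenerateKey(rand.Reader)
		t := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: s.cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
		parent := &x509.Certificate{Subject: pkix.Name{CommonName: s.issuer}} // supplies the issuer name only
		der, err := x509.CreateCertificate(rand.Reader, t, parent, keys[i].Public(), keys[s.signer])
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der)
		certs = append(certs, c)
	}
	return certs, keys[2] // keys[2] is the user's private key, as a PFX would carry it
}

func main() { fmt.Println(PlaceChain(SampleChain())) }
```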
Remarks
It is assumed that the user has a way to copy a file to the device's file system by using a storage card, desktop ActiveSync, or a file share connection over the network.
The CertInstaller tool will add certificates to the user (HKCU) MY, CA, or ROOT certificate stores.
Note: The functionality of the CertInst.exe tool (available on Pocket PC for Windows Mobile 2003 and Pocket PC for Windows Mobile Version 5.0) has been merged into the CertInstaller.exe tool. In addition, the CertInstaller.exe tool replaces the SPAddCert utility.
Requirements
Windows Mobile: Windows Mobile 6 and later