Important:
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
4/8/2010

The Certificate Installer component enables installation of certificates through various file formats:

The .PFX, .P12, .P7B or .CER files are opened from the file explorer on the device and the certificate installer is executed to process the file automatically. The following is a list of file types and the certificates and keys they support:

The files can get to the device through desktop ActiveSync explore, storage card, e-mail attachment, Mobile Internet Explorer file download or download from a file share (Windows Mobile Professional devices only).

Certificate Installer

Every certificate contains a subject field that identifies the individual or group to which the certificate was issued. Every certificate also contains an issuer field that identifies the certificate authority, which is an entity entrusted to issue certificates that assert that the recipient individual, computer, or organization requesting the certificate fulfills the conditions of an established policy.

Certificate Chains

A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate certificate authorities, and the certificate of a root certificate authority trusted by all parties in the chain. Every intermediate certificate authority in the chain holds a certificate issued by the certificate authority one level above it in the trust hierarchy. The root certificate authority issues a certificate for itself.

Algorithm for Adding Certificate Chains

When importing the certificate for a client, the certificate chain may be included in the .PFX file. This enables the device to authenticate the intermediate and root certificates associated with the end certificate. All certificates in the chain will be added to the appropriate certificate stores on the device to enable trust validation.

If the chain certificates are included in the .PFX file, the application processes the chain certificates as follows:

  1. Store the subject certificate in the MY certificate store. The subject certificate has a public key associated with the private key that is being added to the device as a part of the PFX import.

  2. Check for the existence of, and install into the ROOT certificate store, any certificate that meets the following requirements:

    • The certificate is self-signed by its own private key.

    • The issuer of the certificate is the same as the subject of the certificate.

  3. Check for the existence of and install any other certificates provided in the chain (intermediate certificates) to the CA certificate store.
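
The store routing described above, modeled in Python as an added example (not code from CertInstaller or from Microsoft), so the ROOT-bound certificates in a chain can be listed before a .PFX is distributed. Certificates are constructed records, key identifiers stand in for real signature verification, and `Cert`, `route_pfx` and `demo` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for an X.509 certificate; key fields are labels, not real keys.
    subject: str
    issuer: str
    public_key: str    # identifier of the key the certificate carries
    signing_key: str   # identifier of the key its signature verifies under (assumption)

def route_pfx(certs, private_key, stores):
    """Return the (store, subject) installs that importing this chain would perform.

    stores maps "MY", "CA" and "ROOT" to the set of certificates already present.
    """
    installed = []
    for cert in certs:
        if cert.public_key == private_key:
            target = "MY"    # subject certificate: pairs with the imported private key
        elif cert.issuer == cert.subject and cert.signing_key == cert.public_key:
            target = "ROOT"  # both ROOT requirements hold
        else:
            target = "CA"    # every other certificate in the chain
        if cert not in stores[target]:  # "check for existence" before installing
            stores[target].add(cert)
            installed.append((target, cert.subject))
    return installed

# Constructed sample chain.
ROOT = Cert("CN=Example Root", "CN=Example Root", "k-root", "k-root")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root", "k-int", "k-root")
CLIENT = Cert("CN=device-user", "CN=Example Issuing CA", "k-user", "k-int")
# Issuer equals subject, but the signature comes from another key:
# only one of the two ROOT requirements is met, so it is not routed to ROOT.
LOOKALIKE = Cert("CN=Example Root", "CN=Example Root", "k-other", "k-int")

def demo():
    # The intermediate is already on the device, so it is not installed again.
    stores = {"MY": set(), "CA": {INTERMEDIATE}, "ROOT": set()}
    return route_pfx([CLIENT, INTERMEDIATE, ROOT, LOOKALIKE], "k-user", stores)

if __name__ == "__main__":
    for store, subject in demo():
        print(f"{store:5} <- {subject}")
```

Entries routed to ROOT are the ones that extend what the device trusts, so they are the lines to review in the output.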

Remarks

It is assumed that the user has a way to copy a file to the device's file system by using a storage card, desktop ActiveSync, or a file share connection over the network.

The CertInstaller tool will add certificates to the user (HKCU) MY, CA, or ROOT certificate stores.

Note:
The functionality of the CertInst.exe tool (available on Pocket PC for Windows Mobile 2003 and Pocket PC for Windows Mobile Version 5.0) has been merged into the CertInstaller.exe tool. In addition, the CertInstaller.exe tool replaces the SPAddCert utility.

Requirements

Windows Mobile: Windows Mobile 6 and later
