Adding self-signed root certificates to Windows mobile devices


Serdar Yegulalp
02.22.2007


Generating self-signed SSL encryption certificates is one way to beat the high cost of third-party SSL certificates, which can run as much as $100 a year.

If you're a small shop and you don't think you need to have third-party certificates generated for you, you can always create one yourself by setting up Certificate Services and fulfilling a certificate request from yourself.

The process has been fairly well documented for creating a self-signed certificate to use on a server. (See the MSExchange.org article, SSL-enabling OWA 2003 using your own certificate authority.) But what if you want to take your self-signed root certificate and manually add it to one or more mobile devices?

There are a few ways to do this, although they all require management access to the mobile devices. One particularly interesting way is to take the root certificate, turn it into a .CAB file, and then deploy it to the mobile devices.

Some types of management systems (such as OTA, or "over-the-air") will only deploy .CAB files, and installing certificates via .CAB files may work if you're trying to add the certificate to a store on the mobile device other than the root store.

The full technique has been published on the Windows Mobile Team Blog: How to add your own root cert via CAB file. There aren't a lot of steps involved, but be aware of these critical issues before you get started:

  1. You must export the root certificate, not a leaf, for this to work correctly. If you've generated and self-signed the certificate, this is probably easier than if you're using a third-party certificate authority. Be sure to go as far up the certificate chain as you possibly can. If you have intermediate certificates to be installed, export the root first, then the intermediates.
  2. This technique will not work for wildcard certificates. You need to have a certificate for the specific URL being accessed via the mobile device.
  3. When you create the "thumbprint" for the certificate, as per the instructions, make sure that the thumbprint listed in the XML files has no spaces or carriage returns. Otherwise, the thumbprint will not validate.
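A pre-deployment check for the thumbprint issue in item 3, added here as an example and not taken from the original tip or the Windows Mobile Team Blog post. It assumes the provisioning XML follows the CertificateStore layout (store name, then thumbprint, then an `EncodedCertificate` parm); the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed stand-in for the exported root certificate's DER bytes (not a real cert).
SAMPLE_DER = b"constructed stand-in for DER-encoded root certificate"

def thumbprint(der):
    """Windows thumbprint: SHA-1 over the DER encoding, as 40 uppercase hex digits."""
    return hashlib.sha1(der).hexdigest().upper()

def normalize(pasted):
    """Strip spaces, CR/LF and invisible format characters from a pasted thumbprint."""
    kept = "".join(c for c in pasted
                   if not c.isspace() and unicodedata.category(c) != "Cf").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", kept):
        raise ValueError("not a 40-digit hex SHA-1 thumbprint: %r" % pasted)
    return kept

def build_setup_xml(der, listed, store="ROOT"):
    """Build the provisioning document (element layout is an assumption)."""
    doc = ET.Element("wap-provisioningdoc")
    node = doc
    for kind in ("CertificateStore", store, listed):
        node = ET.SubElement(node, "characteristic", type=kind)
    ET.SubElement(node, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")

def audit_setup_xml(xml_text, store="ROOT"):
    """Return a list of problems; an empty list means every listed thumbprint matches."""
    problems = []
    path = (".//characteristic[@type='CertificateStore']"
            "/characteristic[@type='%s']/characteristic" % store)
    entries = ET.fromstring(xml_text).findall(path)
    if not entries:
        problems.append("no certificate entry under store " + store)
    for entry in entries:
        listed = entry.get("type", "")
        parm = entry.find("parm[@name='EncodedCertificate']")
        if parm is None:
            problems.append("entry %r has no EncodedCertificate parm" % listed)
            continue
        actual = thumbprint(base64.b64decode("".join(parm.get("value", "").split())))
        if listed != actual:  # exact match: spaces or line breaks count as a mismatch
            problems.append("listed %r does not match certificate %s" % (listed, actual))
    return problems
```

Run `normalize()` on the value copied from the certificate's Details tab before writing it into the XML, then run `audit_setup_xml()` on the finished file before packaging the .CAB.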

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.
