Adding self-signed root certificates to Windows mobile devices


Serdar Yegulalp
02.22.2007


Generating self-signed SSL encryption certificates is one way to beat the high cost of third-party SSL certificates, which can run as much as $100 a year.

If you're a small shop and you don't think you need to have third-party certificates generated for you, you can always create one yourself by setting up Certificate Services and fulfilling a certificate request from yourself.

The process has been fairly well documented for creating a self-signed certificate to use on a server. (See the MSExchange.org article, SSL-enabling OWA 2003 using your own certificate authority.) But what if you want to take your self-signed root certificate and manually add it to one or more mobile devices?

There are a few ways to do this, although they all require management access to the mobile devices. One particularly interesting way is to take the root certificate, turn it into a .CAB file, and then deploy it to the mobile devices.

Some types of management systems (such as OTA, or "over-the-air") will only deploy .CAB files, and installing certificates via .CAB files may work if you're trying to add the certificate to a store on the mobile device other than the root store.

The full technique has been published on the Windows Mobile Team Blog: How to add your own root cert via CAB file. There aren't a lot of steps involved, but be aware of these critical issues before you get started:

  1. You must export the root certificate, not a leaf, for this to work correctly. If you've generated and self-signed the certificate, this is probably easier than if you're using a third-party certificate authority. Be sure to go as far up the certificate chain as you possibly can. If you have intermediate certificates to be installed, export the root first, then the intermediates.
  2. This technique will not work for wildcard certificates. You need to have a certificate for the specific URL being accessed via the mobile device.
  3. When you create the "thumbprint" for the certificate, as per the instructions, make sure that the thumbprint listed in the XML files has no spaces or carriage returns. Otherwise, the thumbprint will not validate.
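
A way to check the thumbprint from point 3 before it goes into the XML, as an added example that is not part of the original tip or of the Windows Mobile Team Blog procedure. The function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate; the thumbprint is the SHA-1 hash of the certificate's DER encoding.

```python
import base64
import hashlib
import re
import unicodedata

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for an exported root certificate (not a real one),
# in both export encodings: binary DER and Base-64 (PEM).
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\r\n")


def der_bytes(cert_file_bytes):
    """Return the DER bytes of a .cer export, whether DER or Base-64 encoded."""
    m = PEM_RE.search(cert_file_bytes.decode("latin-1"))
    if m:
        # Remove the line breaks inside the Base-64 body before decoding.
        return base64.b64decode("".join(m.group(1).split()))
    return cert_file_bytes


def thumbprint(cert_file_bytes):
    """SHA-1 over the DER encoding: 40 hex digits with no separators.
    Upper case is this example's choice."""
    return hashlib.sha1(der_bytes(cert_file_bytes)).hexdigest().upper()


def clean_thumbprint(pasted):
    """Strip spaces, line breaks and invisible Unicode format characters
    (category Cf) that can ride along when a thumbprint is copied from a
    certificate dialog, then insist on exactly 40 hex digits."""
    kept = "".join(ch for ch in pasted
                   if not ch.isspace() and unicodedata.category(ch) != "Cf")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", kept):
        raise ValueError("thumbprint must be exactly 40 hex digits: %r" % kept)
    return kept.upper()


def matches(pasted, cert_file_bytes):
    """True if the pasted thumbprint belongs to the exported certificate."""
    return clean_thumbprint(pasted) == thumbprint(cert_file_bytes)
```

Running `matches()` against the exported root file before building the .CAB catches both a mangled thumbprint and a thumbprint copied from the wrong certificate in the chain.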

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.
