
Windows Mobile Team Blog

The Official Windows Mobile Team Blog
How to add your own root cert via CAB file

This post explains how to install a root cert on a one-tier device via a CAB file. The certificates in the ROOT store are what the device uses to decide whether to trust an SSL connection, whether that connection is made by the browser, by Exchange ActiveSync, or for Wi-Fi authentication. For more on why you would want to add a root cert, and for alternate methods of doing so, see the discussion of root certs with Exchange ActiveSync. This method works for any one-tier prompt device, including the Treo 700w and Motorola Q.

[8/11/06] An even easier way to create this XML is to use the tool here.

Open the cert on your desktop. You can do this by double-clicking the .cer file, using the Certificates MMC snap-in, or clicking through the SSL padlock UI in IE.

If the certificate is part of a chain, go to the Certification Path tab and view the certificate at the top of the chain: the self-signed root. That is the one you need. Adding the leaf (server) cert to the ROOT store will not work. Be aware that if the server does not send down the entire chain, the top of what you see may be an intermediate rather than the root; in that case, get the real root certificate from the issuing CA and install that instead. Any intermediate certificates you also need go in the "CA" store, not "ROOT".

On the Details tab, look at the Thumbprint of the certificate (the SHA-1 hash of its DER encoding). Save this string because you will need it later. The dialog displays it as byte pairs separated by spaces; the XML needs the bare hex digits with no spaces.

If you don't have the certificate on disk already, select "Copy Certificate" to export the certificate to the filesystem in Base-64 encoded X.509 format. Don't choose the DER encoded binary option for this step: the XML needs the Base-64 text, and a DER file just looks like a run of garbage characters when you open it in Notepad.

Construct the certificate XML from three pieces: the store (ROOT for a root certificate), the thumbprint (it becomes the type of the innermost characteristic), and the Base-64 encoded certificate blob (the text between the BEGIN CERTIFICATE and END CERTIFICATE lines, with the line breaks removed, which goes in the EncodedCertificate parm; the blob is omitted below for length). Use Notepad, not Word: Word turns the quotes into "smart quotes" and the XML will not parse. The XML for our example case looks like this:

<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="97817950d81c9670cc34d809cf794431367ef474">
        <parm name="EncodedCertificate" value="..."/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

Save the XML file with the name _setup.xml (exactly that name; the installer looks for it) and make it into a cab file with makecab, which ships with Windows in %windir%\system32: makecab _setup.xml rootcert.cab

Now copy the cab file to the device (the ActiveSync Explore window works) and tap it to install. You can confirm the result in the device's Certificates settings, where the new entry should appear in the Root list. You're done!
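The steps above done by script, as an added example that is not part of the original post: it takes a .cer export in either Base-64 or DER form, computes the SHA-1 thumbprint the same way the certificate dialog does, emits the wap-provisioningdoc with the thumbprint as the characteristic type and the Base-64 blob as the EncodedCertificate parm, and lints a hand-written _setup.xml for the mistakes people hit (smart quotes, spaces left in the thumbprint, a thumbprint that does not belong to the blob). FAKE_DER is a constructed placeholder, not a real certificate; the function names and the check list are mine, not anything the post or the platform provides.

```python
"""Generate and lint the _setup.xml that provisions a certificate into the
Windows Mobile CertificateStore, following the recipe in the post above.
Added example, not code from the original post.  FAKE_DER is a CONSTRUCTED
stand-in for a real certificate's DER bytes; the recipe itself (SHA-1 over the
DER bytes as thumbprint / characteristic type, Base-64 of the same bytes as the
EncodedCertificate parm, ROOT for the root and CA for intermediates) is the post's.
"""
from __future__ import annotations
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
STORES = ("ROOT", "CA", "MY")  # MY takes the cert only; this CSP cannot carry a private key


def load_der(data: bytes) -> bytes:
    """Accept a Base-64 .cer (BEGIN/END lines) or a DER export; return DER bytes.
    DER is recognised by its leading ASN.1 SEQUENCE tag, 0x30."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
    if data[:1] == b"\x30":
        return data
    raise ValueError("not a Base-64 or DER certificate")


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes as lower-case hex with no spaces: the characteristic type."""
    return hashlib.sha1(der).hexdigest()


def normalize_thumbprint(copied: str) -> str:
    """Turn a thumbprint pasted from the certificate dialog (byte pairs separated
    by spaces or colons, any case) into the bare 40-hex-digit form the XML needs."""
    t = re.sub(r"[\s:]", "", copied).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", t):
        raise ValueError(f"not a SHA-1 thumbprint: {copied!r}")
    return t


def build_setup_xml(der: bytes, store: str = "ROOT") -> str:
    """Emit the wap-provisioningdoc that installs one certificate into `store`."""
    if store not in STORES:
        raise ValueError(f"store must be one of {STORES}")
    doc = ET.Element("wap-provisioningdoc")
    cs = ET.SubElement(doc, "characteristic", type="CertificateStore")
    st = ET.SubElement(cs, "characteristic", type=store)
    cert = ET.SubElement(st, "characteristic", type=thumbprint(der))
    ET.SubElement(cert, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")


def check_setup_xml(text: str) -> list[str]:
    """Lint a hand-written _setup.xml for the mistakes the comments report: Word
    smart quotes, spaces left in the thumbprint, whitespace or bad Base-64 in the
    blob, and a thumbprint that is not the SHA-1 of the blob (e.g. the leaf's
    thumbprint pasted next to the root's blob)."""
    if any(ch in text for ch in "\u201c\u201d\u2018\u2019"):
        return ["smart quotes present; retype the quotes in Notepad"]
    try:
        doc = ET.fromstring(text)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    problems = []
    for store in doc.iter("characteristic"):
        if store.get("type") not in STORES:
            continue
        for cert in store.findall("characteristic"):
            tp = cert.get("type", "")
            parm = cert.find("parm[@name='EncodedCertificate']")
            blob = parm.get("value", "") if parm is not None else ""
            if not re.fullmatch(r"[0-9a-fA-F]{40}", tp):
                problems.append(f"thumbprint {tp!r} is not 40 hex digits (spaces left in?)")
                continue
            if re.search(r"\s", blob):
                problems.append("EncodedCertificate contains whitespace")
            try:
                der = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
            except ValueError:
                problems.append("EncodedCertificate is not valid Base-64")
                continue
            if thumbprint(der) != tp.lower():
                problems.append(f"thumbprint {tp} is not the SHA-1 of the encoded certificate")
    return problems


# CONSTRUCTED sample input: a tiny DER SEQUENCE { INTEGER 1, INTEGER 2 } standing in
# for a real certificate, plus the same bytes as they would appear in a Base-64 .cer.
FAKE_DER = bytes.fromhex("3006020101020102")
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    der = load_der(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else FAKE_DER
    with open("_setup.xml", "w", encoding="ascii") as f:  # the name must be exactly _setup.xml
        f.write(build_setup_xml(der, sys.argv[2] if len(sys.argv) > 2 else "ROOT"))
    print("thumbprint:", thumbprint(der), "\nnext: makecab _setup.xml rootcert.cab")
```

Run it as `python make_setup_xml.py root.cer` (or `root.cer CA` for an intermediate) and then `makecab _setup.xml rootcert.cab` on Windows. Computing the thumbprint from the same bytes that go into the blob, rather than pasting it from a dialog, is what rules out the mismatched-thumbprint failures described in the comments.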

Posted: Saturday, January 28, 2006 3:30 PM by Scott Yost

Comments

AK said:

So - enlighten me as to what the purpose of this would be? When would I need something like this? Enterprise apps? Or perhaps for self-signed apps?
# January 28, 2006 7:17 PM

Scott Yost said:

Sorry, that wasn't clear. The purpose of the certificates in the ROOT store is to secure SSL connections, for the browser or exchange activesync or wi-fi. I'll add that up above. Thanks!
# January 28, 2006 7:52 PM

Riki said:

In the good ol' days this was useful for developing apps that used privileged APIs:

http://homepages.inspire.net.nz/~gambit/Article/#privmode

Which reminds me: Scott, is the EncodedCertificate whitespace tolerant? It didn't used to be.

riki
# January 29, 2006 8:11 PM

Nick said:

Er, I also don't get it.
I had this problem with my Treo700 and my GoDaddy SSL cert, that was not trusted.
I simply exported the .CER files, moved them to my Treo, and clicked on them.
I was then prompted to install them.

What does having them as a CAB instead of a CER give me?

# January 30, 2006 1:35 PM

Scott Yost said:

Hi Riki:
Yes, we fixed the whitespace bug for the 5.0 release.
# January 30, 2006 8:34 PM

Scott Yost said:

Hi Nick,
Using the ShellExecute extension to add a CER file is good if it works for you - that depends on the grant manager policy to use the version that we ship. It's possible that the OEM or Operator replaced that with their own certificate installer.
This method works if the method you used doesn't work. It also works for adding certs to certificate stores other than ROOT - the certinst tool we ship will only add to the ROOT store if I remember correctly.

# January 30, 2006 8:35 PM

Jose Simon said:

Hi, is there a way to add the certificate to the normal application cab generated with the VS 2005 install project, so the same cab could install the application and the required root cert? The cab already has a _setup.xml, but I don't know if it could be edited manually in some way to add this. Kind regards and thanks!
# February 1, 2006 8:50 AM

Scott Yost said:

Hi Jose,
That's a good question. I asked around internally about it and we're planning to do a post about this in a few days.
# February 1, 2006 8:48 PM

BillC said:

Scott - thanks for this article. I'm testing the 700w for a large company and ran smack into their internal CAs. Now I get to keep my job.

I am still hung up on *.wildcard.com certs, 5.0 and ActiveSync. Got any suggestions?
# February 3, 2006 10:59 PM

Scott Yost said:

Hi Bill, I'm glad the article helped you. Unfortunately I have no help to offer on wildcard certificates - they're just not supported on the platform right now. More information: http://blogs.msdn.com/windowsmobile/archive/2005/11/03/488924.aspx
# February 4, 2006 11:45 AM

adrian said:

The reason why you may need to deploy *.cer files via a *.cab file is if you are using a OTA management system for wireless devices.  These typically only deploy *.cab files as far as I am aware.
# February 6, 2006 4:56 AM

Nick Poore said:

Okay, so I followed the instructions for my site, and it worked great.

I then followed the instructions for a 2nd site, but could not get it to work.

I'm assuming that the names you have chosen in your example do need to be unique.
Having installed the 2nd certificate, I get an OK message, and perform a soft reset.
However when I go to the SSL page using IE on the Treo700w, I get the "cert is not trusted" warning.  (The name & date are correct, it's just a trust issue.)

I've done a hard reset on the device, and still have the same issue.

Any suggestion?
The 2nd SSL cert is confidential, but if you email me at nick at nicholas poore dot com I'll be happy to email you more info.

Thanks.
-=Nick=-
# February 8, 2006 3:22 PM

Ricardo Meechan (rico) said:

Thanks for this! It's absolutely perfect for our company. We're in the process of migrating our users' devices from XDA IIs to MINI S and we use a custom root certificate for our ActiveSync connection... I will add this cab file to the extended ROM of the devices :)
# February 9, 2006 6:56 AM

Scott Yost said:

I looked into Nick's problem - his site was using an SSL cert from startcom.org but the server itself was not passing down the entire chain. The solution was to go to startcom.org, grab their root certificate and add that to the device. The instructions above can be misleading if the site is not sending down the entire cert chain. If the certificate at the top of the chain is not a self-signed root, you'll have to find the correct root and add it to the device.
# February 9, 2006 2:20 PM

Nino.Mobile said:

TGIF! (sort of.. I'll be working through the weekend yet again..*sigh*). Oh yeah,...
# February 10, 2006 9:02 AM

Steve Hansford said:

I followed these directions, but when I go to install the .cab file I get "Installation of rootcert.cab was unsuccessful." If you need further details, you can e-mail me at steve at ferguson.com.

Thanks.
# February 10, 2006 9:21 AM

karmstrong said:

installation of the root cab was unsuccessful

# March 2, 2006 1:49 AM

karmstrong said:

I downloaded the Windows Mobile 5 SDK but no makecab?
# March 2, 2006 12:18 PM

Scott Yost said:

Sorry, I was wrong about makecab - it actually ships in Windows. Check %windir%\system32.
# March 9, 2006 7:14 PM

Windows Mobile Team Blog said:

A few weeks ago I wrote about constructing CertificateStore XML by hand. You have to open up the certificate...
# March 12, 2006 11:32 AM

hyperdoc said:

I just took on a Cingular HTC 8125 with Pocket PC 5 and ActiveSync 5. It had the certificate issue because our Exchange server / IT guys use a locally created certificate. Tried loading the certificate directly, tried exporting in different formats. Some did work, some appeared to load, but nothing worked until I found this post.

I just went to our Exchange/OWA site via my PC's Internet Explorer and started the process described above.

Used Notepad to create the file, built the .cab, and then moved the file to the Pocket PC via ActiveSync file explorer. Once on the device, I just clicked on the .cab. To be safe I did a soft reset and voilà, it was working after 3 days of fighting it.

Thank you, Thank you. scyost
# March 16, 2006 10:38 AM

ROBERT said:

Thank you very much for posting this. I just got my hands on a Cingular HTC 8125. I had used my firewall's CA to issue a cert for my Exchange (lecture me later, I was being lazy). After reading through your article and its posts, I realized my issue was with the root. I installed Microsoft's CA, and did it right. Re-created my IIS cert. Followed your steps to generate the XML file, then into a cab. Installed this into my WM5, browsed OWA with no issue then configured ActiveSync. The device is now syncing.

After three days of fighting this, thank you very much for your time in creating this!
# March 17, 2006 4:07 AM

Kevin said:

I think the piece of information missing is the fact that you need to put the Thumbprint hash in and how to get it... that big long number that says characteristic type = is the thumbprint hash...

Once I figured that out , it worked like a champ..
# March 20, 2006 10:33 AM

Scott Yost said:

It makes sense if the pictures weren't broken.. I'll try to get that fixed.
# March 20, 2006 2:31 PM

casino said:

there a way to add the certificate to the normal application cab generated with the VS 2005 install project, so the same cab could install the application and the required root cert?
# March 21, 2006 11:44 AM

Waters said:

Hi, I was able to make and install the cab file, but still getting sync error (support code 0x80072F0D). I can see the certificate under the root. Any suggestions would be much appreciated.
Thanks
# March 27, 2006 8:47 PM

Windows Mobile Team Blog said:

Advanced issues you might run into when trying to add your own SSL certificates to the device for browsing...
# March 29, 2006 12:55 AM

Trent said:

I have the same problem as this gentleman...

Hi, I was able to make and install the cab file, but still getting sync error (support code 0x80072F0D). I can see the certificate under the root. Any suggestions would be much appreciated.
Thanks

Any ideas?
# April 15, 2006 6:02 PM

Richard Sperry said:

Note you must have _setup.xml as the name. Not blah_setup.xml.
# May 8, 2006 11:04 PM

Simon Parsons said:

Trying to install root certs to a SPV C600 with the AKU2 update on using this method just doesn't work! It does bizarrely work with an M600 though??

Anyone sussed how to get a root cert installed onto the C600 yet?
# May 17, 2006 7:45 AM

jdr said:

You need to call Orange if you're in the UK, to get them to unlock the phone so you can install the cert, otherwise it'll just say permission denied!

Something to do with the new AKU firmware blocking a certain registry edit tool didn't help either!
# May 18, 2006 10:55 AM

Rob said:

Well, Orange were really helpful. And I did manage to install the two certs that they kindly supplied.
I managed to install it by copying the cab to the My Documents on the C600 using active sync explore mobile device.  I then browsed to the file on the c600 select the file, menu options and run it from there. Both certs installed without any problem.
I got one cert from the browser certificate on the server and the other from the IIS.
However, I still get the "You cannot log on to the Microsoft Exchange Server ... certificate is not valid..." during the set up.  And "You have an incorrect SSL certificate common name in the Host Name field ..."  Anyone got any ideas how I can resolve this?
# May 25, 2006 7:45 PM

wl_tinus said:

I have the same issue as some of the people above.
The certificate is installed as root certificate on my PPC, but it is still giving a sync error (support code 0x80072F0D). Any suggestions on how to solve this?
# June 1, 2006 12:42 PM

wl_tinus said:

My certificate is installed as root certificate but I'm still getting a sync error (support code 0x80072F0D). I'm certainly not the only one with this problem. Any suggestions on how to solve this?
# June 1, 2006 12:44 PM

tlovell said:

Newbie here, and I know it's basic, but can you please elaborate on creating the XML to make sure I did this correctly. The way I did this is open the .CER file, cut and pasted it into a Word doc, hand edited in the <characteristic> & thumbprint line info, then Save As... an XML file type named "_setup.xml". Then I converted it to a .CAB file, moved it over to my 8125, it seemed to install OK, but still can't get certified to connect to my corporate wifi network. IT worked with it all day yesterday and determined I needed an additional certificate on my 8125 named "Collaborative Services CA" certificate, that is the one I used, that I generated with certmgr from my laptop. Still no connection, any suggestions?
# June 2, 2006 4:22 PM

tlovell said:

I take my original comment back,"...it seemed to install OK". I tried it a second time and it told me that it installed unsuccessfully. So now I'm questioning my XML file format, was that the proper way to create one? Also scyost, you mentioned in your original directions, "Construct certificate XML using the store, thumbprint and base64 encoded certificate blob". Excuse my ignorance again, but what is "store"? On a side note, I read in another BLOG about the WM2005 registry being locked for certificates, could this be my problem?
# June 2, 2006 4:59 PM

Scott Yost said:

The store should be "ROOT". If it turns out that you need additional (intermediate) certificates besides just the root, then those should be added to the "CA" store.
It is possible that for some device configurations this method won't work, but other posters have mentioned success on the 8125 so I think it will work for you.
One idea - you said you created the XML in Word. Word tends to change quotes to "smart quotes" and those will not work in the XML. Try using notepad to create the XML instead.
# June 3, 2006 7:45 PM

Scott Yost said:

I just remembered what the 8125 device is - this method will definitely work on that device. It should work on any Pocket PC device.
# June 4, 2006 6:45 PM

smaskell said:

Does this method work on any CE based device?  I have a unit that is CE.net 4.2 only, not PPC.  Will this method work on it?  This is sort of rhetorical as I tried it and I see a brief setup dialog flash up then disappear and the cert doesn't appear in the root list anywhere.

thanks
Scott
# June 6, 2006 9:57 AM

kurterodriguez said:

Tried all the above with both self signed default website certificate as well as one of the trusted located in the trusted certificates folder on local machine. Motorola Q still does not allow for cab nor cer install. Any suggestions?
# June 6, 2006 3:29 PM

Joe said:

Moto support tells me you cannot install a cert directly on the Q; you need to do it through a cab install. Eighteen hours of pulling my hair out supports their suggestion. This doc showed me the light. :-)

I have NO idea whether the additional steps I took (above and beyond these instructions) are correct or not but they worked for me.

I followed the instructions as provided with these exceptions:
1. Export the cert to Base-64 and use the Thumbprint from that file.

2. Be sure to install your root cert first and then your intermediate cert, if you have one; you may not.

3. Better safe than sorry - Before you start do a hard reset on the Q (Start | System Tools | Master Reset.)

4. Better safe than sorry - Always delete your Activesync setup if you sync and it fails for whatever reason (Start | Activesync | Menu | Options | Menu | Delete).

My experience, though, is that these instructions work.
# June 6, 2006 9:13 PM

Scott Yost said:

Hi Joe,
Glad you were able to get it to work. None of those four steps you describe should make a difference, though. :)

Kurt - I was able to install a cert onto a review copy of the Q last week in the office using this method. Can you be more descriptive about what's happening on your end?
# June 7, 2006 2:21 AM

JB said:

For those of you getting unsuccessful cab installs.  Make sure your thumbprint in the XML file does NOT contain any spaces.  If you copy and paste the thumbprint from the cert details, the spaces are pasted as well.  Delete the spaces.  I saw a colleague run into this problem.  Once we found the error, the cab installed normally.
# June 9, 2006 6:18 PM

gabrielstan said:

Hi, I am using this method to install root into Cingular 2125 and it works fine:
I am checking by:
Start \ Settings (7) \ Security (7) \ Certificates (4) \ Root (2) \ More (0) and yes it is there last one,
So far so good, but since I do not know the XML syntax for _setup.xml I cannot import the key for my MS Exchange Server for ActiveSync
<wap-provisioningdoc>
<characteristic type="CertificateStore">
 <characteristic type="ROOT" >  .... I assume "CA" ?
Can you point me in the right direction?
# June 13, 2006 1:18 PM

Loren said:

For the Verizon Motorola Q you can use the VZW_SpAddRootCert utility to install a root cert. You'll need to DL the utility from MS and copy it to the phone, then create a directory called IPSM at the root of the phone and copy your root cert there. Then run VZW_SpAddCert from the phone and follow the prompts to add the cert.

Check here for poorly written instructions and a link to DL the utility:
http://support.microsoft.com/?kbid=841060

Verizon has the Q really locked down (idiots). The RegEdit tools won't work and I couldn't get an XML rolled into a cab to work either.

The amount of time I've spent trying to get WM5 devices to work properly is ridiculous given that it could have been avoided if MS had included a full set of root certs on the device.

Loren
# June 15, 2006 1:43 AM

Bud said:

Hi. I used this method to install root on a T-Mobile MDA with Cingular 8125 ROM (2.25), and I get the following error:
"You have an incorrect SSL Certificate common name in the Host Name field. For example, you may have entered www.tailspinstoys.com when the common name on the certificate is actually www.wingtiptoys.com. Make sure the server name in entered correctly."

The support code is: 0x80072F06
Our exchange IT guys locally create the certificate.

Any help would be greatly appreciated.

Bud
# June 20, 2006 8:13 AM

Brian said:

Does the *.cab work for the 700p?
# June 22, 2006 11:11 PM

ronholla said:

I found this thread after trying to get help (for 3 hours!) from Sprint (not!) for the 0x80072F0D error while trying to sync a new Sprint PPC-6700. I finally copied the cert (.cer) file to the unit (into the My Documents folder) and just opened it. Voilà! It installed the root cert. This did NOT work for a Cingular HP iPAQ hw6515a GSM/EDGE "Mobile Messenger" however, so I'll try this cab technique.
# June 23, 2006 1:08 AM

Matze said:

Hi, first I have to apologize for my bad English.

I want to establish access to an 802.1x secured wireless network for Windows Mobile 5.0 clients. For this reason I need to import a client certificate on the Windows Mobile 5 device. On WM 2003 I tried this with the certificate enrollment tool. But the certificate requested this way was a user, not a client, certificate.
So is there any possibility to import a certificate which is stored on a Windows Mobile 5 device independent of the user who uses the device?
Perhaps somebody can help me?!
# June 23, 2006 4:07 AM

Mike said:

I have gone through and installed both certificates in the chain using a cab file for both and I'm still getting support code 0x80072F0D. Does anyone have any suggestions?

You can contact me at mike dot hall at perigoneng dot com. Any help or suggestions would be greatly appreciated.
# June 23, 2006 11:39 AM

Nick Clark said:

We have a Motorola Q from Verizon and used VZW_SpAddCert to install our root cert, however we're still having problems. We are asked to verify the server name and the support code is 0x80072EE7. This gives us nothing but Windows Update support docs. We have a Win2k3 Std w/ SP1 & Exch2003 Enterprise w/ SP2 and all updates. Can anyone give me the proper syntax for listing the server name in the phone's configuration? Thanks to all.
# June 23, 2006 4:47 PM

SY said:

This method worked great for a root cert. What about a personal cert? I tried editing the XML field <characteristic type="ROOT"> and replacing it with <characteristic type="Personal"> but that doesn't work.

Is it as simple as changing this string to another value to install a personal cert?

Thanks,
SY
# June 28, 2006 6:44 AM

Scott Yost said:

The store name is "MY". You won't be able to install the private key via the CertificateStore CSP though. I would suggest trying out the tool at http://www.jacco2.dds.nl/networking/p12imprt.html for importing full client certs.
# June 28, 2006 1:17 PM

clint said:

I believe that I am in the worst way with the Q!  I have been killing myself with it over the last 2 days.  I just came across this board and have no idea where to go.  Can someone explain how to make the xml file.  What is the certificate blob?  When I copy the cert in base 64 all it does is put a copy of it on the desktop.  I am really confused at this point.  Also I tried to put the cert in IPSM directory and it didn't work either.  It gave me a invalid error message.
# June 28, 2006 2:59 PM

glyn davies said:

I am looking at the information in my cert (created by my SBS 2k3 server) but I only have 1 entry in the cert path and nothing else (being a tree made up of just the server's external domain).

Also when I do a type on the cert, e.g. c:\>type acert.cer, I am not getting anything like what you have got, just a load of crazy characters.

Any Ideas ?


Ok.. I know you are wondering.. I am trying to use my Orange SPV5000 to connect to a SBS 2k3 server with the wonderful notion of getting ActiveSync to work.

Any ideas folks before I have to put my hairdresser on hold as I will be bald with all this hair tugging...
# June 29, 2006 9:18 AM

Scott Yost said:

Hi Glyn,
If the data in the cer file is not human-readable, I'd guess you exported it as a DER-encoded file instead of base-64. Check the third screenshot above.
# June 29, 2006 11:59 AM

Jon said:

Does this or any other method work to get the cert installed on a 700p?  I have not been able to find a utility for the 700p that works the way the Verizon utility works for the 700w and the motorola Q.
# June 29, 2006 3:59 PM

Scott Yost said:

The 700p runs the Palm OS, not Windows Mobile. So I have no idea how to add a certificate to it.
# June 29, 2006 4:20 PM

englitob said:

I figured it out!!  My cert was bought from Rapid SSL and I kept getting the 0x80072F0D error when I tried to enable SSL either 128 checked or not.  I could access OWA or OMA fine through https.  I went on Rapid SSL's website and read something about not being like other chain certificates.  Looked at the root certs installed on my Sprint PPC 6700 and found Equifax Secure Certificate Authority, but not Equifax Secure Global eBusiness CA-1.  I looked in my IE browser on my desktop and found under tools-->Internet Options-->Content-->Certificates-->Trusted Root Certification Authorities tab and found the Equifax Secure Global...made it a cab file using the above instructions as above, copied it to my 6700, ran the cab, enabled security on the server (128 bit checked), enabled security on the 6700, sync'd and PRESTO!!  It WORKED!!
# July 1, 2006 12:05 AM

Julian said:

Here is how it works:

Whether you need an XML file or can double click on the *.cer file to install it onto your PDA/WM5, the most important thing is to get the correct root certificate. Most SSL providers have more than one, so just going to the SSL provider's website and downloading any old root certificate won't work.

For example, I purchased a RapidSSL certificate. When I downloaded their only root certificate provided for their standard SSL certificate, it was called "Equifax Secure Global eBusiness CA-1". However, when I opened my website with the recently purchased SSL certificate on it and opened the SSL certificate for that page, IE told me that this page was being protected by a root certificate called "Equifax Secure eBusiness CA-1". This was different to the only root certificate made available on the RapidSSL website!!! (One had the word "Global" in it and the other one didn't)...

I ended up doing a google search for the exact root certificate name and found the following page: http://geotrust.com/resources/root_certificates/index.asp - This had many root certificates on it, and one of them was the one I needed.

After I did this, all was well... If you get another error after this, make sure the right ports are open and if you are using ISA server, try buying a book. They are very helpful in getting through the rest of the settings required.

In summary, just because you have a root certificate from the SSL provider you purchased your SSL certificate from, it doesn't mean you have the right one. Make sure the root certificate name EXACTLY matches the root certificate connected to your SSL protected website.

Also note these points:

1. Make sure that your SSL certificate matches the domain name that you are protecting! Duh!

2. I have an i-mate SP5 and it can install a .cer file without the install file mentioned on this page. All you have to do is use the file manager, browse to where you copied the .cer file and make sure you are in list view (so you can see files as well as folders), then click on it. Make sure the .cer file is in DER format (not Base-64) otherwise it won't open. This may work for other devices, but the i-mate SP5 is all I have...

I hope this helps some people....
# July 3, 2006 7:03 PM

Neadom Tucker said:

I have spent the last 4 days trying to resolve this issue with a Motorola Q. It is driving me nutz!!!
I am administrator of our company domain and I am running W2k3 SP1 with Exchange 2003 SP2. This is our DC and is the CA for the domain. I go under the default website and copy to file in DER format and call it root.cer. I then take that file and email it to myself. I then open the file in Notepad to get the information above and copy and paste the headers with the modification to the thumbnail information. I make the cab file and it installs on the Q. I am still getting an invalid cert error when I sync the phone. Anyone get this working with a self-signed cert?
Thanks
# July 5, 2006 9:43 PM

Jim_zhu said:

Hi, first I have to apologize for my bad English.
I use EVC Cabwiz.exe to create *.CAB files, but I don't know how to put, for example, 1.exe and 2.exe into one package.
I think you know how to write the *.inf; please tell me.
My e-mail: zhujm@vlive.cn

Many thanks!
Could you show me a demo of writing a *.inf file for Cabwiz.exe? Right now I have no problem packaging a single file, but I have some trouble packaging 1.exe and 2.exe together in one package. Also, during installation it always prompts "The program you installed may not display properly because it was designed for a previous version of Windows Mobile software", but after I click OK the software works fine. Could you please tell me how to get rid of this prompt? Thank you, and could you provide a demo?
# July 6, 2006 3:14 AM

Windows Mobile Team Blog said:

I'm trying to gather some additional data to help address this problem. If you've had trouble syncing...
# July 6, 2006 2:19 PM

James B said:

I get the following error message when trying to install the .cab file -
"Installation was unsuccessful. The program or setting cannot be installed because it does not have sufficient system permissions."
This is an unlocked Qtek 8500.
What else can I try?
# July 6, 2006 6:04 PM

RMK said:

After about 1 hr. of work I finally was able to install a certificate on a Sprint PPC 6700.

On this device, you have to get the certificate on the device via active-sync.  The trick is to use the DER encoded format and NOT the base-64 encoded format as mentioned in other attempts. Clicked on the certificate and it installed!

Good luck.
# July 23, 2006 1:42 PM

Myron Johnson said:

OK. I finally figured everything out and was able to create a functional .CAB for a client's SBS Server. It successfully installed on MY Sprint PPC6700. Now to see if it works on the owner's new Verizon PPC6700!

One thing that kept messing me up was that I didn't copy the Thumbprint to the "Characteristic Type" line in the .XML file. I kept assuming that the one shown in the example was, magically(?), the same as the one in MY certificate. Once I got past that hump, the "...unsuccessfully installed..." messages changed to "...successfully installed..."

Thanks!
# July 24, 2006 10:22 PM

Myron Johnson said:

Well, after successfully using the CAB on a Sprint PPC6700, I tried it on a Verizon 6700. The Verizon complained about an "unsigned program", but seemed to accept the Certificate. The Root Certificate Store on the PPC shows the proper certificate, with an expiration date of 2011.

HOWEVER, browsing to my Remote Web Workplace SSL site on my SBS 2003 Server, I get a warning that the Certificate has EXPIRED. The two other checkpoints on the certificate are fine. I'm surprised to see this problem. Anybody encountered an "Expired Certificate" warning after a valid certificate was installed on a Verizon PPC6700? Thanks!
# July 25, 2006 7:21 PM

regan said:

I have an issue with installing a cab...  my provider has released a file which opens the phone a bit more to modification... the problem is, I cannot combine their xml file with the cert xml file because it will not work.  If I install their cab and then install my cab everything works just fine.  I have checked syntax and structure and everything is fine (to my knowledge).  Any ideas?

An example of my attempted xml file can be seen on this post of mine:

http://forums.pocketpcfaq.com/viewtopic.php?p=46330#46330
# August 1, 2006 12:23 PM

Windows Mobile Team Blog said:

Say hello to the SslChainSaver tool. This is a tool that I wrote internally to troubleshoot SSL connections...
# August 11, 2006 12:47 PM

jstraumann said:

Hi:

I tried these steps for my new MotoQ, but got a message "Installation of rootcert.cab was unsuccessful. The installation file is not intended for this device"...

Any idea what I can do?

John.
# August 15, 2006 6:57 AM

Ed said:

Just wanted to add here the very important fact that you have to add ALL certs in the cert chain. When you right click in a blank area of OWA and select Properties, there's a tab showing the Certification Path.. Make a copy of ALL of the certs and the certificate error goes away from browser and from ActiveSync.
# August 22, 2006 3:49 PM

Chris said:

The bible on this, straight from the horse's mouth: http://motorola.custhelp.com/cgi-bin/motorola.cfg/php/enduser/std_adp.php?p_faqid=12932&p_topview=1

Did it, worked great, took all of 5 min.  Just make sure the .cer file is a DER encoded binary.
# August 25, 2006 12:51 AM

Chris Lakey said:

Hi,

Thanks for the excellent info - worked a treat! THANK YOU :)

NB: For anyone interested in a longer FAQ detailing what I had to do to get this working using Apache as a reverse proxy and using OpenSSL - I posted one on the tek-tips forum.

http://www.tek-tips.com/viewthread.cfm?qid=1276155&page=1

CHEERS - Chris.
# September 8, 2006 2:09 AM

Tuur said:

The confusion for me and I think a lot of other persons who have posted here is the export of the certificate.
I made the wrong export. I took the thumbprint of the certificate on my OWA server but you have to take the thumbprint of the CA!
I think you should red circle the 'view certificate' in the first picture because many persons including me just hit the second tab and take that thumbprint...

In my case I use an enterprise root CA of my Windows 2000 domain. For testing I use a Dell Axim X51 with Mobile 5. I can simply click the .cer file once I have copied it with ActiveSync to my file explorer. Once this is done, the root is trusted and I can sync with my OWA server.
# September 14, 2006 8:15 AM

Marc Masnor said:

How do I find certs installed on a WM5 PPC?

I've tried the procedure above and have had successful cert installations. But, I still can't browse my OWA email - and I could before WM5. The same error pops as before the cert.

Could bad certs be causing a problem?

I also received and tried a cert from the OWA server staff for WM5 mobile phones. It installs, but I get the same error (see 1 June support code posts above).
# September 22, 2006 1:15 AM

Claudio said:

I've tried to install the certificate through the cab file... but my i-mate SPM5 Windows Mobile 5 device won't do it...

It tells me that I haven't the rights to do that operation...

What can I do now?

# October 4, 2006 8:24 AM

Vino said:

Scott, in your reply in this post - http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making-a-root-cert-cab-file.aspx#522712

you mentioned 'I asked around internally about it and we're planning to do a post about this in a few days.'

Has the post come up yet ?

Thanks,

Vino

# October 8, 2006 10:01 AM

Scott Yost said:

Hi Vino - yes, Brian Cross made the post here: http://blogs.msdn.com/windowsmobile/archive/2006/02/03/524592.aspx

# October 9, 2006 9:19 PM

chris smyth said:

On a Treo 750v from Vodafone it was a case of importing a self-signed root and the leaf certificate. I opened OWA and saved both from there (one at a time) in DER format, then copied them using ActiveSync on USB onto the device. Double clicking them installed and saved them and hey presto. I will say though, make sure the address you're trying to connect to is exactly right in the settings.

# October 12, 2006 7:02 AM

Martin Wiedmeyer said:

Now that I have the root cert installed, I find I have to change it.

How does one remove a cert which has been installed via a CAB file?

A cert management utility would be very handy :-).

MPW

# December 18, 2006 10:56 AM

Scott Yost said:

On PPC you can remove it via the Certificates control panel. You can do it with a cab too - documentation is on MSDN here. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/DevGuideSP/html/sp_wce51samdeletingcertificateexampleozup.asp

In a nutshell, remove the parm entries from the XML and change the characteristic to nocharacteristic.

# December 18, 2006 6:37 PM
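The transformation Scott describes above (drop the parm entries, rename the per-certificate characteristic to nocharacteristic), as an added example rather than code from the post or from the MSDN page it links. The sample install document and its thumbprint are constructed placeholders in the shape used in this thread; the assumption that `nocharacteristic` keyed by the thumbprint under the store node is the removal form follows Scott's description, not a spec I have on hand:

```python
import xml.etree.ElementTree as ET

# Constructed sample: an install document in the shape used in this thread.
# The thumbprint and blob are placeholders, not a real certificate.
SAMPLE_INSTALL_XML = """<wap-provisioningdoc>
 <characteristic type="CertificateStore">
  <characteristic type="ROOT">
   <characteristic type="0123456789abcdef0123456789abcdef01234567">
    <parm name="EncodedCertificate" value="PLACEHOLDER-BASE64-BLOB"/>
   </characteristic>
  </characteristic>
 </characteristic>
</wap-provisioningdoc>
"""


def to_removal_doc(install_xml: str) -> str:
    """Turn an install document into a removal document: discard the parm
    entries and rename each per-certificate characteristic (keyed by its
    thumbprint) to nocharacteristic, leaving the CertificateStore/ROOT path
    intact so the device knows which store to delete from."""
    root = ET.fromstring(install_xml)
    store = root.find("characteristic[@type='CertificateStore']")
    if store is None:
        raise ValueError("no CertificateStore characteristic in document")
    for store_node in store.findall("characteristic"):      # ROOT, CA, MY, ...
        for index, cert_node in enumerate(list(store_node)):
            if cert_node.tag != "characteristic":
                continue
            thumb = cert_node.get("type", "")
            if len(thumb) != 40:                             # SHA-1 hex thumbprint
                raise ValueError(f"unexpected certificate key {thumb!r}")
            # The new element carries only the key; the EncodedCertificate
            # parm beneath the old element goes away with it.
            store_node.remove(cert_node)
            store_node.insert(index, ET.Element("nocharacteristic", {"type": thumb}))
    return ET.tostring(root, encoding="unicode")


def removed_thumbprints(removal_xml: str) -> list:
    """List the thumbprints a removal document would delete, so the file can
    be checked before it is packed with makecab."""
    root = ET.fromstring(removal_xml)
    return [node.get("type") for node in root.iter("nocharacteristic")]


if __name__ == "__main__":
    doc = to_removal_doc(SAMPLE_INSTALL_XML)
    print(doc)
    print("would remove:", removed_thumbprints(doc))
```

The output is saved as _setup.xml and packed with makecab exactly as the install document was; `removed_thumbprints` is the check to run on the result before sending it to a device, since a document that still contains a parm entry will install rather than remove.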

JMaKAY said:

Worked on the HTC TYTN by downloading it as a der encoded binary format.

Thanks

Complete novice to XML and certificates but found all your comments very useful

# December 19, 2006 11:24 AM

Frustrated Doc said:

Has anyone managed to get the email certificate to work on the Treo 750 running WM5? I have an exchange server synching OTA and had a TyTn working without a lot of problems, I am able to install the Personal, Intermediate and Root Certificates but when I create an email, if I try to sign or encrypt, I get error msg "The Message Cannot Be Signed/ or Encrypted"

What am I doing wrong? I can see all the certificates that I have installed in the respective stores on the Treo

# January 9, 2007 11:02 PM

Bas said:

I had some trouble setting this up. But now it works on a qtek 9100 with the cab file. To make it work I had to delete the current exchange profile in active sync and recreate it. Then the sync works.

If I don't follow this step the active sync fails with the error: Your exchange server requires a certificate, please log onto your corporate network to obtain a certificate.

# January 17, 2007 1:20 PM

onedrop said:

Hi I tried and make the cab file and run on my O2 xda mini.  It gave this error, " The file .....cab is not a valid Windows CE Setup file.

Any clue?

Thanks.

# January 25, 2007 3:53 AM

Greg Bray said:

After a week's worth of research I thought I would post what I found:

- I couldn’t ever get the cab file to work on my HP IPAQ 4700 running windows mobile 2003. It keeps giving an error message saying “The file .....cab is not a valid Windows CE Setup file”. I tried changing the extension to cpf and then all it would do is delete the file when you tried to run it. I also tried using cabwiz to create a cab based installer and append the xml to the _setup.xml file, but it still didn’t work. No error message, and no new certificate in the root.

- The easiest way I found to install the certificate was to save it to a file, copy it to the device, and open it using file explorer. This works alright, but it still isn't an automated process. The cabwiz method should be able to streamline the process into an application installation file, but so far no luck.

- Also, please note that Pocket PC 2003 and Windows Mobile 5 devices do NOT support wildcard SSL certificates. Even the Compact Framework Version 1 and 2 do NOT support wildcard SSL certificates. I don't know why Microsoft neglected to implement this feature, but I have heard rumors that it works in Pocket PC 2002 (what the @#!%*!!!)

- Sidenote: version 1 of the compact framework does not support SSL connections when using a proxy server that requires authentication. It seems to be a bug in the framework, but luckily it was fixed for version 2.0 and you can force older code to run using the newer framework using an xml application configuration file (search for supportedRuntime and use version="v2.0.6129")

Hopefully this will help someone before they go insane like I did. I ran into all of these issues on one project and was about ready to throw the damn PDA out the window, since all of them are trivial issues that Microsoft should have found and fixed before releasing to the public.

# February 7, 2007 3:35 PM

mfernandez said:

I am totally lost! I have a small business and I need to connect to the exchange server to a Treo 750 and am getting the certificate error. I have access to all the information I need to get the certificate but my knowledge of xml and the like is extremely minimal. Can you break down your steps as if you would for an idiot?

Thank you!

# February 23, 2007 12:51 PM

Ole said:

I do not recommend my customers to buy WM5 on SmartPhones and other devices that have certificate problems. It has become too expensive to install certificates. More people do the same. That will teach MS to listen over time.

# March 12, 2007 7:59 PM

selva_rajk said:

Hi

I have a ROOT certificate I got from OpenCA. For this root certificate, how can I generate the intermediate XML files to sign my application to get privileged access?

Thanks in advance.

# April 27, 2007 7:38 AM

ChadAmberg said:

We've automated this entire process at http://www.digitallabs.net/mcb

Even includes a standalone .exe for end user deployment.  This will build the _setup.xml, the cab file and everything.

# May 5, 2007 5:53 PM

fantasio said:

I don't get why you guys didn't fix that issue in Windows Mobile 6.

We confirmed the above described behavior. We're using such a certificate to connect mobile devices (like Windows Mobile) with our wireless LAN through 802.1x authentication. We got it running with the third-party software alfa ariss. It still won't work with the native PEAP supplicant.

Any ideas?

Regards, fantasio

# May 24, 2007 9:54 AM

Karl-johan said:

I had "installation of the root cab was unsuccessful" until I changed the file format of the _setup.xml to ANSI (was UTF-8 earlier).

May help some of you out there.

# June 8, 2007 3:38 AM

Bob said:

Thanks a lot Julian concerning the rapidssl root certificates information.

# June 12, 2007 11:22 AM

Coppernicus said:

Here is a little jewel for those of you still having problems. I have scripted this procedure into a small program; all you need is the CA certificate in DER format, or have it installed and it can be extracted. This program creates the completed .cab file that can be copied to the mobile device and run (from the device) to install the certificate.

http://www.anykeycomputers.net/VM_Cert_Cab.exe

or

http://www.anykeycomputers.net/vm_cert_cab.zip

# June 20, 2007 12:18 PM

Jason said:

I have tried this process repeatedly but continue to get the error, installation of the root cab was unsuccessful. It occurred to me that maybe I am acquiring the certificate info from the wrong source. Thus far I have been viewing the certificate from home through Outlook Web Access, however, I am wondering if I need to acquire the certificate info from my PC at work that directly accesses the Exchange Server. I assumed the certs were the same but maybe they are not. Can anyone confirm where to get the cert info from?

# June 25, 2007 8:48 AM

kpd151 said:

I have tried this process repeatedly with no luck. I am not sure what I am doing wrong. I am going to OWA and accessing the cert. I copy it to the desktop and open it with Notepad. I copy and paste the text above (changing out the thumbprint and base64 encoded certificate blob). I then save this file as "_setup.xml", then I do a save as again from Notepad and change the file name to "makecab _setup.xml rootcert.cab". I use ActiveSync to move it to the handheld and click to install but every time I get a message that says "installation of the root cab was unsuccessful". Any suggestions on what I am doing wrong?
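Several of the failures reported in this thread come from the same few steps: a .cer saved in the wrong format (Chris's point about DER), a thumbprint taken from the wrong certificate (Tuur's point), a _setup.xml written in a non-ANSI encoding (Karl-johan's point), and the makecab command being mistaken for a file name (the comment just above). The script below is an added example, not the blog's or Microsoft's tooling: it accepts the .cer in either DER or Base-64 form, checks that the DER is one complete certificate structure, derives the thumbprint from the very bytes it embeds (so the two cannot disagree), writes the provisioning XML as plain ASCII with no byte-order mark, and reads the file back for a final check before makecab is run. The sample certificate bytes are a constructed 7-byte ASN.1 SEQUENCE standing in for a real CA certificate's DER; the assumption that the UTF-8/ANSI difference comes down to the BOM Notepad writes is mine:

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: a 7-byte DER SEQUENCE standing in for a CA certificate's
# DER encoding (a real certificate is also one outer SEQUENCE, just far longer).
SAMPLE_DER = b"\x30\x05\x02\x01\x01\x05\x00"
# The same bytes as a "Base-64 encoded X.509 (.CER)" export would present them.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_is_well_formed(der: bytes) -> bool:
    """True if the data is exactly one ASN.1 SEQUENCE: tag 0x30 and a length
    field that accounts for every byte present. Catches a truncated .cer or
    one mangled by a text-mode copy."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length (< 128 bytes)
        header, length = 2, first
    else:                                  # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def load_der(data: bytes) -> bytes:
    """Accept a .cer in DER (binary) or Base-64/PEM form and return the DER."""
    m = _PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True) if m else data
    if not der_is_well_formed(der):
        raise ValueError("input is not a single well-formed DER certificate")
    return der


def thumbprint(der: bytes) -> str:
    """The thumbprint Windows displays is the SHA-1 hash of the DER encoding."""
    return hashlib.sha1(der).hexdigest()


def build_setup_xml(der: bytes, store: str = "ROOT") -> str:
    """Provisioning XML in the shape used in this thread; the thumbprint and the
    blob are computed from the same bytes, so they cannot refer to different certs."""
    blob = base64.b64encode(der).decode("ascii")
    return (
        "<wap-provisioningdoc>\n"
        ' <characteristic type="CertificateStore">\n'
        f'  <characteristic type="{store}">\n'
        f'   <characteristic type="{thumbprint(der)}">\n'
        f'    <parm name="EncodedCertificate" value="{blob}"/>\n'
        "   </characteristic>\n"
        "  </characteristic>\n"
        " </characteristic>\n"
        "</wap-provisioningdoc>\n"
    )


def parse_setup_xml(xml: str):
    """Read a document back and return (thumbprint, DER), raising if the blob
    does not decode or does not hash to the thumbprint it is filed under."""
    root = ET.fromstring(xml)
    node = root.find("characteristic[@type='CertificateStore']/characteristic/characteristic")
    parm = node.find("parm[@name='EncodedCertificate']") if node is not None else None
    if node is None or parm is None:
        raise ValueError("document lacks the CertificateStore/<store>/<thumbprint>/parm path")
    der = base64.b64decode(parm.get("value"), validate=True)
    if thumbprint(der) != node.get("type"):
        raise ValueError("thumbprint does not match the embedded certificate")
    return node.get("type"), der


def write_setup_xml(path: str, xml: str) -> None:
    """Write the file as plain ASCII: no byte-order mark, nothing outside 7-bit
    (assumption: that is what the 'ANSI not UTF-8' fix in this thread amounts to)."""
    with open(path, "w", encoding="ascii", newline="\r\n") as f:
        f.write(xml)


if __name__ == "__main__":
    doc = build_setup_xml(load_der(SAMPLE_PEM))
    write_setup_xml("_setup.xml", doc)
    print(parse_setup_xml(doc)[0])        # thumbprint as the device will file it
    # then, at a command prompt:  makecab _setup.xml rootcert.cab
```

Run it against the real CA certificate by replacing `SAMPLE_PEM` with the bytes of the exported .cer (either format works); makecab is then a separate command typed at the prompt, not a file name to save under.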