Personal Certificate Import Utility for Pocket PC 2003 and Windows Mobile



Last update: Mar 8, 2015

A "Personal Certificate" issued by any Certificate Authority (CA).

A private key which corresponds to this certificate.

Zero or more "Root Certificates".

Zero or more "Intermediate CA Certificates".

User authentication in L2TP/IPsec VPNs.

Web client authentication in Pocket Internet Explorer (SSL, HTTPS).

User authentication in 802.1x wireless networks (EAP-TLS only).

Microsoft Office Communicator Mobile Client.

Sending and receiving encrypted e-mail (S/MIME).

Exchange ActiveSync certificate-based authentication.

Other third-party applications that happen to support personal certificates.



1.2 Author

The author of this document is Jacco de Leeuw (contact me). Corrections, additions, extra information etc. are much appreciated.

The official name of Pocket PC 2003 is Windows Mobile 2003 for Pocket PC, which is often abbreviated to WM2003 or PPC2003. Windows Mobile 5.0 for Pocket PC is often abbreviated to WM5.0 and likewise for Windows Mobile 6. These are based on a light-weight variant of Windows called Windows CE.

3.1 When is a personal certificate required?



In the introduction I already listed a number of applications that use personal certificates. However, the three main applications for which you can use P12imprt are: L2TP/IPsec, EAP-TLS and web client authentication.

As mentioned in the introduction, there are several applications that require a root certificate but not a personal certificate. So, how do you install a root certificate on Windows Mobile based devices? For Pocket PC 2002 you had to use a separate program available from Microsoft: AddRootCert.exe. You copied the certificate file to your PPC2002 device, ran the AddRootCert.exe utility and the certificate was added to the Certificate Store. On Windows Mobile 2003 Smartphone and Windows Mobile 2002 Smartphone you use a similar routine.



On Pocket PC 2003 and Windows Mobile it is much easier to import a root certificate. In most cases you don't have to use a separate utility. Root certificates can be installed using the File Explorer application (to be more precise: the ShellExecute function, which in turn calls the built-in program certinst.exe). The procedure for importing a root certificate is as follows. You copy the certificate file to the device, you start File Explorer and then simply tap the filename. Make sure that the certificate filename has the extension .cer. On Pocket PC 2003 and Windows Mobile 5.0 the file has to be in DER format. DER is a binary format. Another common format is PEM, which is a text-based format in Base64 encoding (the first line starts with: -----BEGIN CERTIFICATE-----). PEM certificates are not supported by Pocket PC 2003 and Windows Mobile 5.0: you will have to convert them to DER with OpenSSL, or import the PEM certificate on a desktop Windows computer and then re-export it to DER. Windows Mobile 6 supports both DER and PEM. More information can also be found on this page.
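The paragraph above says a .cer file must be DER on Pocket PC 2003 and Windows Mobile 5.0, and that PEM files have to be converted first. On a desktop the OpenSSL one-liner for that is openssl x509 -in cert.pem -outform DER -out cert.cer. The following is an added example, not code from this page or from P12imprt, that does the same conversion without OpenSSL and also checks the result the way certinst.exe would silently not: it tells PEM from DER by the armour header versus the leading ASN.1 SEQUENCE byte (0x30), converts the first CERTIFICATE block, and rejects a file whose DER-declared length does not match the file size (a truncated or padded .cer fails to import with no useful message). The function names and the sample certificate bytes are constructed for this example; the sample is a minimal SEQUENCE, not a real certificate.

```python
"""Detect PEM vs DER and convert PEM to DER for a .cer file.

Added example (not part of the original page). The sample data at the bottom
is a constructed ASN.1 SEQUENCE{INTEGER 5}, not a real X.509 certificate.
"""
import base64
import re

# A PEM block: header line, base64 body, footer line with the same label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the raw bytes of a certificate file."""
    # PEM is text and carries an armour header such as -----BEGIN CERTIFICATE-----
    if PEM_RE.search(data):
        return "PEM"
    # A DER X.509 certificate is an ASN.1 SEQUENCE, so its first byte is 0x30
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_declared_length(data: bytes) -> int:
    """Total length (header + content) declared by the outer DER SEQUENCE.

    Handles both the short form (one length octet < 0x80) and the long form
    (0x80 | n, followed by n big-endian length octets).
    """
    if data[:1] != b"\x30" or len(data) < 2:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                       # short form
        return 2 + first
    num_bytes = first & 0x7F               # long form: number of length octets
    if num_bytes == 0 or len(data) < 2 + num_bytes:
        raise ValueError("malformed DER length")
    length = int.from_bytes(data[2:2 + num_bytes], "big")
    return 2 + num_bytes + length


def pem_to_der(data: bytes) -> bytes:
    """Convert a PEM certificate to DER; pass DER through unchanged.

    Only the first PEM block is used, because a .cer file holds exactly one
    certificate. The block must be a CERTIFICATE (not a private key or a
    PKCS#7 bundle), and the decoded DER must be exactly as long as its outer
    SEQUENCE says it is.
    """
    fmt = detect_format(data)
    if fmt == "PEM":
        m = PEM_RE.search(data)
        if m.group(1) != b"CERTIFICATE":
            raise ValueError(f"PEM block is a {m.group(1).decode()}, not a CERTIFICATE")
        body = b"".join(m.group(2).split())   # strip the line breaks in the base64
        der = base64.b64decode(body, validate=True)
    elif fmt == "DER":
        der = data
    else:
        raise ValueError("file is neither PEM nor DER")
    if der_declared_length(der) != len(der):
        raise ValueError("DER length does not match file size (truncated or trailing data)")
    return der


# Constructed sample: SEQUENCE { INTEGER 5 } in DER, and the same bytes PEM-armoured.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("sample.pem", SAMPLE_PEM), ("sample.cer", SAMPLE_DER)):
        print(name, detect_format(blob), pem_to_der(blob).hex())
```

To convert a real file, read it in binary mode, pass the bytes to pem_to_der() and write the result to a file with the .cer extension before copying it to the device; the length check is what catches a download that was cut short or a file that was saved with a stray trailing line.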



3.3 Installing a personal certificate



On Pocket PC 2003 and Windows Mobile 5.0 you can use File Explorer to install "Root" (CA) certificates, but not "Personal" certificates. A personal certificate has an associated private key which also has to be installed (see "Public Key cryptography" for the basics on this). There are basically two methods of installing a personal certificate: certificate enrolment and certificate import. Pocket PC 2003 and Windows Mobile 5.0 do not support importing personal certificates via File Explorer, unlike desktop Windows and Windows Mobile 6.



3.3.1 Certificate enrolment



P12imprt for Windows Mobile 2003, Windows Mobile 5.0 and Windows Mobile 6, available from this webpage.

PFXimprt for Windows Mobile 5.0 and Windows Mobile 6.



Crtimprt for Windows Mobile 2003, Windows Mobile 5.0 and Windows Mobile 6.

PPCCertImport for Windows Mobile 2003, Windows Mobile 5.0 and Windows Mobile 6. By Kiko Vives Aragonés and Antonia Saez Bernal.




p12imprt.zip (version 0.3, size 320 KB, released 6-Jun-2007) - (PGP sig)


Copy the p12imprt.exe executable to the Windows Mobile device. You can use any method to do the transfer: ActiveSync, a flash memory card, network share, Bluetooth, WiFi, infrared etc. (The p12imprt.exe file is a Windows Mobile executable, not a Win32 executable. You can't use it on your desktop Windows computer).

Copy the certificate file (in PKCS#12 format) to your Windows Mobile device.

Execute p12imprt.exe by tapping it in File Explorer. (Note: File Explorer does not show extensions, so the file shows up as 'p12imprt' instead of 'p12imprt.exe').

Enter the location of the PKCS#12 file or use the 'Browse' button. By default, P12imprt will look for the file "user.pfx" in your "My Documents" folder. (The actual pathname of that folder depends on the language version of your Windows Mobile device. In the English version, it is "\My Documents", the German version uses "\Meine Dokumente", etc.)

Enter the password that was used to encrypt the PKCS#12 file. (Don't tap the "Enter" key in the virtual keyboard, otherwise the program will exit).



The certificates included in the file will be imported. If an equivalent certificate (i.e. with the same name) already exists on your Windows Mobile device, P12imprt will ask if you want to overwrite the existing certificate. You can respond by tapping Yes, No or Cancel. If you tap Cancel, this certificate and any remaining certificates will not be imported, but certificates that were already imported will not be removed.



You should see a message reporting the total number of (Personal, Root, Intermediate CA) certificates that have been imported.



Exit P12imprt by tapping "Ok".

In the Settings menu, tap the "System" tab. Then tap "Certificates".

Select the "Personal" tab if it has not been selected already. The top of the page should say: "Use personal certificates to positively identify yourself to others."



You should see the newly added certificate.

If you tap on the name of this personal certificate, you should see its details. Tap "OK" to return to the previous window.

Tap on the "Root" tab. You should now see the new root certificate that you added. If you tap on the name of this root certificate, you should see its details.






Acer N311

Asus A636N

AudioVox SMT5600

Chainway C5000W running Windows Embedded CE6.0

Fujitsu Siemens Pocket LOOX 718/720/n560

HP iPAQ rx3115

HP iPAQ hx2490b

HTC Blue Angel (i-mate PDA2k / Qtek 9090 / O2 XDA III / O2 Xda IIs / T-Mobile MDA III / Vodafone VPA III / E-plus PDA III / Siemens SX66 / Audiovox 6600/6601 / Orange SPV M2000).

HTC Charmer (T-Mobile MDA Compact II).

HTC Galaxy (Qtek G100).

HTC Magician (i-mate JAM / Qtek S100 / O2 XDA II Mini / T-Mobile MDA Compact / Orange SPV M500 / Vodafone VPA Compact / Dopod 818 / Krome Spy).

HTC Prophet (Qtek S200 / Dopod 818 Pro / O2 Xda neo / Orange SPV M600 / i-mate Jamin).

HTC TyTN II (P4550/Kaiser) / AT&T Tilt / T-Mobile MDA Vario III / Vodafone v1615 / SFR v1615 / XPA1615 / Xda Stellar.

HTC Universal (i-mate Jasjar / Qtek 4040 / Qtek 9000 / O2 XDA Exec / T-Mobile MDA Pro / Vodafone VPA IV / Vodafone V1640 / Orange SPV M5000 / Dopod 900 / Grundig GR980).

HTC Wizard (Cingular 8125 / i-Mate KJAM / Qtek 9100 / O2 Xda Mini S / T-Mobile MDA Vario).

HTC Apache (Sprint PPC-6700 / UT-Starcom PPC6700 / Audiovox PPC6700).

LXE MX7 handheld computer / VX7 vehicle mounted computer.



MiTAC Mio 168.

Motorola Q.

Palm Treo 700w and Treo 700wx running WM5.0.

Qtek 8300.

Samsung i730 (Verizon branded).

Symbol MC3090 running Windows CE.Net 4.20.

Symbol MC70.

Symbol PDT8100.

Symbol MC9090G

Willcom W-ZERO3.

Yakumo DeltaX GPS.

The Pocket PC device emulator included with eMbedded Visual C++ 4.0 SP4.

The Microsoft Device Emulator 1.0



The Microsoft Device Emulator 2.0



The device emulator included with Visual Studio 2005 (beta 2).

(Contact me to get your device listed here!)

MiTAC Mio A701 running WM5.0 Phone Edition ("Import Certificate" button does not work?).

Qtek 2020: P12imprt runs fine, but for some reason Qtek did not include the "Certificates" applet on this model. So be warned that you cannot view or delete certificates, unless you are prepared to use a registry editor (remove keys from Hkey_current_user/comm/security/system certificates/my/certificates).

There is a bug in P12imprt v0.1 which was corrected in v0.2. The bug is that imported root certificates cannot be deleted on Pocket PC 2003 using the Certificates applet in Settings->System. This problem does not occur on Windows Mobile devices. It was a stupid mistake and I would like to apologise for the inconvenience. You get the following error:



"The certificate issued by TESTCA was not deleted. You do not have sufficient permissions, or the certificate was installed by the device's manufacturer and cannot be deleted."



The bug was that certificates were imported to CERT_SYSTEM_STORE_LOCAL_MACHINE instead of CERT_SYSTEM_STORE_CURRENT_USER.



Root certificates that have already been imported with v0.1 cannot be deleted. This is only a bit of a nuisance if you have imported your own root certificates. But if you have imported the sample certificate ("TESTCA") you would probably want to delete it for security reasons. I have made a program that can delete imported root certificates:



certman.zip (version 0.2, size 221 KB, released 26-Mar-2006) - (PGP sig)

I suspect that most Smartphones do not support WiFi or L2TP/IPsec VPN. So you won't be able to use the personal certificate for EAP-TLS or L2TP/IPsec for those Smartphone models.

I suspect that most people get their Smartphones from telecom operators as part of a cellular phone plan. Telecom operators usually lock the root certificate store of those Smartphones. A personal certificate is of little use without a corresponding root certificate. Unlocked Smartphones without a plan are more expensive.

There is no "Ok" button to exit the program.



Modifying an existing Pocket PC program so that it fits on a Smartphone screen does not seem to be straightforward. Again, this is too much trouble for me.

Smartphone 2003 has a problem with personal certificates in Pocket Internet Explorer.



On Embedded Visual C++ there is a difference between a Pocket PC project and a Smartphone project. It is not easy to maintain a program for both platforms.

If I remember correctly, I could not get WCECOMPAT and/or OpenSSL to compile for the Smartphone project.



Perhaps things may have improved in Visual Studio but I can't afford to buy it. Plus, Visual Studio does not support Windows Mobile 2003.

It would probably be better to use a menu (File/Open/Exit/About etc.) instead of buttons but I have not looked into this.

MFC seems to work on the Microsoft Device Emulator 2.0. I use MFC for the file dialogue. Smartphone does not support MFC. I have statically linked the MFC library in the P12imprt program, so I figured that even if the device is lacking MFC the file dialogue should pop up. But this is not the case. Microsoft recommends building a list of available files on the Smartphone so that you select one. This is a bit too much trouble for me. (Feel free to send me source code :-).



If you have Windows Mobile 6, use its built-in certificate installer instead of P12imprt.



Some items on the screen are not visible, most notably the "import certificate" button and the password field. Smartphones do not have a touch sensitive screen so you have to use the keypad. You can navigate using the Up/Down buttons on the keypad. The order of the input fields is: "Location of personal certificate" -> "Password of certificate"-> "Browse" -> "Import certificate" (and then back again to "Location of personal certificate"). You just need to remember this order when the cursor moves off-screen.

The Browse button does not work on Smartphone. You will have to enter the location of the certificate file manually. An easier workaround is as follows. Rename your certificate file to "user.pfx" and copy it to the "My Documents" folder. Then you don't have to change the default filename in "Location of personal certificate".

Once you have entered the file location and the password, move the cursor to the "Import certificate" button. The cursor will be off-screen, but you can still press the centre button of the keypad. This will activate the button and import the certificate.

You can exit the program by moving the cursor to an input field and then pressing the middle button of the keypad, or by tapping the "Enter" key in the virtual keyboard.

We have definitely gotten the message that a lot of customers find themselves in this situation and we feel your pain

(This may or may not be relevant to Windows Mobile 5.0 based Smartphones. It depends on whether Microsoft fixed the problem. I guess they have had plenty of time by now).



Advantages of web enrolment:



It used to be the only Microsoft approved method for getting a Personal certificate onto a Windows Mobile device. (Windows Mobile 6 now also supports PKCS#12).



The private key of the Personal certificate does not leave the Windows Mobile device (actually, this can never be guaranteed because the device might get stolen or the user could be negligent).

Disadvantages of web enrolment:

The Windows 2000/2003 Server CA ("Certificate Services") is exposed to an internal (or even external) network. Some people prefer to keep their CA off-line for security reasons.

The web enrolment clients are reported to work only with English Windows CAs.



The Windows CA has to run in "issue automatically" mode for Windows Mobile devices. As far as I know, Windows Mobile devices cannot submit a certificate request at one time and then pick up the certificate later when the request has been approved by a system administrator. This may not fit your security policy.

While enrolling, clients send usernames and passwords in clear text over HTTP to the Windows CA. That's not very secure.

Private keys are generated on the Windows Mobile device itself, but the device may not be able to generate good (i.e. cryptographically strong) random numbers for these private keys: Windows Mobile devices do not have many sources of entropy, unlike desktop PCs.

The enrolment sample program is not available for download as an executable. Microsoft wants you to install the SDK for Windows Mobile 2003-based Pocket PCs so that you compile the source code yourself. If you are not a programmer you are probably not going to like this.



A web enrolment program is included as a feature of the MSFP update but that update is available for only selected Windows Mobile 5.0 devices.

Some Windows Mobile vendors and wireless network vendors ship ready-to-run enrolment programs, but these are hardwired to work only with the vendor's hardware. They don't want their programs to run on hardware from competitors. For example, HP's graphical Certificate Enrollment Tool only runs on selected high-end models with wireless support (at least 5450, 5550, 5555 and 4150, 4155).

I could not get the ENROLL sample code to work with Windows Server 2003 R2 (not that I tried hard, though).



Advantages of P12imprt:



You can use certificates from any CA, not just the Microsoft Windows CA ("Certificate Services").

Many third-party CAs such as Thawte and Verisign do not support Windows Mobile's web enrolment. Importing a PKCS#12 file is your only option.



You are not forced to use web enrolment. I.e., you are not forced to buy into the whole Windows "ecosystem" with Windows 2000/2003, IIS, ISA Server, Active Directory etc.



Private keys can be generated on any machine, not just on the Windows Mobile device itself.



Should run on any Pocket PC 2003 and Windows Mobile device (unless the device is locked). The other certificate import and enrolment tools run only on selected Windows Mobile models.

Available for free. Available for download now. Unlike the MSFP update, which is only available on selected Windows Mobile 5.0 devices.



Disadvantages of P12imprt:



P12imprt's GUI is very basic.

P12imprt is quite large (almost 700 KB), compared to Crtimprt, PFXimprt and web enrolment.



Some options are hard-coded, such as the CSP (Cryptographic Service Provider). This means for example that it is currently not possible to import the certificate to a smartcard inside the Windows Mobile device (are there any devices with smartcards anyway?). Another hard-coded setting is that the certificate should use RSA and not DSA/DSS. These settings are easy to change in the source code, however. Perhaps a new 'Advanced settings' dialogue window can be added to the program if there is enough interest. (If you want to write it yourself and submit the code to me that would be even better :-).






CryptImportKey()

p12imprt_src.zip

\wcecompat

\openssl-0.9.8a

\p12imprt

\openssl-0.9.8a\INSTALL.WCE

wcecompat\lib\wcecompat.lib

openssl-0.9.8a\out32_ARMV4\libeay32.lib

\wcecompat\include\time.h

wcecompat.lib

p12imprt\p12imprt.vcw

#define WCECOMPAT_OPENSSL 1

p12imprtDlg.cpp

If you don't want to import your certificate from a file you can use the web enrolment technique that is recommended by Microsoft. I mention it here only for the sake of completeness, because I find it a bit too limited and much too convoluted.



*.example.com

/Microsoft-Server-Activesync

18. Third-party web browsers



Pocket Internet Explorer is included with Windows Mobile. It supports client certificates for authentication to web servers. There are other web browsers available as well.



18.1 NetFront browser



The NetFront browser for Pocket PC ships with a built-in certificate manager. You can access it under the menu 'Tools -> Browser Setting -> Security'. The NetFront certificate manager can import PKCS#12 files, single (root) certificates in DER format, multiple (root) certificates in PKCS#7 format and private keys (not sure what format). NetFront is commercial but a time-limited and crippled version can be downloaded for free.



The NetFront certificate manager is separate from the Windows Mobile native certificate applet. So if you import a (personal or root) certificate with NetFront, the certificate can only be used by NetFront itself. The certificate cannot be used by Pocket IE, L2TP/IPsec or EAP-TLS.



The NetFront certificate manager can be a great alternative to P12imprt if you are already unhappy with Pocket IE and you only want to use web client authentication.



18.2 ThunderHawk



ThunderHawk by Bitstream Inc. is licensed on a subscription basis (US$5.95/month or US$49.95/year). It supports SSL with 128-bit encryption (but is it RC4 or AES?). They also have a trial version. See also this review.



18.3 Mozilla Minimo



Minimo is a small, simple, powerful, innovative web browser for mobile devices. Because it is a spin-off from the Mozilla project, it is Open Source and free to use. It supports SSLv3 and TLS. Minimo uses the certificates installed in the Windows Mobile native certificate applet. At the time of this writing the current version does not seem to support client certificate authentication, only server authentication.



Get everything working so you can successfully get on the network (i.e. install certificate, configure wireless profile, etc.).

Export the wireless settings for the profile you are using by going into the radio options and selecting Options->Export. Click on both the "Export Options" and "Export All Profiles" button and save both using the default REG file that is displayed.

Place both files, together with the files in the ZIP file supplied by Symbol*), into the \Application folder on your Symbol device.

Open up Windows Explorer and run SymScript.EXE.

Click on the "Run a Script" button.

Click on "Browse for a script".

Navigate to the \Application folder and select the CertCapture.spt script file.

Click on the "Autostart script on startup" button.

Click on the "Yes" button.

Warm boot the unit. The script should automatically run when the device boots up. It will ask if the certificates are set up properly. Click on "Yes". The script should say that the certificates have been saved.

Cold boot the unit. After the unit boots up, the script should restore the certificates and then warm boot the unit.




20. Importing certificates on Blackberry and PalmOS



20.1 PalmOS based devices



I have been asked if a similar program exists for other platforms such as Blackberry, PalmOS and Symbian. First off, my certificate import program runs only on Windows Mobile devices. Palm makes a Windows Mobile device (the Treo 'w' models) and P12imprt runs on those devices. P12imprt does not run on Symbian devices such as the N70/N80/N95, nor does it run on PalmOS devices such as the Tungsten or the TX. I'm sympathetic to PalmOS and Symbian but I do not own a current device, nor is there a free emulator. Otherwise I would have researched the options more thoroughly. I did manage to collect the following information.



It appears that on PalmOS each application requires its own support for certificates:



Palm TX: there is additional software that you can buy (the "Wi-Fi Enterprise Security Update for the Palm® TX handheld"). Its list price is $5.99. PalmOS supports WEP and WPA-PSK encryption schemes on selected wireless models, but not 802.1x. The software update adds support for EAP-TLS and other EAP schemes but it is not clear to me if it allows you to import a client certificate from a file (I suspect it does).

Palm Tungsten C: there is an 802.1x client ("supplicant") by Meetinghouse Aegis. They have been bought by Cisco but I can't find any reference to the software on the Cisco website.

Other models: Blazer is a web browser that is included with various Palm models. I don't know if it supports client certificates for web authentication.

Other models(?): there is a commercial 802.1x implementation for PalmOS by Devicescape, but this company only makes the framework, not the actual client. You could contact them and ask if there is someone who has made a client for your particular Palm device.



Last ditch option: Linux can be installed on some Palm models, such as the Lifedrive. There is a host of free software for Linux, including an 802.1x supplicant. Switching from PalmOS to Linux is a solution, but obviously it is a very drastic one.

20.2 Blackberry






21. Importing certificates on Symbian






Oct 1, 2007: Added more on Symbian.

Jun 6, 2007: P12imprt v0.3 released. Imported certificates can now be used with S/MIME.

Oct 26, 2006: Added info on PalmOS and Symbian devices.

Oct 17, 2006: PGP Mobile may be re-released, according to PGP representatives.

May 23, 2006: Sending/signing e-mail with the MSFP update requires Exchange. Bummer!

May 23, 2006: Emulator for Windows Mobile released. Pocket PC images with the MSFP update.

Mar 15, 2006: Bug reported and fixed: imported root certs could not be deleted. v0.2 released. If you have downloaded P12imprt.zip before, please replace it with the latest version.

Feb 9, 2006: First report of P12imprt running on an actual Pocket PC device.

Feb 8, 2006: P12imprt runs on Pocket PC 2003 and Windows Mobile 5.0 (on the emulators, at least).

May 18, 2005: Some Windows CE 5.0 devices apparently do ship with a certificate panel utility. But Windows Mobile 5.0 Pocket PC devices do not.

May 12, 2005: Windows Mobile 5.0 announced. Supports PFXImportCertStore()! New emulator released.



Jacco de Leeuw

