
Adding self-signed root certificates to Windows mobile devices


Serdar Yegulalp
02.22.2007


Generating self-signed SSL encryption certificates is one way to beat the high cost of third-party SSL certificates, which can run as much as $100 a year.

If you're a small shop and you don't think you need to have third-party certificates generated for you, you can always create one yourself by setting up Certificate Services and fulfilling a certificate request from yourself.

The process has been fairly well documented for creating a self-signed certificate to use on a server. (See the MSExchange.org article, SSL-enabling OWA 2003 using your own certificate authority.) But what if you want to take your self-signed root certificate and manually add it to one or more mobile devices?

There are a few ways to do this, although they all require management access to the mobile devices. One particularly interesting way is to take the root certificate, turn it into a .CAB file, and then deploy it to the mobile devices.

Some types of management systems (such as OTA, or "over-the-air") will only deploy .CAB files, and installing certificates via .CAB files may work if you're trying to add the certificate to a store on the mobile device other than the root store.

The full technique has been published on the Windows Mobile Team Blog: How to add your own root cert via CAB file. There aren't a lot of steps involved, but be aware of these critical issues before you get started:

  1. You must export the root certificate, not a leaf, for this to work correctly. If you've generated and self-signed the certificate, this is probably easier than if you're using a third-party certificate authority. Be sure to go as far up the certificate chain as you possibly can. If you have intermediate certificates to be installed, export the root first, then the intermediates.
  2. This technique will not work for wildcard certificates. You need to have a certificate for the specific URL being accessed via the mobile device.
  3. When you create the "thumbprint" for the certificate, as per the instructions, make sure that the thumbprint listed in the XML files has no spaces or carriage returns. Otherwise, the thumbprint will not validate.
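
The thumbprint check from item 3 can be automated before the .CAB is built. The following is an added example, not code from the original tip or the Windows Mobile Team Blog; it assumes the thumbprint is the SHA-1 hash of the DER-encoded certificate and that the provisioning XML nests it as a `characteristic` type under `CertificateStore` and `ROOT`. The certificate bytes and XML are constructed samples.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

HEX40 = re.compile(r"[0-9A-Fa-f]{40}")

def thumbprint(der_bytes):
    """Thumbprint = SHA-1 over the DER-encoded certificate, as 40 hex chars."""
    return hashlib.sha1(der_bytes).hexdigest().upper()

def normalize(pasted):
    """Remove all whitespace (spaces, tabs, CR, LF) from a pasted thumbprint."""
    cleaned = "".join(pasted.split()).upper()
    if not HEX40.fullmatch(cleaned):
        raise ValueError("not a 40-hex-digit SHA-1 thumbprint: %r" % pasted)
    return cleaned

def check_setup_xml(xml_text, expected):
    """Return (value, problem) pairs for thumbprint-like 'type' attributes."""
    problems = []
    for node in ET.fromstring(xml_text).iter("characteristic"):
        raw = node.get("type", "")
        compact = "".join(raw.split())
        if not HEX40.fullmatch(compact):
            continue  # a store name such as ROOT, not a thumbprint
        if compact != raw:
            problems.append((raw, "contains whitespace"))
        elif compact.upper() != expected:
            problems.append((raw, "does not match the exported certificate"))
    return problems

# Constructed stand-in for the bytes of an exported DER (.cer) file.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
EXPECTED = thumbprint(SAMPLE_DER)
# Thumbprint as it looks when copied from a certificate dialog: byte pairs
# separated by spaces.
PASTED = " ".join(EXPECTED[i:i + 2] for i in range(0, 40, 2)).lower()

# Assumed provisioning layout (CertificateStore > ROOT > thumbprint).
TEMPLATE = ('<wap-provisioningdoc><characteristic type="CertificateStore">'
            '<characteristic type="ROOT"><characteristic type="%s">'
            '<parm name="EncodedCertificate" value="BASE64-PLACEHOLDER"/>'
            '</characteristic></characteristic></characteristic>'
            '</wap-provisioningdoc>')

if __name__ == "__main__":
    print(check_setup_xml(TEMPLATE % PASTED, EXPECTED))             # flagged
    print(check_setup_xml(TEMPLATE % normalize(PASTED), EXPECTED))  # []
```

Comparing the value in the XML against a hash recomputed from the exported file also catches a thumbprint copied from the wrong certificate in the chain.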

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.
