Exchange - Net Admin - Outlook
Windows Mobile - Windows

Contact - Director's Blog

Windows Mobile Home

SSL Certificates on Windows Mobile

The Windows Mobile operating system has support for the most common root certificates. However if you are using one the less common certificates (for example RapidSSL) or you are creating your own, then you will be unable to use Exchange ActiveSync. With Exchange 2003, Outlook Mobile Access (OMA) will present a certificate prompt.

To avoid these errors you need to install the certificate on to your device, or install the root certificate on to the device. 

Using the Right Certificate

The choice of the certificate that you are importing to the handheld is important.

If you are generating your own certificates, then that is what you need to import.

If you are putting in a third party certificate that is currently not supported by the handheld, then you need to use the third party's root certificate.

Signed Applications

Either of these processes may not work if your device will only run signed applications. If that is the case then you should look for a mechanism that will remove that requirement, or see if the supplier has provided a signed version of the tool.

Importing the Certificates

There are two methods of importing the certificates

1. Exporting the certificate to file in to a correct format, copying this across to your device and then importing it. Instructions.
2. Having the certificate as part of a cabinet file. This is useful if you want to deploy the certificate as part of a wider configuration file or want the file to be downloadable from a web site, using the Windows Mobile device. Instructions.

Questions

Q: Why should I use the root certificate instead of the individual certificate that I am using with my web site?
A: Your own certificate will only be valid for a set period. When that certificate expires you will have to go through the process of replacing the certificate. A root certificate is valid for much longer - probably longer than the device will be valid.
Furthermore, if you are using multiple certificates or your users could access multiple web sites that support that certificate, then the root is already there ready to be supported.

Q: Can I use a wildcard certificate?
A: Wildcard certificates are not supported by Windows Mobile 5.0 and older versions of Windows Mobile. Therefore their use should be avoided where possible. More information: http://blogs.msdn.com/windowsmobile/archive/2005/11/03/488924.aspx

Q: What about Exchange 2007?
A: If you want to use a Windows Mobile device with Exchange 2007 then you should be using a SAN (Subject Alternative Name) certificate, also referred to as a UC (Unified Communications) certificate. These are treated in the same way as other certificates, and will need to be supported by Windows Mobile.

Q: Are there any cheap certificates that are supported by Windows Mobile without having to go through this hassle?
A: Yes. You can get SSL certificates from Go Daddy or one of their resellers such as Certificates for Exchange. These are trusted by most Windows Mobile devices natively, from version 5.0 with the MSFP pack onwards. If you are using Exchange 2007, then their SAN/UC certificates are also trusted and will work on most devices without additional hanges being required.