RE: CA and Windows mobile 5.0



Hi John,

Thank you for posting here.

Based on your description, I understand you cannot install a CA on your
mobile device.

Firstly, in order to clarify this issue, please provide the following info:

What kind of certificates are in your environment? Is it a self-signed
certificate or a third-party certificate?
How did you install CA on your mobile device?

Two options are available for certificate installation for Windows Mobile
5.0 devices.

Option A - Configuring Self-Signed Certificates
For multiple mobile devices, you will need to install the certificate on
each device. Because the certificate would already be installed on the
Windows SBS server, no additional configuration needs to be done on the
server.

Step 1. Copying the Certificate File to the Device
Perform the following steps to copy the certificate file to the mobile
device:
1. Log on to a client computer that has ActiveSync 4.1 installed.
2. Connect the Windows Mobile device to the computer.
You do not need to establish a partnership; you can simply connect in guest
mode.
3. Open Windows Explorer and navigate to
\\WindowsSBSServerName\ClientApps\SBScert.
4. Right-click the certificate (.cer) file in the SBScert folder and click
Copy.

Note: If your Windows SBS Server is running ISA Server, there may be more
than one certificate in the folder. Select the one named ISACert.cer.

5. Navigate to Mobile Device under My Computer.
By default, the contents of the My Documents folder on the device are
displayed.
6. Right-click the content area and click Paste to copy the certificate
file to the device.

Step 2. Installing the Certificate on the Device
Perform the following steps to install the certificate:
1. On the Windows Mobile device, open File Explorer (for Pocket PCs) or
File Manager (for Smartphones).

Note: File Explorer is present at Start\Programs on Pocket PCs.
File Manager is present at Start\More on Smartphones.

2. Find the certificate file you just copied to the My Documents folder on
the device and run the file by either tapping the file name or pressing
ENTER while the file is selected.
3. Click Yes on the confirmation message box to install the certificate. If
you receive no error messages, the certificate is installed successfully.
If you receive an error and the certificate is not installed, you will need
to use an external utility to install the certificate on the device. To
install the certificate using this external utility, perform the following
steps:
a. On the client computer, download smartphoneaddcert.exe from the
following URL:
http://support.microsoft.com/?id=841060
If a signed version of smartphoneaddcert by your mobile operator is
available from this link, download the signed version.

Note: Although the Knowledge Base article, "841060," at the given link
refers to Windows Mobile 2003 and Windows Mobile 2002, the utility will
also work with Windows Mobile 5.0.
In addition, even though the file is named "smartphoneaddcert," it also
works with Pocket PCs.

b. Run smartphoneaddcert.exe and extract SpAddCert.exe.
c. Copy SpAddCert.exe to the device.
d. On the device, create a folder named "Storage" on the root of the device
and copy the certificate file into the Storage folder.
e. On the device, run SpAddCert.exe. By default, the certificates in the
Storage folder of the device are listed. Select the certificate you just
copied and click OK on all message boxes that get displayed, to install the
certificate.
If you are using a Smartphone and the self-signed certificate still fails
to install, the device manufacturer or mobile operator must have disabled
access to the root certificates. Check with the device manufacturer or your
mobile operator to see if they provide a separate installation utility.
Otherwise, you will have to use a trusted third-party certificate by
following the instructions provided in the following section.


Option B - Configuring Third-Party Certificates
How to purchase and install a third-party certificate on the Windows
SBS server:

Note: Some CAs provide their own instructions for installing SSL
certificates on the server. Depending on the type of certificate, these
instructions may be different than the steps provided in this section.
Please follow the installation instructions provided by the CA, if they are
available, instead of instructions in this white paper.

Step 1. Purchasing a Third-Party Certificate
You should only use third-party certificates from a CA that has a root
certificate present on the root store of Windows Mobile powered devices.
For a listing of CAs offering Windows Mobile-compatible certificates, refer
to the following URL:
http://go.microsoft.com/fwlink/?LinkId=61499

For purchasing a certificate from a CA, you will need to generate a
certificate signing request on the Windows SBS server. To do this, perform
the following steps:
1. Open Internet Information Services (IIS) Manager from Administrative
Tools.
2. Expand WindowsSBSServerName, expand Web Sites, and right-click Default
Web Site and click Properties.
3. On the Directory Security tab, click the Server Certificate button to
start the IIS Certificate Wizard.
4. On the welcome page, click Next.
The Modify the Current Certificate Assignment page is displayed if you have
an existing certificate installed on the server. If the page is displayed,
perform the following steps:
a. Click Remove the current certificate and click Next.

Note: The existing certificate could have been created while running the
Configure E-Mail and Internet Connection Wizard.


b. Click Next on the next two pages and then click Finish to complete the
wizard and remove the certificate.
c. Start the wizard again by clicking the Server Certificate button on the
Directory Security tab. On the welcome page, click Next.
5. On the Server Certificate page, click Create a new certificate and click
Next.


6. On the Delayed or Immediate Request page, click Prepare the request now,
but send it later and click Next.

Note: If you have a CA installed on the Windows SBS server, the second
option will not be disabled.


7. On the Name and Security Settings page, type the name of the company and
click Next.
8. On the Organization Information page, type the name of the company and
the name of the department, which may be the same.



Note: It is important to type the proper company name because the CA will
use this name to verify the company information before issuing a
certificate. After you submit the request, the CA will verify the
information that you have submitted, as well as the company information. If
you apply for the certificate using a Trade/DBA (Doing Business As) name,
be prepared to show documentation of the trade name. Also ensure that your
Dun & Bradstreet (D&B) or other commercial directory information is up to
date before submitting the certificate signing request because many CAs use
that information for verification.
Get the exact verification requirements from the CA you have chosen.


9. On the Your Site's Common Name page, type the public DNS (Domain Name
System) name of the server. Take special care to ensure that the
information is correct because the certificate will not work properly if
this information is provided incorrectly.

10. On the Geographical Information page, enter all required information.
Do not use abbreviations because some CAs do not accept abbreviations.

11. Provide a path and file name for saving the request. Click Next twice
and then click Finish.
12. Open the request file you just created using Notepad and copy all of
the text in the file, including dashes, into the application form to be
sent to the CA.

Note: Be careful not to change or modify any of the certificate settings on
the website after creating the certificate request. The steps in the
section will not work if the pending request is cancelled for any reason.
If you cancel the pending request, you will have to apply with the CA to
have the certificate reissued using a new request file.


Step 2. Installing the Certificate on the Server
After receiving the certificate (.cer) file from the CA, install the
certificate on the Windows SBS server. To do this, perform the following
steps on the Windows SBS server:
1. Open the Server Management console.
2. Click the Internet and E-mail link.
3. Click the Connect to the Internet link to start the Configure E-mail and
Internet Connection Wizard.
4. On the welcome page, click Next.
5. On the Connection Type page, click Do not change connection type and
click Next.
6. On the Firewall page, click Do not change firewall configuration and
click Next.
7. On the Web Server Certificate page, click Use a Web server certificate
from a trusted authority, click Browse, navigate to and double-click the
certificate file provided by the CA, and finally click Next.

8. On the Internet E-mail page, click Do not change Internet e-mail
configuration and click Next.
9. On the Completing the Configure E-mail and Internet Connection Wizard
page, click Finish.

Hope this helps. I look forward to your update.


Have a nice day!


Best Regards,

Chace Zhang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
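
Added example (not part of the original post, and not Microsoft's own code): a PowerShell check that answers the two questions the reply turns on, namely whether a server certificate is self-signed or CA-issued and whether its common name matches the server's public DNS name. The function name Test-ServerCertificate, the host names and the in-memory sample certificate are assumptions made for illustration.

```powershell
# Added example: inspect a server certificate before trusting it on a device.
# Test-ServerCertificate is a hypothetical helper name, not a built-in cmdlet.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$PublicDnsName
    )
    $nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $commonName = $Certificate.GetNameInfo($nameType, $false)
    $now        = Get-Date
    # Treated as self-signed when subject and issuer are the same encoded name.
    $selfSigned = [Convert]::ToBase64String($Certificate.SubjectName.RawData) -eq
                  [Convert]::ToBase64String($Certificate.IssuerName.RawData)
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Issuer         = $Certificate.Issuer
        SelfSigned     = $selfSigned
        NameMatches    = $commonName -ieq $PublicDnsName
        CurrentlyValid = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        NotAfter       = $Certificate.NotAfter
        Thumbprint     = $Certificate.Thumbprint
    }
}

# Constructed sample: a throwaway self-signed certificate built in memory
# (requires .NET Framework 4.7.2+ or PowerShell 7); mail.example.com is a placeholder.
$rsa     = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=mail.example.com', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample  = $request.CreateSelfSigned(
    [DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddYears(1))

# Matching name, then a mismatched one that a device would reject.
Test-ServerCertificate -Certificate $sample -PublicDnsName 'mail.example.com'
Test-ServerCertificate -Certificate $sample -PublicDnsName 'remote.example.com'

# For a real file, load the .cer first (path is a placeholder):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\server.cer'
# Test-ServerCertificate -Certificate $cert -PublicDnsName 'public.dns.name'
```

Comparing the reported thumbprint with the one shown for the certificate on the server confirms that the file being installed on devices is the certificate you intend to trust.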
