This article describes implementation options that you can use to add root certificates to Microsoft Windows Mobile 2003 Smartphone and to Microsoft Windows Mobile 2002 Smartphone.
Microsoft Windows Mobile-based Smartphones use the Microsoft
Crypto API (CAPI) certificate store to securely store root certificates. The
following applications use root certificates:
- Microsoft Pocket Internet Explorer for Secure Sockets Layer
- Microsoft ActiveSync when it is configured to synchronize
directly with either Microsoft Mobile Information Server (MIS) or with
Microsoft Exchange 2003 Server.
- Layer 2 Tunneling Protocol (L2TP)-based virtual private
network (VPN) connections that are available in Windows Mobile 2003-based
- Third-party programs as necessary.
To use internal SSL Web sites with one of the previously mentioned four
applications without receiving warnings about untrusted certificates, use
one of the following implementation options:
- Obtain the backend server certificate from one of the
certificate authorities that are represented by the root certificates that are
included on the device.
The root certificates that are included with
the Windows Mobile 2002-based Smartphone device represent the following
The root certificates that are included with the
Windows Mobile 2003-based Smartphone device represent the following certificate
- Add the root certificate for the private issuing authority
on the device that you choose. Make sure that you do this before you follow the
steps in the "How to add root certificates to Windows Mobile 2002 Smartphone
and Windows Mobile 2003 Smartphone" section.
How to add root certificates to Windows Mobile 2002 Smartphone and to Windows Mobile 2003 Smartphone
- Export the root certificate to a computer that is running
Microsoft Windows in DER encoded binary X.509 format with a .cer file name
- Connect your Smartphone to the computer.
- On your computer, start ActiveSync, and then click
- Copy the SPAddCert.exe file to one of the following locations on the
Smartphone, depending on your situation:
- Windows Mobile 2003 Smartphone - copy the file to \Storage\Windows\Start Menu\Accessories on the
- Windows Mobile 2002 Smartphone - copy the file to \IPSM\Windows\Start Menu\Accessories on the
- Copy the exported root certificate file to one of the
following locations depending on your situation:
- Windows Mobile 2003 Smartphone - copy the exported root certificate file to either \Storage on
the Smartphone or on the root folder of a storage card.
- Windows Mobile 2002 Smartphone - copy the exported root certificate file to either \IPSM on the
Smartphone or on the root folder of a storage card.
- On the Smartphone, click Start, click
Accessories, and then click SPAddCert.
- Select the certificate with the Dpad, and then click
OK. The certificate details will appear.
- Click OK when you are prompted to add the
- Restart your Smartphone.
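A pre-flight check for the file exported in the first step, as an added example that is not part of the original article or of SPAddCert: it accepts either a Base-64 or a binary export, returns the DER bytes the procedure asks for, and computes the fingerprints to compare with the issuing authority before the root is trusted on the device. The function names and the sample bytes (a constructed filler SEQUENCE, not a real certificate) are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_total_length(data: bytes) -> int:
    """Return the full encoded size (header + body) of the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (an X.509 certificate starts with 0x30)")
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def normalize_to_der(data: bytes) -> bytes:
    """Accept a Base-64 (PEM) or binary export and return validated DER bytes."""
    match = PEM_RE.search(data)
    if match:
        data = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if der_total_length(data) != len(data):
        raise ValueError("length mismatch: file is truncated or has trailing data")
    return data

def thumbprints(der: bytes) -> dict:
    """Hashes over the DER encoding; the SHA-1 value is what Windows shows as Thumbprint."""
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}

# Constructed stand-in for a certificate: a DER SEQUENCE holding 300 filler bytes.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, blob in (("binary", SAMPLE_DER), ("base64", SAMPLE_PEM)):
        der = normalize_to_der(blob)
        print(label, len(der), thumbprints(der)["sha1"])
```

To check a real export, pass the file's bytes to `normalize_to_der`, write the result to the .cer file that is copied to the device, and compare the thumbprint with the one the issuing authority publishes.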
The SPAddCert utility runs only on Smartphones that have the
Unrestricted Application Security Policy. If your device has been restricted by
the mobile operator, you will receive the following message:
For the SPAddCert utility to run on restricted
Smartphones, it must be signed and distributed by the mobile operator. A
restricted Smartphone is a telephone that uses a Restricted policy or a
Standard Prompt policy. Contact your mobile operator for support.
Windows Mobile-based Smartphones implement an application security model that
is based on digital code signing. Application security helps protect the
integrity of the end-user’s device by not permitting the user to run programs
that are from an unknown source.
The mobile operator company decides
whether to implement application security before it brings a Smartphone to
market. The mobile operator may change its policy decision at any time.
For more information about Smartphone Application Security, see the
“A Practical Guide to the Smartphone Application Security and Code Signing
Model for Developers” section that is located at the following Microsoft
Web site:
The following download provides sample scripts to add certificates
The following file is available for download from the Microsoft Download
the SmartPhoneAddCert.exe package
Release Date: April
For more information about how to download Microsoft support
files, click the following article number to view the article in the Microsoft
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help prevent
any unauthorized changes to the file.
Microsoft has worked with VerizonWireless to create a signed
version of the SPAddCert.exe utility to run on VerizonWireless Windows Mobile
Smartphones. To download the VZW_SPAddCert.exe file, visit the following
Microsoft Web site:
Release Date: October 15, 2004
Microsoft has worked with Sprint to create a signed version of
this SPAddCert.exe utility to run on Sprint iDEN Windows Mobile 2003
SmartPhones. To download the SprintIden_signed_SPAddCert.exe file, visit the
following Microsoft Web site: