I am receiving a lot of questions (internally and externally) about certificates and about signing applications or cab files for Windows Mobile. This small how-to describes how to install a certificate on a device and then use it to sign the files and applications you deploy.
All tools used in this blog post are available in the Windows Mobile SDK or in other Microsoft resource kits. Please note that makecert.exe is for demonstration and educational purposes only: it creates certificates, but they are not suitable for production scenarios. Use a certificate issued by the certification authority of your organization instead.
If you don't understand what I am talking about, or you are not familiar with the Windows Mobile security model, you should read at least the TechNet article on the subject, or better, Security Model for Windows Mobile 5.0 and Windows Mobile 6, for a full understanding. The short version: code signed by a certificate that chains to the device's Privileged Execution Trust Authorities store runs with privileged trust and without prompting, so whoever controls that certificate's private key controls the device.
Step 1. Creating the certificate
Use makecert.exe to create the certificate file and the private key. Without the -r switch, makecert signs the certificate with its built-in "Root Agency" test key rather than making it self-signed, which is one more reason it is unsuitable for production.
1. Run makecert.exe to create the private key and the certificate
C:\Tools> makecert.exe -n "CN=Testing CA" -sv private_key.pvk testing_certificate.cer
2. In the Create Private Key Password dialog that appears, click None. This leaves private_key.pvk without a password, so anyone who obtains the file can sign code that your provisioned devices will run as privileged: keep it off shared storage and delete it when the test is over.
3. In Windows Explorer, double-click the testing_certificate.cer
4. Choose the Details tab.
5. Click Copy to File... button
6. Click Next button
7. Choose Base-64 encoded X.509 (.CER) and click Next button
8. Use testing_certificate_base64.cer as the filename and click Next button
9. Click Finish button
Step 2. Certificate provisioning XML
Write a provisioning file that uses the CertificateStore configuration service provider to add the certificate from the previous task to the Privileged Execution Trust Authorities store. The steps below are fiddly, so follow them exactly.
1. Create the following XML document (with notepad.exe) and name it _setup.xml
<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="Privileged Execution Trust Authorities">
      <characteristic type="CERTHASH">
        <parm name="EncodedCertificate" value="BASE64ENCODEDCERT"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
2. In Windows Explorer, double-click the testing_certificate.cer
3. Choose the Details tab.
4. Choose Thumbprint in the list box (this is the SHA-1 hash of the certificate's DER encoding), select the text, and then press CTRL+C.
5. Replace CERTHASH in _setup.xml with the copied text. Delete the spaces between the hex pairs so that it becomes a single 40-character string!
<characteristic type="Privileged Execution Trust Authorities">
  <characteristic type="3275d56c0450425e91f51cfaad2164ecee2d2d63">
    <parm name="EncodedCertificate" value="BASE64ENCODEDCERT"/>
  </characteristic>
</characteristic>
6. Open the testing_certificate_base64.cer using a notepad.exe
7. Select the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. This text is the Base-64 encoded content of the certificate. Copy the selected text by pressing Ctrl-C.
8. In the XML document, replace BASE64ENCODEDCERT with the copied text by pressing Ctrl-V
<characteristic type="Privileged Execution Trust Authorities">
  <characteristic type="3275d56c0450425e91f51cfaad2164ecee2d2d63">
    <parm name="EncodedCertificate" value="MIIBujCCAWSgAwIBAgIQtdVUzuL2d4JILkNizwyAzzANBgkqhkiG9w0BAQQFADAW
MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw0wODA0MDcwOTAwMjBaFw0zOTEyMzEy
MzU5NTlaMBUxEzARBgNVBAMTClRlc3RpbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBALdv55G163+Nz2+t3rfPka0GihXgdMiIJIcdLmV58tfrcN5ROjH0
ItscVGf88XBD9t+Aj/PWJE1C9rXxuSF345aO5uTnulEPgyf6ggXGwBtDRz9ZdHG0
us2ND0LySRlka6dNpOrQfrE+ASA4xck0HyqHQuZkB3C8N0lFB0DQfbXhAgMBAAGj
SzBJMEcGA1UdAQRAMD6AEBLkCS0GHR1PAI1hIdwWZGOhGDAWMRQwEgYDVQQDEwtS
b290IEFnZW5jeYIQBjdsAKoAZIoRz7jUqlw19DANBgkqhkiG9w0BAQQFAANBABQy
xsMI6XmXdzuAL8A6fgwI3ukg7jeNyO6Ai1Cr2voXY7CXyitNEX2FAdiH2KynLATM
7kRIJDFvdJFqQCQCGrM="/>
  </characteristic>
</characteristic>
9. Save the XML document
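The copy-and-paste in Step 2 is where most mistakes happen (spaces left in the thumbprint, a line of the Base-64 text missed, the wrong certificate pasted). The following script is an added example, not part of the original post or of any Microsoft tool: it reads the Base-64 .cer file, checks that the decoded bytes form one complete DER structure, recomputes the thumbprint (the Windows certificate dialog's Thumbprint is the SHA-1 hash of the DER encoding, so the two values must agree) and writes _setup.xml with the Base-64 value on a single line. The embedded sample certificate is the Base-64 body reproduced from item 8 above, used here as constructed input; it is makecert test output, not something to trust. The script needs only the Python 3 standard library.

```python
"""Generate the CertificateStore provisioning XML (_setup.xml) for a
Windows Mobile device from a Base-64 encoded X.509 (.cer) file.

Added example, not from the original post. Standard library only.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the Base-64 body shown in Step 2, item 8 of the post.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBujCCAWSgAwIBAgIQtdVUzuL2d4JILkNizwyAzzANBgkqhkiG9w0BAQQFADAW
MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw0wODA0MDcwOTAwMjBaFw0zOTEyMzEy
MzU5NTlaMBUxEzARBgNVBAMTClRlc3RpbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBALdv55G163+Nz2+t3rfPka0GihXgdMiIJIcdLmV58tfrcN5ROjH0
ItscVGf88XBD9t+Aj/PWJE1C9rXxuSF345aO5uTnulEPgyf6ggXGwBtDRz9ZdHG0
us2ND0LySRlka6dNpOrQfrE+ASA4xck0HyqHQuZkB3C8N0lFB0DQfbXhAgMBAAGj
SzBJMEcGA1UdAQRAMD6AEBLkCS0GHR1PAI1hIdwWZGOhGDAWMRQwEgYDVQQDEwtS
b290IEFnZW5jeYIQBjdsAKoAZIoRz7jUqlw19DANBgkqhkiG9w0BAQQFAANBABQy
xsMI6XmXdzuAL8A6fgwI3ukg7jeNyO6Ai1Cr2voXY7CXyitNEX2FAdiH2KynLATM
7kRIJDFvdJFqQCQCGrM=
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text):
    """Take the Base-64 body between the BEGIN/END markers and decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    body = "".join(m.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def check_der_sequence(der):
    """Verify the bytes are exactly one DER SEQUENCE and return its content
    length. A truncated or mis-pasted certificate fails here instead of
    failing silently on the device."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                     # short-form length
        hdr, length = 2, first
    else:                                # long form: 0x8N + N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError("DER declares %d bytes but %d are present"
                         % (hdr + length, len(der)))
    return length


def thumbprint(der):
    """SHA-1 of the DER encoding, lowercase hex with no spaces: the value the
    post has you copy from the Details tab and strip the spaces from."""
    return hashlib.sha1(der).hexdigest()


def build_provisioning_xml(der, store="Privileged Execution Trust Authorities"):
    """Render the wap-provisioningdoc that adds the certificate to `store`.
    The Base-64 value is emitted on one line, without whitespace."""
    root = ET.Element("wap-provisioningdoc")
    cs = ET.SubElement(root, "characteristic", type="CertificateStore")
    st = ET.SubElement(cs, "characteristic", type=store)
    cert = ET.SubElement(st, "characteristic", type=thumbprint(der))
    ET.SubElement(cert, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(root, encoding="unicode")


def read_provisioning_xml(xml_text):
    """Parse a document back into (store, thumbprint, DER bytes) so the file
    can be double-checked before it is packed into the cab."""
    root = ET.fromstring(xml_text)
    store_el = root.find("characteristic[@type='CertificateStore']/characteristic")
    cert_el = store_el.find("characteristic")
    parm = cert_el.find("parm[@name='EncodedCertificate']")
    return (store_el.get("type"), cert_el.get("type"),
            base64.b64decode(parm.get("value"), validate=True))


def make_setup_xml(pem_text, path=None):
    """PEM text in, provisioning XML out; optionally written to `path`."""
    der = pem_to_der(pem_text)
    check_der_sequence(der)
    xml_text = build_provisioning_xml(der)
    if path:
        with open(path, "w", encoding="ascii") as f:
            f.write(xml_text)
    return xml_text


if __name__ == "__main__":
    # Writes _setup.xml next to the script; compare the printed thumbprint
    # with the Thumbprint field in the certificate's Details tab.
    der = pem_to_der(SAMPLE_PEM)
    print("thumbprint:", thumbprint(der))
    print(make_setup_xml(SAMPLE_PEM, "_setup.xml"))
```

Replace SAMPLE_PEM with the contents of your own testing_certificate_base64.cer (or read the file in) and pack the resulting _setup.xml with makecab.exe as in Step 3. The one-line Base-64 value is the safest form to hand to the CertificateStore provider; the thumbprint printed should match the dialog exactly, and if it does not, you are about to provision the wrong certificate.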
Step 3. Deploying certificate into device
Make a cab file from the provisioning file created in the previous task and execute it on the device. The file inside the cab must keep the name _setup.xml, because that is the file the device's configuration manager processes when the cab is run. Note that cert_deploy.cab itself is not signed yet, so depending on the device's security policy you may be prompted to allow it, or a locked device may refuse it altogether.
1. Run makecab.exe
C:\Tools> makecab.exe _setup.xml cert_deploy.cab
2. Copy cert_deploy.cab into device via ActiveSync or SD card.
3. Execute the cert_deploy.cab
Step 4. Signing the application or cab file
Use signcode.exe to sign your application or installation cab. Let's assume the file to be signed is called myApplication.exe
C:\Tools> signcode -v private_key.pvk -spc testing_certificate.cer myApplication.exe
When the signed file runs on a provisioned device, its signature chains to a certificate in the Privileged Execution Trust Authorities store, so no security warning is displayed and the code executes with privileged trust. Keep in mind that anything signed with private_key.pvk receives exactly that trust on every device you provisioned this way, which is why the key must be protected and why, outside the lab, a certificate issued by your organization's certification authority should take the place of the makecert one.