In my last engagement I was facing the problem of updating the SCMDM certificate. The preferred way was to do it from the Windows Mobile device. I blogged about a similar topic some time ago, so this is an extension of the original article.

Find what you want to update

Run a simple query against the MY certificate store on your enrolled device:

<wap-provisioningdoc>
    <characteristic type="CertificateStore"> 
       <characteristic-query type="MY" />
    </characteristic>  
</wap-provisioningdoc>

You will get something like the result below. There may be more certificates in the store, but we are interested in the SCMDM one. The most important piece of information is the certificate hash, the 40-hex-digit SHA-1 thumbprint that appears as the type of the certificate's characteristic; in this case it is 64BB2D1FAD191B04D33D04781CE9ECC8F7D9BAE5. Keep it for later use. The ValidFrom and ValidTo parameters show the validity period, so you can see how much time is left before the certificate expires.

If you want to determine this hash automatically from an application, note that the TemplateName parameter itself comes back empty (noparm) in the result below; the template name is available as the Template parameter under RenewalInfo, so look for the certificate issued from the SCMDM2008MobileDevice template. That template name is valid only for the SCMDM 2008 RTM version. If you are running SCMDM 2008 with Service Pack 1, the name of the instance is included as well, so for the mdm-prg instance the template name is SCMDMMobileDevice (mdm-prg).

<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="MY">
      <characteristic type="64BB2D1FAD191B04D33D04781CE9ECC8F7D9BAE5">
        <parm name="EncodedCertificate" value="MIIE..shortened..3msMYf" datatype="binary" />
        <noparm name="Role" />
        <parm name="ValidFrom" value="2009-04-24T20:46:27Z" />
        <parm name="ValidTo" value="2010-04-24T20:46:27Z" />
        <parm name="IssuedBy" value="Contoso Assurance CA" />
        <parm name="IssuedTo" value="WM-pabans-52.amer.contoso.com" />
        <noparm name="TemplateName" />
        <characteristic type="PrivateKeyContainer">
          <parm name="ContainerName" value="MEEBAB1AFF" />
          <noparm name="ProviderName" />
          <parm name="ProviderType" value="1" />
          <parm name="KeySpec" value="2" />
        </characteristic>
        <characteristic type="RenewalInfo">
          <parm name="ServerName" value="rapp57.amer.contoso.com" />
          <parm name="Template" value="SCMDM2008MobileDevice" />
          <parm name="RequestPage" value="/certsrv/certfnsh.asp" />
          <parm name="PickupPage" value="/certsrv/certnew.cer" />
        </characteristic>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

Initiate renewal

The renewal is initiated by sending the following provisioning document to the CertificateEnroller Configuration Service Provider (CSP). The characteristic under RenewOperation is a unique string or GUID of your choosing that identifies this renewal operation, and the RenewCertificateHash parameter carries the hash from the previous step.

<wap-provisioningdoc>
  <characteristic type="CertificateEnroller">
    <characteristic type="Operation">
      <characteristic type="RenewOperation">
        <characteristic type="Some-Unique-String-or-GUID">
          <parm name="RenewCertificateHash" value="64BB2D1FAD191B04D33D04781CE9ECC8F7D9BAE5"/>
        </characteristic>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

To determine the result of the operation, you can query the Status parameter of the same operation node, using the same unique string you chose above:

<wap-provisioningdoc>
    <characteristic type="CertificateEnroller">
        <characteristic type="Operation">
          <characteristic type="RenewOperation">
            <characteristic type="Same-Unique-String-from-the-previous-step">
              <parm-query name="Status" />
            </characteristic>
          </characteristic>
        </characteristic>
    </characteristic>
</wap-provisioningdoc>

Alternatively, you can check \Windows\logfiles\GetCertificates\DeviceEnrollLog.txt on the device. A successful renewal is recorded like this:

Windows Mobile Certificate Enrollment Log
Date: 2009-05-08
Time: 18:10:49Z
Device Name: WM-pabans-52
Domain\Username: (null)
Certificate Type Friendly Name: rapp57.amer.contoso.com_SCMDM2008MobileDevice
CA Server: rapp57.amer.contoso.com
Template: SCMDM2008MobileDevice
Request Page path/name: /certsrv/certfnsh.asp
Pickup Page path/name: /certsrv/certnew.cer
RequestID For Enrollment: 136756
Enrollment or Renewal: Renewal
Desktop Initiated: No
Silent Enrollment: No
Status Upon Completion: Successful
Error Code: The operation completed successfully.
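The whole procedure above, as one worked example: find the SCMDM certificate and its hash in a CertificateStore/MY query result (accepting both the RTM and the SP1 template naming), check how long it is still valid, build the RenewOperation document with a fresh operation id, build the matching Status query, and evaluate DeviceEnrollLog.txt. This is example code added to this article, not code from the original post or from SCMDM; it runs on the documents shown above, embedded here as constructed sample data (the second, non-SCMDM certificate in the sample store and the operation id "op-1" used in the test are made up). Handing the generated documents to the CSP on the device, normally via DMProcessConfigXML (native) or ConfigurationManager.ProcessConfiguration (managed), is outside this example, which is why the logic is shown in Python rather than in a device-side .NET Compact Framework application.

```python
import re
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# RTM template is SCMDM2008MobileDevice; SP1 appends the instance, e.g. SCMDMMobileDevice (mdm-prg).
SCMDM_TEMPLATE = re.compile(r"^SCMDM(?:2008)?MobileDevice(?: \((?P<instance>[^)]+)\))?$")
THUMBPRINT = re.compile(r"^[0-9A-F]{40}$")        # certificate hash = SHA-1 thumbprint, hex
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"                    # timestamp form used by the CertificateStore CSP

# Constructed sample: the CertificateStore/MY result from the article (some parameters omitted)
# plus a second, unrelated certificate that must be skipped.
MY_STORE_RESULT = """<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="MY">
      <characteristic type="64BB2D1FAD191B04D33D04781CE9ECC8F7D9BAE5">
        <parm name="ValidTo" value="2010-04-24T20:46:27Z" />
        <noparm name="TemplateName" />
        <characteristic type="RenewalInfo">
          <parm name="ServerName" value="rapp57.amer.contoso.com" />
          <parm name="Template" value="SCMDM2008MobileDevice" />
        </characteristic>
      </characteristic>
      <characteristic type="0123456789ABCDEF0123456789ABCDEF01234567">
        <parm name="ValidTo" value="2011-01-01T00:00:00Z" />
        <characteristic type="RenewalInfo"><parm name="Template" value="User" /></characteristic>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

# Constructed sample: the decisive lines of the DeviceEnrollLog.txt shown in the article.
ENROLL_LOG = """Template: SCMDM2008MobileDevice
RequestID For Enrollment: 136756
Enrollment or Renewal: Renewal
Status Upon Completion: Successful"""

def _parm(node, name):
    """Value of <parm name=...> directly under node; None if absent or noparm."""
    p = node.find(f"./parm[@name='{name}']")
    return None if p is None else p.get("value")

def find_scmdm_certificate(store_xml):
    """SCMDM device certificate from a MY store query result, or None. Uses RenewalInfo/Template
    because TemplateName is empty (noparm) in the result."""
    root = ET.fromstring(store_xml)
    for cert in root.findall("./characteristic[@type='CertificateStore']/"
                             "characteristic[@type='MY']/characteristic"):
        renewal = cert.find("./characteristic[@type='RenewalInfo']")
        match = SCMDM_TEMPLATE.match(_parm(renewal, "Template") or "") if renewal is not None else None
        if match:
            return {"hash": cert.get("type").upper(), "template": match.group(0),
                    "instance": match.group("instance"), "server": _parm(renewal, "ServerName"),
                    "valid_to": _parm(cert, "ValidTo")}
    return None

def _utc(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)

def days_until_expiry(valid_to, now=None):
    """Days left before ValidTo (negative once expired); now defaults to the current UTC time."""
    return (_utc(valid_to) - (_utc(now) if now else datetime.now(timezone.utc))).days

def _operation_node(operation_id):
    """CertificateEnroller/Operation/RenewOperation/<operation_id> skeleton; returns (doc, leaf)."""
    doc = ET.Element("wap-provisioningdoc")
    node = ET.SubElement(doc, "characteristic", type="CertificateEnroller")
    node = ET.SubElement(node, "characteristic", type="Operation")
    node = ET.SubElement(node, "characteristic", type="RenewOperation")
    return doc, ET.SubElement(node, "characteristic", type=operation_id)

def build_renew_request(cert_hash, operation_id=None):
    """Document asking the CertificateEnroller CSP to renew cert_hash; returns (operation_id, xml)."""
    cert_hash = cert_hash.upper()
    if not THUMBPRINT.match(cert_hash):
        raise ValueError("certificate hash must be a 40-hex-digit SHA-1 thumbprint")
    operation_id = operation_id or str(uuid.uuid4())   # fresh GUID unless the caller supplies one
    doc, leaf = _operation_node(operation_id)
    ET.SubElement(leaf, "parm", name="RenewCertificateHash", value=cert_hash)
    return operation_id, ET.tostring(doc, encoding="unicode")

def build_status_query(operation_id):
    """Document that queries the Status parameter of the same renewal operation."""
    doc, leaf = _operation_node(operation_id)
    ET.SubElement(leaf, "parm-query", name="Status")
    return ET.tostring(doc, encoding="unicode")

def parse_enroll_log(log_text):
    """Turn the 'Key: value' lines of DeviceEnrollLog.txt into a dict (other lines are ignored)."""
    pairs = (line.partition(":") for line in log_text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def renewal_succeeded(log_text, template):
    """True when the log records a successful Renewal for the given template."""
    f = parse_enroll_log(log_text)
    return (f.get("Enrollment or Renewal") == "Renewal" and f.get("Template") == template
            and f.get("Status Upon Completion") == "Successful")

if __name__ == "__main__":
    cert = find_scmdm_certificate(MY_STORE_RESULT)
    print(cert["hash"], "expires in", days_until_expiry(cert["valid_to"]), "days")
    op_id, request = build_renew_request(cert["hash"])
    print(request, build_status_query(op_id), sep="\n")
    print("renewal succeeded:", renewal_succeeded(ENROLL_LOG, cert["template"]))
```

The thumbprint is validated and upper-cased before it is put into the request, and the same operation id is reused for the status query, which is the part that is easy to get wrong when the two documents are built in different places. The log check deliberately matches on the template as well as on the status, so a successful log entry from an unrelated enrollment is not mistaken for the SCMDM renewal.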