I’am receiving lot’s of questions (internally and externally) regarding certificates and and applications or cab file signing in Windows Mobile. This small how-to describes how to install certificate into device and using it for files and applications signing in the future deployment.

All tools considered in this blogpost are available in the Windows Mobile SDK or other Microsoft’s resource kits. Please note that makecert.exe tool is only for demonstration and educational purposes. It creates certificates but it’s ineligible for productions scenarios. You should use certificate issued by certification authority in your organization instead.

If you don’t understand what I’am talking about or you are not familiar with Windows Mobile security model, you should read at least this TechNet article. More preferably read this: Security Model for Windows Mobile 5.0 and Windows Mobile 6 for full understanding.

Step 1. Creating the certificate

Use the makecert.exe to create the certificate file and private key.

  1. Run makecert.exe to create private key and certificate
C:\Tools> makecert.exe -n "CN=Testing CA" -sv private_key.pvk testing_certificate.cer
  1. Click None button in the following dialog

private key password 280x200

  1. In Windows Explorer, double-click the testing_certificate.cer
  2. Choose the Details tab.

certificate details 335x415

  1. Click Copy to File… button
  2. Click Next button

certificate export wizard 375x340

  1. Choose Base-64 encoded X.509 (.CER) and click Next button

Export to base64 380x345

  1. Use testing_certificate_base64.cer as the filename and click Next button

Save base64 385x350

  1. Click Finish button

Finish wizard 380x350

Step 2. Certificate provisioning XML

Write provisioning file that uses CertificateStore configuration service provider to add certificate from previous task into the Privileged Execution Trust Authorities. Follow steps in this complex task.

  1. Create following XML document (with notepad.exe) and name it _setup.xml
    <characteristic type="CertificateStore">
        <characteristic type="Privileged Execution Trust Authorities"> 
            <characteristic type="CERTHASH"> 
                <parm name="EncodedCertificate" value="BASE64ENCODEDCERT"/> 
  1. In Windows Explorer, double-click the testing_certificate.cer
  2. Choose the Details tab.

Certificate hash 365x445

  1. Choose Thumbprint in the list box, select the text, and then press CTRL+C.
  2. Replace CERTHASH in _setup.xml with the copied text. Delete the spaces between digits!
<characteristic type="Privileged Execution Trust Authorities"> 
    <characteristic type="3275d56c0450425e91f51cfaad2164ecee2d2d63"> 
        <parm name="EncodedCertificate" value="BASE64ENCODEDCERT"/> 
  1. Open the testing_certificate_base64.cer using a notepad.exe
  2. Select text between —BEGIN CERTIFICATE— and —END CERTIFICATE—. This text is the encoded content of the certificate. Copy selected text by pressing Ctrl-C.

Certificate in notepad 533x325

  1. In the XML document, replace BASE64ENCODEDCERT with the copied text by pressing Ctrl-V
<characteristic type="Privileged Execution Trust Authorities"> 
    <characteristic type="3275d56c0450425e91f51cfaad2164ecee2d2d63"> 
        <parm name="EncodedCertificate" 
  1. Save the XML document

Step 3. Deploying certificate into device

Make cab file from provisioning file created in previous task and execute it in the device.

  1. Run makecab.exe
C:\Tools> makecab.exe _setup.xml cert_deploy.cab
  1. Copy cert_deploy.cab into device via ActiveSync or SD card.
  2. Execute the cert_deploy.cab

Step 4. Signing the application or cab file

Use signcode.exe to sign your application or installation cab. Let?s assume the file for signing is called myApplication.exe

C:\Tools> signcode -v private_key.pvk -spc testing_certificate.cer myApplication.exe

After executing this application on your device, no security warning will be displayed and privileged mode will be delegated.