Installing Windows Mobile 6.0 Root Certificates

Recently I ran into a situation where we had purchased an Exchange certificate from a fairly common certificate authority (GeoTrust) and everything worked well with browsers automatically trusting the certificate… and then we picked up a Windows Mobile 6.0 device from Verizon. For whatever reason, Verizon or Microsoft has decided this particular CA was not trustworthy and isn’t in the default list, so ActiveSync fails to connect to the Exchange server. Fortunately, we can force the device to trust the certificate.

Windows Mobile 6.0 brought a change in how to install certificates. Users cannot install a certificate into the root certificates store on a phone unless the certificate is self-signed. This ensures that only true root certificates exist in the root store.

The pain here is that when you try installing a certificate such as the one used to secure Outlook Web Access, it gets dumped in the personal store, and ActiveSync won’t connect because it can’t verify the certificate authority associated with the certificate. The solution is to get the certificate authority’s self-signed certificate into the root store. We can do this with the following steps:

  1. Open Internet Explorer and navigate to the site securing OWA. Click the lock next to the address bar.

  2. Click the View Certificates link.

  3. Click the Certification Path tab at the top.

  4. Click the top certificate name first (the root CA) and then click View Certificate.

  5. Click the Details tab.

  6. Click the Copy to File… button.

  7. Click Next to start the Certificate Export Wizard.

  8. Click Next to export the certificate as a DER encoded binary X.509 (.CER).

  9. Browse to a location where you’d like to save the certificate and give it a name.

  10. Click Finish to complete the Certificate Export Wizard.

  11. You should see a dialog that the export was successful.

  12. Now copy that .cer file you created to the device in some way. Via a storage card, USB cable, Bluetooth, whatever. Just get the .cer in the file structure of the phone somehow.

  13. Power up the phone and click Start.

  14. Find and open File Explorer.

  15. Locate the .cer file you copied to the phone. I called mine root.cer.

  16. Press Menu and then Install.

  17. You should see a dialog that the install was successful. I’ve seen it fail on the first attempt before, so try a few times if you get an error. Press OK.

  18. Navigate to the phone’s Settings option.

  19. Click on Security and press OK.

  20. Click on Certificates and press OK.

  21. Click on Root and press OK.

  22. Scroll to the end of the certificates list or keep pressing More. You should see the certificate you installed listed at the very end of the list. If it’s not there, try starting over and making sure you’re exporting the certificate authority’s certificate, and not yours.

You can now test ActiveSync and it should be able to connect to the Exchange server without ever needing to install your OWA certificate. It’s automatically trusted because the certificate authority now exists in your root certificates store.
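A pre-flight check for the exported file, added here as an example and not part of the original post: because the device only accepts a self-signed certificate into the root store, it confirms that the issuer and subject names in a DER .cer match and picks the root out of a certification path. It compares names only (it does not verify the signature), and the sample path is a constructed skeleton with made-up names, not real certificates.

```python
def read_tlv(buf, pos=0):
    """Parse one DER element at pos: (tag, whole_element, content, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], buf[pos + hdr:end], end

def issuer_and_subject(der):
    """Return the raw DER Name elements (issuer, subject) of a certificate."""
    tbs = read_tlv(read_tlv(der)[2])[2]   # Certificate -> TBSCertificate
    pos = read_tlv(tbs)[3] if tbs[0] == 0xA0 else 0  # skip optional [0] version
    fields = []
    for _ in range(5):        # serial, sigAlg, issuer, validity, subject
        _tag, element, _content, pos = read_tlv(tbs, pos)
        fields.append(element)
    return fields[2], fields[4]

def is_self_issued(der):  # issuer == subject: precondition for the Root store
    issuer, subject = issuer_and_subject(der)
    return issuer == subject

def root_candidates(path):  # indexes in a certification path worth exporting
    return [i for i, der in enumerate(path) if is_self_issued(der)]

# Constructed sample: DER skeletons with made-up names, not real certificates.
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def skeleton(issuer_cn, subject_cn):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

SAMPLE_PATH = [skeleton("Example Root CA", "Example Root CA"),
               skeleton("Example Root CA", "Example Issuing CA"),
               skeleton("Example Issuing CA", "mail.example.test")]
```

To check a real export, pass the file's bytes, for example `is_self_issued(open("root.cer", "rb").read())`.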

Peanut Gallery

  1. Thanks that worked!

     
  2. Thanks for posting this. Very helpful for a first time installation of a certificate to Windows Mobile.

     
  3. My copy function is grayed out. Is there something else I need to do?

     
  4. hi

    I have followed above mentioned steps.

    My certificate installs in intermediate and not Root.!!!

    and I am still getting the same error message!!

    any help, I will appreciate.

    thanks

     
  5. Thanks a lot, this was very helpful, my IT department hasn’t been able to help me but the step-by-step screen shots certainly helped

     
  6. So what did u do Rich, when the Copy to File button is greyed out?

     
  7. My copy to file button is also greyed out.

     
  8. Perfect guide! Thanks a lot. I didn’t have to perform steps 18-22 on my brand new HTC Diamond2.

     
  9. Rich, you need to run IE as administrator

     
  10. Thank you for posting this… very helpful for windows mobile users and developers.

     
  11. I have a new HTC HD2 device and couldn’t synchronise with OWA because of 0x80072F0D error. I followed the steps deeeopped above and… it works!

    Thanks a lot

    The most amazing is that the customer service of HTC didn’t know the answer!

     
  12. It’s very helpful. Tested on Samsung Omnia. Everything works fine

     
  13. Yup…your instructions are on target. Thanks

     
  14. Good advice, worked on HTC s740…!

     
  15. New HTC HD2, worked perfectly, very clear, thanks, saved me a lot of grief!

     
  16. hey everyone,

    have the same problem as victor, my cert installs as intermediate and not as root, what can I do about it??? anyone has any answers how to solve this?

    thx for your help poldy

     
  17. I am using an HTC Diamond2 and I am amazed at how far back Windows Mobile 6.5 is.

    The AppleOS on the iPhone finds the certificate automatically and says ‘Do you want to install it’ and it’s job done.

    Why is windows mobile so useless?

     
  18. Wow! This advice is from 2007 and it is still valid :-)

    I walked through step by step and my HD2 with WM6.5.1 is synchronizing again!

    Thanks a lot!

     
  19. Thanks a lot

    I walked through step by step and my HD2 is synchronizing again!

     
  20. Anyone having trouble with not being able to install certificates to the root section, ensure you select THE TOP LEVEL certificate in the list from the OWA Certification Path settings. You may have more than 2 levels of certificates in the OWA list, it’s easy to mistakenly select the last/lowest in the list, when you actually need the top level one.

    S.

     
  21. Perfect ! Thanks a lot, quite straightforward guide

     
  22. works like a charm! thanks for posting this!

     
  23. Hi, thanks for the tutorial, but I’ve tried it and my root certificate installs as intermediate. I’ve checked that I was at the top level. Has somebody resolved this issue??

     
  24. If you have lots of users needing it. Zip the file and post it on your internet.

    then send out this email

    To all staff with a Windows Mobile company ‘phone (i.e. not Blackberry or iPhone) will have noticed their phones were not automatically updating for the last day or so.

    Please read the below instructions and follow on the ‘phone itself:

    1) Click this link: https://YourWebAddress/root.zip

    2) Click “Open”.

    3) Expand “root.zip” by clicking the + symbol.

    4) Double click “root.cer”.

    5) Click “OK” on the message “One or more certificates were installed successfully” – it will take about 10 seconds to appear after double clicking.

    6) Close the Zip window, the download window and the browser.

    7) Click “Start” in the top left corner.

    8) Scroll down until you find the “Tools” button and click it.

    9) Click “ActiveSync”

    10) Click “Sync”

    Your emails should now come through automatically again.

    If you are still not getting emails, follow steps 7-10 again. If it still does not work, restart the phone by holding the hang up button for 5 seconds, then click “Power Off”. Once the device is off, press the hang up button again to turn back on.

    Any problems, please call IT on the below number.

    Apologies for the inconvenience – our certificate vendor has upgraded their security and the preloaded certificates we shipped with the ‘phones would not accept the high security settings.

    Many Thanks,

     
  25. I have only one certificate level and when I install it goes in intermediate level not the root. I am using Blackjack 2 windows mobile 6.1. Can anyone please suggest any help? How to move the certificate from intermediate to root? Or to disable the certificate check of active sync completely?

     
  26. Thanks very much! It helped me fix my problem!!

     
  27. Still haven’t got it working but at least have now realised that the Secure Server Certification Authority certificate expired a month ago which is probably causing the issue!

     
  28. Post 21 solved it for me.

    Thank you.

     
  29. I love you! I was almost at the point of throwing myself out the window trying to get Email Synchronised, Microsoft help docs are absolutely useless but with your help it’s finally working!

     
  30. I have to mark here. This is the only workable method to me after I tried many kinds of ways, searching on Google, Microsoft support. It’s a total solution, not just a not clear diagnosis again.

     
  31. Yep this worked – all IT dept could do was tell me the certificate was never designed to work with WM6.1 or lower. Sounds like it was just bad Cert creation on their part when they compiled it without selecting the certificate’s top level as described in your step 4 above. Wish I had searched for this 2 weeks ago rather than wait for their “this can never work” response.

     
