Installing Windows Mobile 6.0 Root Certificates
Recently I ran into a situation where we had purchased an Exchange certificate from a fairly common certificate authority (GeoTrust) and everything worked well with browsers automatically trusting the certificate… and then we picked up a Windows Mobile 6.0 device from Verizon. For whatever reason, Verizon or Microsoft has decided this particular CA was not trustworthy and isn’t in the default list, so ActiveSync fails to connect to the Exchange server. Fortunately, we can force the device to trust the certificate.
Windows Mobile 6.0 brought a change in how to install certificates. Users cannot install a certificate into the root certificates store on a phone unless the certificate is self-signed. This ensures that only true root certificates exist in the root store.
The pain here is that when you try installing a certificate such as the one used to secure Outlook Web Access it gets dumped in the personal store, and ActiveSync won’t connect because it can’t verify the certificate authority associated with the certificate. The solution is to get the certificate authority’s self-signed certificate into the root store. We can do this with the following steps:
1. Open Internet Explorer and navigate to the site securing OWA. Click the lock next to the address bar.
![C 00](https://confusedamused.com/wp-content/uploads/2007/10/c-001.png)
2. Click the **View Certificates** link.
![C 01](https://confusedamused.com/wp-content/pictures/2007/10/c-01.png)
3. Click the **Certification Path** tab at the top.
![C 02](https://confusedamused.com/wp-content/pictures/2007/10/c-02.png)
4. Click the top certificate name first (the root CA) and then click **View Certificate**.
![C 03](https://confusedamused.com/wp-content/pictures/2007/10/c-03.png)
5. Click the **Details** tab.
![C 04](https://confusedamused.com/wp-content/pictures/2007/10/c-04.png)
6. Click the **Copy to File…** button.
![C 05](https://confusedamused.com/wp-content/pictures/2007/10/c-05.png)
7. Click **Next** to start the Certificate Export Wizard.
![C 06](https://confusedamused.com/wp-content/pictures/2007/10/c-06.png)
8. Click **Next** to export the certificate as a DER encoded binary X.509 (.CER)
![C 07](https://confusedamused.com/wp-content/pictures/2007/10/c-07.png)
9. Browse to a location where you’d like to save the certificate and give it a name.
![C 08](https://confusedamused.com/wp-content/pictures/2007/10/c-08.png)
10. Click **Finish** to complete the Certificate Export Wizard.
![C 09](https://confusedamused.com/wp-content/pictures/2007/10/c-09.png)
11. You should see a dialog that the export was successful.
![C 10](https://confusedamused.com/wp-content/pictures/2007/10/c-10.png)
12. Now copy that .cer file you created to the device in some way. Via a storage card, USB cable, Bluetooth, whatever. Just get the .cer in the file structure of the phone somehow.
13. Power up the phone and click **Start**.
![W 01](https://confusedamused.com/wp-content/pictures/2007/10/w-01.png)
14. Find and open **File Explorer**.
![W 02](https://confusedamused.com/wp-content/pictures/2007/10/w-02.png)
15. Locate the .cer file you copied to the phone. I called mine root.cer.
![W 03](https://confusedamused.com/wp-content/pictures/2007/10/w-03.png)
16. Press **Menu** and then **Install**.
![W 05](https://confusedamused.com/wp-content/pictures/2007/10/w-05.png)
17. You should see a dialog that the install was successful. I’ve seen it fail on the first attempt before, so try a few times if you get an error. Press **OK**.
![W 06](https://confusedamused.com/wp-content/pictures/2007/10/w-06.png)
18. Navigate to the phone’s **Settings** option.
![W 07](https://confusedamused.com/wp-content/pictures/2007/10/w-07.png)
19. Click on **Security** and press OK.
![W 08](https://confusedamused.com/wp-content/pictures/2007/10/w-08.png)
20. Click on **Certificates** and press OK.
![W 09](https://confusedamused.com/wp-content/pictures/2007/10/w-09.png)
21. Click on **Root** and press OK.
![W 10](https://confusedamused.com/wp-content/pictures/2007/10/w-10.png)
22. Scroll to the end of the certificates list or keep pressing **More**. You should see the certificate you installed listed at the very end of the list. If it’s not there, try starting over and making sure you’re exporting the certificate authority’s certificate, and not yours.
![W 11](https://confusedamused.com/wp-content/pictures/2007/10/w-11.png)
You can now test ActiveSync and it should be able to connect to the Exchange server without ever needing to install your OWA certificate. It’s automatically trusted because the certificate authority now exists in your root certificates store.