Certificate Installer

4/8/2010

The Certificate Installer component enables installation of certificates through various file formats:

• .PFX/.P12 – Public-Key Cryptography Standards #12 (PKCS #12) format files that include personal certificates with private keys as well as certificates that install into the intermediate and root certificate stores.
• .CER – Base64-encoded or DER-encoded X.509 certificates that install into the intermediate and root certificate stores.
• .P7B - Public-Key Cryptography Standards #7 (PKCS #7) format files that install multiple certificates to any certificate store on the device.

The .PFX, .P12, .P7B or .CER files are opened from the file explorer on the device and the certificate installer is executed to process the file automatically. The following is a list of file types and the certificates and keys they support:

• .PFX/.P12 - Supports one or more certificates and one or more private keys.
• .CER - Supports one certificate. No private key.
• .P7B - Supports one or more certificates. No private keys.
• CertEnroll - Enrolls for the cert+private key for the user and installs the related certificate chain.

The files can get to the device through desktop ActiveSync explore, storage card, e-mail attachment, Mobile Internet Explorer file download or download from a file share (Windows Mobile Professional devices only).

Certificate Installer

Every certificate contains a subject field that identifies the individual or group to which the certificate was issued. Every certificate also contains an issuer field that identifies the certificate authority, which is an entity entrusted to issue certificates that assert that the recipient individual, computer, or organization requesting the certificate fulfills the conditions of an established policy.

Certificate Chains

A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate certificate authorities, and the certificate of a root certificate authority trusted by all parties in the chain. Every intermediate certificate authority in the chain holds a certificate issued by the certificate authority one level above it in the trust hierarchy. The root certificate authority issues a certificate for itself.

Algorithm for Adding Certificate Chains

When importing the certificate for a client, the certificate chain may be included in the .PFX file. This enables the device to authenticate the intermediate and root certificates associated with the end certificate. All certificates in the chain will be added to the appropriate certificate stores on the device to enable trust validation.

If the chain certificates are included in the .PFX file, the application processes the chain certificates as follows:

1. Store the subject certificate in the MY certificate store. The subject certificate has a public key associated with the private key that is being added to the device as a part of the PFX import.
2. Check for existence and install any certificate that meets the following requirements into the ROOT certificate store:
   • The certificate is self-signed by its own private key.
   • The issuer of the certificate is the same as the subject of the certificate.
   • Check for the existence of and install any other certificates provided in the chain (intermediate certificates) to the CA certificate store.

Remarks

It is assumed that the user has a way to copy a file to the device's file system by using a storage card, desktop ActiveSync, or a file share connection over the network.

The CertInstaller tool will add certificates to the user (HKCU) MY, CA, or ROOT certificate stores.

Requirements

See Also

Other Resources

Certificates and Public Keys
Certificate Chains