Share via


Device Certificate Management Overview

The Certificate Management pane is the part of the Device Security Manager that is used to view, add, and remove certificates for Windows Mobile devices and emulators. To see the Certificate Management pane, click Device Security Manager on the Tools Menu and then click Certificate Management.

Certificate Stores on Windows Mobile Devices

There are six certificate stores for Windows Mobile-based devices, and the Certificate Management pane provides access to three of them: PrivilegedStore, StandardStore, and SPC Store. For information about how to manage certificates, see How to: View/Add/Remove Certificates (Devices). The following table provides details about the certificate stores.

Certificate Store

Description

Privileged Store

Formally known as the Privileged Execution Trust Authorities Store, this certificate store contains the Privileged Trust Certificates. Applications signed with these certificates run with the Privileged trust level. For more information about trust levels, see Application Trust Levels.

Standard Store

Formally known as the Unprivileged Execution Trust Authorities Store, this certificate store contains the Unprivileged Trust Certificates. Applications signed with these certificates run with the Normal trust level.

SPC Store

Formally known as the Software Publishing Certificates Store, this certificate store contains certificates for signing cabinet (CAB) files, and for assigning the correct security role to the application installation.

How Certificates affect Application Execution

When you execute a signed application or CAB, the application loader determines whether the application or cab is signed with a certificate in your store. There are three possible scenarios:

  1. The application or CAB is signed with a certificate that is in the Privileged Store and will execute with privileged trust level.

  2. The application or CAB is signed with a certificate that is in the standard store. If the device has a two-tier security model, the application executes in Normal trust level with limited to access to certain APIs and registry keys. Otherwise, the device has a one-tier security model and the application executes in Privileged trust level with full rights. For a list of restricted system APIs and registry keys, see Trusted APIs.

  3. The application or CAB is signed with a certificate that is not in any certificate store. The application will execute only if your device’s security policy permits the execution of unsigned applications.

    Note

      Privileged trust level is also known as trusted execution. Normal trust level is also known as untrusted execution.

Certificate Properties and Fields

Property

Description

Issuer

Name of the certification authority which issued the certificate.

Serial Number

Serial number of the certificate. This number is assigned by the issuer and is unique in the issuer's list of issued certificates.

SHA-1 Hash

The digital signature of the certificate produced by the certificate authority's private key.

Issued By

The source that provided the certificate.

Issued To

The owner of the certificate.

Valid To

End date of the certificate's validity.

Valid From

Start date of the certificate's validity.

Hash

The digital signature of the certificate, produced by the certificate authority's private key.

Role

An identifier that enforces security settings and determines the access level for a certificate. For more information, see Security Roles.

EncodedCertificateValue

An identifier that tracks the validity of the certificate against the certificate revocation lists (CRLs).

See Also

Tasks

How to: Install SQL Server Compact 3.5 on a Device

Concepts

Configuring Security on Windows Mobile Devices