Share via


Certificate Management in Windows Mobile Devices

4/8/2010

OEMs, mobile operators, and application developers use certificates to sign applications and files that run on Windows Mobile. Certificates are contained in certificate stores in the registry of the device.

On Windows Mobile Version 5.0 devices, the certificate stores ROOT and CA are locked to everyone except those with the Manager role, to ensure the integrity of the digital certificates.

In Windows Mobile 6, the certificate stores ROOT and CA were expanded to include separate user stores that allow device users with the AuthenticatedUser role to install or enroll digital certificates. The system ROOT and CA stores remain locked to those without the Manager or Enterprise role.

In Windows Mobile 6.1, the MY certificate store has been expanded to include a separate system store that allows those with the Manager role to install or enroll certificates.

The following table shows the certificate stores and their uses and permissions.

Logical Store Physical Store Description

Privileged Execution Trust Authorities

HKEY_LOCAL_MACHINE

Contains trusted certificates. Applications signed with a certificate from this store will run with privileged trust level (Trusted).

Unprivileged Execution Trust Authorities

HKEY_LOCAL_MACHINE

Contains normal certificates. On a 1-tier device, an application signed with a certificate in this store will run with privileged trust level (Privileged). On a 2-tier device, applications signed with a certificate from this store will run with normal level (Normal).

SPC

HKEY_LOCAL_MACHINE

Contains Software Publishing Certificates (SPC) used for signing .cab or .cpf files and assigning the correct role mask to the file installation.

ROOT (system)

HKEY_LOCAL_MACHINE

Contains root, or self-signed, certificates. These certificates are used for SSL server authentication. These cannot be changed without Manager role permissions.

ROOT (user)

HKEY_CURRENT_USER

Contains root, or self-signed, certificates that can be installed by the authenticated device user.

> [!NOTE] > This is new for Windows Mobile 6.

CA (system)

HKEY_LOCAL_MACHINE

Contains certificates from intermediary certification authorities. They are used for building certificate chains.

CA (user)

HKEY_CURRENT_USER

Contains certificates, including those from intermediary certification authorities, which can be installed by the device user with AuthenticatedUser role permissions. They are used for building certificate chains.

> [!NOTE] > This is new for Windows Mobile 6.

MY (system)

HKEY_LOCAL_MACHINE

Contains end-user personal certificates used for certificate authentication or S/MIME. These cannot be changed without Manager role permissions.

MY (user)

HKEY_CURRENT_USER

Contains end-user personal certificates used for certificate authentication or S/MIME.

The certificate stores are located in two areas of the registry:

  • HKEY_CURRENT_USER\Comm\Security\SystemCertificates
  • HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates

It is important to understand that HKEY_LOCAL_MACHINE\Comm is a protected registry key. This means that only privileged or trusted applications can read and write to these locations. Normal applications can only read from these locations and they cannot write.

See Also

Concepts

Certificate Management and Application Signing for Mobile Operators
Certificate Management and Application Signing for Application Developers
Windows Mobile PKI Hierarchy
Mobile2Market Program
Removing Test and Development Certificates