Share via


CertificateStore Configuration Service Provider

4/8/2010

The CertificateStore configuration service provider allows you to add security certificates, role masks, private key containers, and renewal information to the device’s certificate store.

Starting in Windows Mobile 6.5, the functionality of the CertificateStore configuration service provider has been extended so that running under the SECROLE_USER_AUTH role, you can add, delete, or query certificates in the HKCU (User) CA, MY, and ROOT certificate stores. If SECROLE_USER_AUTH is granted the SECROLE_MANAGER role on the device, you can also add certificates to the HKLM (System) certificate stores. For more information about the certificate stores on mobile devices, see Certificate Management in Windows Mobile Devices.

Note

This configuration service provider can be managed over both the OMA DM and the OMA Client Provisioning protocol.

Note

Access to this configuration service provider is determined by security roles. Because OEMs and mobile operators can selectively disallow access, ask them about the availability of this configuration service provider. For more information about roles, see Security Roles and Default Roles for Configuration Service Providers.

The ROOT, MY, and CA certificate stores have been segmented into System and User stores. This segmentation allows the user to insert or remove certificates in the User store while the System certificates remain protected. You can use the User and System parms to designate the segment to query or install a certificate.

To add or update the security roles for a specific certificate in the SPC, Privileged Execution Trust Authorities, or Unprivileged Execution Trust Authorities store, in the provisioning XML you must provide the Role parm and the encoded certificate that is set by the EncodedCertificate parm.

Note

The CertificateStore configuration service provider supports only SHA1 hashes in all of its operations. MD5 hashes are not supported.

The default metabase settings for the CertificateStore configuration service provider are as follows:

  • Unprivileged Execution Trust Authorities\*
    Applications signed with a certificate belonging to this store will run with normal trust level. This setting is a string that has read/write permissions. The Manager role is allowed to query and update this setting.

    Note

    This setting is available only for Windows Mobile Standard.

  • Privileged Execution Trust Authorities\*
    Applications signed with a certificate belonging to this store will run with privileged trust level. This setting is a string that has read/write permissions. The Manager role is allowed to query and update this setting.

The following image shows the management object used by OMA DM.

Bb737346.ff5a2043-f4ac-4425-8ea6-7820a25af1df(en-us,MSDN.10).gif

The following image shows the configuration service provider in tree format as used by OMA Client Provisioning.

Bb737346.f7335335-3f06-491d-9128-f7b4e3fae2ff(en-us,MSDN.10).gif

These images show the default stores. You can create other certificate stores that can also be managed by this configuration service provider.

For CertificateStore configuration service provider examples, see CertificateStore Configuration Service Provider Examples for OMA Client Provisioning.

Characteristics

  • */ < certificate hash >
    A second-level characteristic that specifies the SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal format.
  • CA
    A certificate store that contains cryptographic information, including intermediary certification authorities.

    The following table shows the default settings.

    Permissions

    Read/Write

    Data type

    String

    Roles allowed to query and update setting

    For HKLM stores:

    Manager

    For HKCU stores:

    Manager

    User_Auth

  • MY
    A certificate store that contains end-user personal certificates.

    The following table shows the default settings.

    Permissions

    Read/Write

    Data type

    String

    Roles allowed to query and update setting

    For HKLM stores:

    Manager

    For HKCU stores:

    Manager

    User_Auth

  • PrivateKeyContainer
    Applies to MY/HKLM only. Specifies where to find the private key associated with a certificate.

    This parameter is a "Write Once" parameter, which means that you can set it when you create the PIM item, but after the item has been saved, this property cannot be modified.

    The following table shows the default settings.

    Permissions

    Read/Write

    Data type

    Node

    Roles allowed to query and update setting

    Manager

  • Privileged Execution Trust Authorities
    A certificate store that contains privileged trust certificates. Applications signed with a certificate belonging to this store will run with privileged trust level. The role mask does not matter for this store.

    The following table shows the default settings.

    Permissions

    Read/Write

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • RenewalInfo
    Applies to MY/HKLM only. Stores renewal information associated with a certificate.

    The following table shows the default settings.

    Permissions

    Read/Write

    Data type

    Node

    Roles allowed to query and update setting

    Manager

  • ROOT
    A certificate store that contains root, or self-signed, certificates.

    The following table shows the default settings.

    Permissions

    Read/Write

    Data type

    String

    Roles allowed to query and update setting

    For HKLM stores:

    Manager

    For HKCU stores:

    Manager

    User_Auth

  • SPC
    The Software Publishing Certificate (SPC) is used for signing .cab files and assigning the correct role mask to the .cab file installation.

    The following table shows the default settings.

    Permissions

    Read/Write

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • System
    A segment of the ROOT, MY, and CA certificate stores that contains certificates that can only be changed under the Manager role.

    The following table shows the default settings.

    Permissions

    Read/Write

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • Unprivileged Execution Trust Authorities
    A certificate store that contains unprivileged trust certificates. Applications signed with a certificate belonging to this store will run with normal trust level. The role mask does not matter for this store.

    Note

    This setting is available only for Windows Mobile Standard.

    The following table shows the default settings.

    Permissions

    Read/Write

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • User
    A segment of the ROOT, MY, and CA certificate stores that contains certificates that can be changed under the User_Auth role.

    The following table shows the default settings.

    Permissions

    Read/Write

    Required?

    No

    Data type

    String

    Roles allowed to query and update setting

    Manager

    User_Auth

Parameters

  • ContainerName
    The ContainerName property retrieves the private key container name.

    Permissions

    Read/Write

    Required?

    Yes

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • EncodedCertificate
    This parm is used in all CertificateStore characteristics to specify a Base64 Encoded X.509 certificate.
  • IssuedBy
    This read-only parm shows the name of the certificate issuer. This information is the Issuer member in the CERT_INFO structure.

    The following table shows the default settings.

    Permissions

    Read-only

    Data type

    String

    Roles allowed to query and update setting

    Manager

    User_Auth

  • IssuedTo
    This read-only parm shows the name of the certificate subject. This information is the Subject member in the CERT_INFO structure.

    The following table shows the default settings.

    Permissions

    Read-only

    Data type

    String

    Roles allowed to query and update setting

    Manager

    User_Auth

  • KeySpec
    The KeySpec property sets or retrieves the type of key generated.

    Permissions

    Read/Write

    Required?

    Yes

    Data type

    DWORD

    Roles allowed to query and update setting

    Manager

  • PickupPage
    Local URL of the Web enrollment services page from which the issued certificate is picked up. The default URL is \certsrv\certnew.asp.

    Permissions

    Read/Write

    Required?

    Yes

    Default Value

    <same as CertEnroll configuration service provider>

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • ProviderName
    The ProviderName property retrieves the name of the cryptographic service provider (CSP).

    Permissions

    Read/Write

    Required?

    Yes

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • ProviderType
    The ProviderType property retrieves a value of the CAPICOM_PROV_TYPE enumeration that specifies the type of provider.

    Permissions

    Read/Write

    Required?

    Yes

    Data type

    DWORD

    Roles allowed to query and update setting

    Manager

  • RequestPage
    Local URL of the Web enrollment services page to which the PKCS#10 blob is submitted. The default URL is \certsrv\certfnsh.asp.

    Permissions

    Read/Write

    Required?

    Yes

    Default value

    <same as CertEnroll configuration service provider>

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • Role
    This parm is used in all CertificateStore characteristics to specify a four-byte bit mask that corresponds to the roles that can be assigned to the certificate. The role mask is only used for certificates in the SPC store. If the Role parm is not specified for certificates that are added to the store, the role mask defaults to 0.
  • ServerName
    The name of the CA server, for example BIGCORP-CA1 or CA1.mycorp.com.

    Permissions

    Read/Write

    Required?

    Yes

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • Template
    The template name of the certificate as used by the CA server.

    Permissions

    Read/Write

    Required?

    Yes

    Default value

    User

    Data type

    String

    Roles allowed to query and update setting

    Manager

  • TemplateName
    This read-only parm specifies the template name used to produce the certificate. This is a X.509 extension that is in szOID_ENROLL_CERTTYPE_EXTENSION.

    The following table shows the default settings.

    Permissions

    Read-only

    Data type

    String

    Roles allowed to query and update setting

    Manager

    User_Auth

  • ValidFrom
    This read-only parm shows the starting date of the certificate's validity. This information is in the NotBefore member in the CERT_INFO structure.

    The following table shows the default settings.

    Permissions

    Read-only

    Data type

    String

    Roles allowed to query and update setting

    Manager

    User_Auth

  • ValidTo
    This read-only parm shows the expiration date of the certificate. This information is in the NotAfter member in the CERT_INFO structure.

    The following table shows the default settings.

    Permissions

    Read-only

    Data type

    string

    Roles allowed to query and update setting

    Manager

    User_Auth

Microsoft Custom Elements

The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.

Element Supported

parm-query

Yes

noparm

No

nocharacteristic

Root level and first level: No

Second level: Yes

characteristic-query

Root level: No

First and second levels: Yes

Recursive: No

Use these elements to build standard OMA Client Provisioning configuration XML. For information about specific elements, see MSPROV DTD Elements. For general examples of how to use the Microsoft custom elements, see OMA Client Provisioning XML File Examples.

For information about OMA Client Provisioning, see OMA Client Provisioning Files.

Remarks

Security roles are used with certificates to enforce security settings that were configured by using security policies.

To set a certificate in the SPC store, the provisioning message must have sufficient permissions. For example:

  • To set a Manager certificate in the SPC store, the provisioning message must have the Manager role (8).
  • To set a User Authenticated certificate in the SPC store, the provisioning message must have the User Authenticated role (16).

See Also

Tasks

CertificateStore Configuration Service Provider Examples for OMA Client Provisioning

Concepts

Configuration Service Provider Reference for Windows Mobile Devices