Windows Mobile PKI Hierarchy
Microsoft provides the Windows Mobile software and Microsoft applications such as Word Mobile, Excel Mobile, and Outlook Mobile. As a platform software vendor and an application software vendor, Microsoft also operates a PKI hierarchy for code signing.
As the platform software vendor, Microsoft is similar to the OEM and operator with the following differences:
- Microsoft does not create the final run-time image for the devices; therefore, Microsoft does not sign applications from third parties and ship them in the platform.
- Most of the platform software is installed in the firmware before the devices reach the user.
- Patches and upgrades are shipped by the OEM or operator.
For cases when a patch or a service pack may require a signed package, Microsoft operates two certificate authority roots. These certificates must be in the Windows Mobile-based devices for the patch or service pack to run on the devices. The following table shows the Windows Mobile software PKI hierarchy.
Certificate | Included in the device? |
---|---|
Windows Mobile-based Device Privileged Component PCA | Yes. Included in the Privileged Certificate Store. Included in the SPC with role mask = 222. |
Windows Mobile-based Device PCA | Yes. Included in the Unprivileged Certificate Store. Included in the SPC with role mask = 16. |