MC9090 WM6.1 MSP/Airbeam Server Certificate Package Install Commands


Audience

Anyone know how I can install a Server Certificate on a WM6.1 device(MC9090) using an Airbeam Package.  I need to build a Package that has the Cert in it as a file but then need to invoke the installation of it.  Is there a Install command line utility to install the cert silently once it is copied down to the device? Thanks

Submitted by DHW736 on May 04, 2019 Permalink

Bill; Yes, I was able to load your cert via an MSP Settings Object with no problem. So, we still don't know what there is about the customer's cert that the Microsoft Windows API doesn't like. I did find another possible way to install the customer's cert. See the following article: http://www.windowsphoneexpert.com/Connection/forums/p/360/1335.aspx When I used Provisioning XML to install the customer's cert, it worked just fine. This may be a workable stopgap for the customer. I am attaching the XML I made so you can save the hand editing.

Submitted by USER02241 on May 04, 2019 Permalink

Allan, my customer is using his own MS CA Authority to retrieve the Cert.  Starting with page 39 of the attached document is the procedure they followed. Thanks for looking at this. Bill

Submitted by DHW736 on May 04, 2019 Permalink

Bill; The only thing I can conclude is that the details of the cert are not supported by the Windows API.  One thing I noticed is that your cert had a 2048 bit key length whereas all the ones I have used that worked successfully had 1024.  1024 was also shown in the document you provided.  Can you try it with 1024 and see if that works any better?

Submitted by USER02241 on May 04, 2019 Permalink

Allen, this is my Cert I use in my lab and it works.  It has a 2048 bit key.  I can't see any difference between mine and my customers Cert except the content. Can you confirm that my cert works? Thanks Bill

Submitted by USER02241 on May 04, 2019 Permalink

Thanks Allan!  I was afraid that would be the answer :)

I am using MSP 3.3, unfortunately I have had no success deploying my customers Cert using a Certificate Settings Object.  I have tried to make it part of a Staging Profile (Under the Additional Settings options), as a Package (Certificate setting in the package) The device displays "Applying Settings Failed"  I may have found a bug I don't know.  I will open a case with the helpdesk and see if they can help. I have attached the Cert Just incase you would like to see it. Thanks again for the response. Bill 

Submitted by DHW736 on May 04, 2019 Permalink

Bill; I tried your cert and had a failure as well.  The API we call in Windows to install the cert is failing.  This seems odd since Windows can install that cert when you click on it.  I can only assume that the cert does not properly conform to the encoding requirements used by that API and Windows may be using some other API.  It is not clear whether it is even possible to replicate what Windows is doing, since it is not covered in the documentation. My best guess is that the conversion to .CER was not done correctly.  Can you provide the original file and the process you used to convert it?

Submitted by fdv684 on May 04, 2019 Permalink

I have a customer using MSP 3.2 to install root certficates onto the MC17. The certicate required the user to to acknowledge the installation of the certficate with a dialog box and this would re-occur on every cold boot. The solution was to use symscript to inject an "enter" key press so the process was automatic and was successful unattended. Symscript closes immediately afterwards and only starts again on the next cold boot to do the same thing again. Script attached, hope it helps.

Submitted by DHW736 on May 04, 2019 Permalink

Bill; There is no generic ulility provided as part of Windows Mobile to install certificates using command lines.  You can examine the Device Registry to see what is invoked when a certificate file is launched from the File Explorer, but that will end up bringing up the UI-based certificate installer, not a silent command-line-based utility. If you are installing a certificate using MSP, the recommended way to do it is using a Certificate Settings Object.  The MSP 3.3 Certificate Settings Object includes the code required to install up to 8 of any combination of CER files (root and server certificates) and/or PFX files (client certificates).  If your certificate is in a different format, it can likely be converted to one of those formats. Note that on Windows Mobile, it is NOT possible to install a Root certificate without device user approval.  Even if the underlying APIs are called directly from code (as the MSP Certificate Settings Object does), Windows Mobile pops up a UI to ask the device user to approve the installation of the Root certificate.  This is a Microsoft-mandated security requirement. You COULD write your own command line utility to install certificates, using similar code to what is in the MSP Certificate Settings Object, although it would have to be changed to understand new formats if you wanted to support anything but CER and PFX files.  Or, you could try to locate a third-party utility to install certificates.  But we aware that such a utility will be subject to the same limitation with regard to Root certificates that was mentioned above.