RE: How do I install a SSL Certificate on a WinCE 5.0 Device?

You need to use the makecab.exe command-line tool, ie:

makecab _setup.xml myCab.cab.

Simply running this cab on the device should install it. I take it your XML
contains the wap-provsioningdoc schema that contains your cert encoded in
base64 x.509?

Alternativly you could provision your device using the DMProcessConfigXML
call.
--
Simon Hart
Visual Developer - Device Application Development MVP
http://simonrhart.blogspot.com


"Greg Hellem" wrote:

> Please excuse me if this has been covered previously, but I've searched for
> the past two days and can only find references to installing certificates
> (for https communications) to PocketPC, Windows Mobile 5/6, and SmartPhones
> but nothing about how to install a cert under WinCE5. Our host server uses a
> SSL Cert issued by VeriSign. I've copied the cert info to my desktop and
> created a _setup.xml as outlined in several posts/blogs but I can't figure
> out how to wrap that xml into a Visual Studio 2005 - SmartDevice CAB File...
> I've successfully copied the .cer file to the WinCE device (Symbol/Motorola
> MC3000 series), executed the Certificates applet in the Control Panel,
> accepted the prompt to add it to the store, and the import worked perfectly.
> But, is there a way for me to call CertManage.exe with some type of /silent
> switch so I can programmatically import the cert without user intervention?
> Or, is there a way for the VS2005 CAB to install the cert when it gets
> expanded/installed? Oh, and this version of WinCE 5.0 doesn't contain any
> VeriSign certs in the OEM Build.
>
> I am investigating how to properly implement these types of certificates
> because this device is apparently using 40 or 56-bit encryption when
> communicating to our SSL Servers and I'm trying to increase the encryption
> level to 128-bit. Our IT Dept increased the security levels on our servers
> to 128-bit and all of a sudden my .NET 2.0 CF apps were unable to
> communicate with the servers until they lowered it back down to 40 or 56-bit
> (something like that).
>
> And I do believe another side-effect of these "low-bit" encryption
> communications (or improperly accepting all cert discrepancies using the
> CheckValidationResult method in the LocalCertificatePolicy) are the fact the
> all of my SOAP Requests greater than or equal to 34K become corrupt towards
> the end of the file, but ONLY when communicating to our SSL Servers. So I
> know I'm doing something wrong in regards to supporting 128-bit
> encryption...
>
> I appreciate any and all responses,
> Thank you!
> [Also posted to microsoft.dotnet.security]
>
>
>

Greg,

I posted a reply to the wrong thread! long day...See (Restart Application
thread)

You have to use CABWIZ.exe for Windows CE devices which itself calls
makecab.exe.
--
Simon Hart
Visual Developer - Device Application Development MVP
http://simonrhart.blogspot.com


"Greg Hellem" wrote:

> Using makecab from the DOS Command Line, with Windows XP Professional,
> creates a cab file, but when I attempt to run/unpack it from the mobile
> device I get this error: The file "\Application\CertTest\rootcert.cab" is
> not a valid Windows CE Setup file.
> And yes, the cert was exported as base64 x.509.
> My _setup.xml consists of the following:
> <wap-provisioningdoc>
> <characteristic type="CertificateStore">
> <characteristic type="ROOT" >
> <characteristic type="26e83d5927f019c3119ee778d6339075344f9f99">
> <parm name="EncodedCertificate" value="
> ....
> .... Blob removed...
> ....
> "/>
> </characteristic>
> </characteristic>
> </characteristic>
> </wap-provisioningdoc>
>
> So any ideas on how I can wrap this in a VS2005 WinCE Setup cab and get it
> to install, or anything else I can try?
> Thanks!
>
> "Simon Hart [MVP]" <srhartone@yahoo.com> wrote in message
> news:09583BD7-3858-4B96-8ADC-E99DD1A06630@microsoft.com...
> > You need to use the makecab.exe command-line tool, ie:
> >
> > makecab _setup.xml myCab.cab.
> >
> > Simply running this cab on the device should install it. I take it your
> > XML
> > contains the wap-provsioningdoc schema that contains your cert encoded in
> > base64 x.509?
> >
> > Alternativly you could provision your device using the DMProcessConfigXML
> > call.
> > --
> > Simon Hart
> > Visual Developer - Device Application Development MVP
> > http://simonrhart.blogspot.com
> >
> >
> > "Greg Hellem" wrote:
> >
> >> Please excuse me if this has been covered previously, but I've searched
> >> for
> >> the past two days and can only find references to installing certificates
> >> (for https communications) to PocketPC, Windows Mobile 5/6, and
> >> SmartPhones
> >> but nothing about how to install a cert under WinCE5. Our host server
> >> uses a
> >> SSL Cert issued by VeriSign. I've copied the cert info to my desktop and
> >> created a _setup.xml as outlined in several posts/blogs but I can't
> >> figure
> >> out how to wrap that xml into a Visual Studio 2005 - SmartDevice CAB
> >> File...
> >> I've successfully copied the .cer file to the WinCE device
> >> (Symbol/Motorola
> >> MC3000 series), executed the Certificates applet in the Control Panel,
> >> accepted the prompt to add it to the store, and the import worked
> >> perfectly.
> >> But, is there a way for me to call CertManage.exe with some type of
> >> /silent
> >> switch so I can programmatically import the cert without user
> >> intervention?
> >> Or, is there a way for the VS2005 CAB to install the cert when it gets
> >> expanded/installed? Oh, and this version of WinCE 5.0 doesn't contain any
> >> VeriSign certs in the OEM Build.
> >>
> >> I am investigating how to properly implement these types of certificates
> >> because this device is apparently using 40 or 56-bit encryption when
> >> communicating to our SSL Servers and I'm trying to increase the
> >> encryption
> >> level to 128-bit. Our IT Dept increased the security levels on our
> >> servers
> >> to 128-bit and all of a sudden my .NET 2.0 CF apps were unable to
> >> communicate with the servers until they lowered it back down to 40 or
> >> 56-bit
> >> (something like that).
> >>
> >> And I do believe another side-effect of these "low-bit" encryption
> >> communications (or improperly accepting all cert discrepancies using the
> >> CheckValidationResult method in the LocalCertificatePolicy) are the fact
> >> the
> >> all of my SOAP Requests greater than or equal to 34K become corrupt
> >> towards
> >> the end of the file, but ONLY when communicating to our SSL Servers. So I
> >> know I'm doing something wrong in regards to supporting 128-bit
> >> encryption...
> >>
> >> I appreciate any and all responses,
> >> Thank you!
> >> [Also posted to microsoft.dotnet.security]
> >>
> >>
> >>
>
>
>