Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

It is possible to save a digital certificate to a file and install a digital certificate on a Windows Mobile phone. Microsoft Exchange ActiveSync enables a variety of mobile phones to synchronize with an Exchange mailbox. A digital certificate might need to be installed on a user's mobile phone if Exchange ActiveSync is required to use Secure Sockets Layer (SSL) and your organization uses a certificate that isn't from a trusted commercial certification authority (CA).

Instructions for installing a certificate on a Windows Mobile phone are included here. For more information about how to install a certificate on a phone that isn't running Windows Mobile software, see the documentation for the specific phone.

Note:
If your organization uses an SSL certificate from a trusted commercial CA, your users might not have to install the certificate on their phone. Most phones have certificates from several trusted commercial CAs preinstalled in the root store of the phone. For a list of certificates that are preinstalled on Windows Mobile 6.0 and Windows Mobile 5.0 phones, see the Windows Mobile Center Web site.

Looking for other management tasks related to Exchange ActiveSync? Check out Managing Exchange ActiveSync Devices.

Prerequisites

To perform the following procedures on a Windows Mobile phone, your users may need an ActiveSync connection between the phone and a desktop or portable computer. For Windows XP, use desktop ActiveSync to form this connection. For Windows Vista computers, use the Windows Mobile Center Web site. Your users must be able to copy the certificate file to the phone before they install the certificate. They can copy the certificate to the phone by using desktop ActiveSync or the Windows Mobile Center web site. Alternatively, your users can copy the certificate to a storage card and access the storage card from the mobile phone.

Use Internet Information Services Manager to save a certificate to a file

  1. Right-click the Default Web Site or the Microsoft-Server-ActiveSync virtual directory, and then click Properties.

  2. Click the Directory Security tab.

  3. Under Secure Communications, click View Certificate.

  4. In the Certificate dialog box, click the Details tab.

  5. Click Copy to File.

  6. In the Certificate Export Wizard, click Next.

  7. Select No, do not export the private key, and then click Next.

  8. Select DER encoded binary X.509 (.CER), and then click Next.

  9. Type a file name, click Next, and then click Finish.

After your users have saved their certificate to a file, they can install it on their phone. The procedure for installing the certificate on a phone will vary depending on the operating system of the phone. Choose the procedure that matches the operating system of the phone.

Use ActiveSync to install a certificate on a Windows Mobile 5.0 phone

  1. With your user's phone connected to their computer, click Tools, and then click Explore Smartphone.

  2. Drag the .cer file that was created in the previous procedure into a folder on the phone.

  3. On the phone, click Start, and then click File Explorer.

  4. Locate the folder that you selected in step 2.

  5. Open the .cer file and, when you're prompted, select Yes.

Many Windows Mobile 5.0 phones implement a security policy that prevents the installation of certificate files directly from a .cer file. If the previous procedure fails, use the following procedure.

Use the SmartPhoneAddCert tool to install root certificates on a Windows Mobile 5.0 phone

  1. Download the SmartPhoneAddcert.exe tool.

    Note:
    Some mobile service providers provide a signed version of this tool. If a signed version is available for the phone, download the signed version from the mobile service provider.
  2. Run SmartPhoneAddCert.exe and extract the contents to a folder on your user's computer.

  3. Copy SmartPhoneAddCert.exe to your user's phone through desktop ActiveSync or the Windows Mobile Center Web site.

  4. On your user's phone, create a folder named Storage.

  5. Copy the .cer file to the Storage folder on your user's phone.

  6. Run SmartPhoneAddCdert.exe. Select the .cer file that you copied to the Storage folder and install the root certificate.

Note:
If you create a .cab file that includes the .cer file, you can also copy this .cab file to your user's phone and run the .cab file to install the certificate.

Use ActiveSync or the Windows Mobile Center Web site to install a certificate on a Windows Mobile 6.0 phone

  1. With your user's phone connected to their computer, click Tools, and then click Explore Smartphone.

  2. Drag the .cer file that was created in the previous procedure into a folder on the phone.

  3. On the phone, click Start, and then click File Explorer.

  4. Locate the folder that you selected in step 2.

  5. Open the .cer file and, when you are prompted, select Yes.

    Note:
    You don't have to use ActiveSync or the Windows Mobile Center Web site to install the certificate on a Windows Mobile 6.0 phone. The certificate file can be copied to a storage card and installed directly from the storage card.