This section applies to mobile devices on which a self-signed certificate must be installed. If your organization uses a public certification authority (CA), the root certificate may already be installed on your mobile device; in that case this section is not needed. Before installing certificates, verify that Communicator Mobile is not running. If it is running during the installation, you might have to restart the device before it can use the new certificates.

Role of Certificates

Certificates help keep your network secure by letting Office Communicator Mobile authenticate the Office Communications Server 2007 R2 to which it connects. To perform that authentication, Office Communicator Mobile requires that the root CA certificate that anchors the server certificate's chain is installed on the device. If your organization uses a public certificate authority, the root certificate may already be installed on your users' mobile devices.

By default, Windows Mobile-powered devices ship with a variety of certificates. For a list of the certificates currently shipping with Windows Mobile 6 powered devices, see "Certificates for Windows Mobile 5.0 and Windows Mobile 6" at http://go.microsoft.com/fwlink/?LinkId=126909. Before proceeding, confirm whether the root certificate that anchors the server certificate's chain is already installed on your mobile device.

Certificate Tools

The following sections introduce the tools and policies that are used to install root certificates on Windows Mobile powered devices and describe the installation procedures. Familiarize yourself with these tools and policies before you install certificates.

SPAddCert

With the SPAddCert utility, you can add root certificates to Windows Mobile-based devices that have the Unrestricted Application Security policy. SPAddCert cannot install intermediate CA certificates.

If a device has been restricted by the mobile operator, you will receive the following error message when you try to run SPAddCert: "This device is currently secured such that certificates cannot be added to the root store. For support please contact your device administrator."

You can run SPAddCert on restricted devices only if the version of SPAddCert that you are using is signed and distributed by the mobile operator. For details or to download the SPAddCert utility, see Microsoft Knowledge Base article 841060, "How to add root certificates to Windows Mobile 2003 Smartphone and to Windows Mobile 2002 Smartphone," at http://go.microsoft.com/fwlink/?LinkId=126908.

SPAddCert Notes

  • For unsigned applications such as SPAddCert to run on the device, the Unsigned Applications Policy (4102) on the device must be set to 1. The default value is 0. If the policy is not configured correctly, SPAddCert fails.

  • You can change this policy setting by manually editing the registry. Doing so also allows any other unsigned application to run, which is a security risk; restore the default value once the certificate is installed.

  • To modify this policy setting in the registry, open the registry key HKEY_LOCAL_MACHINE\Security\Policies\Policies. Under the value named 00001006 (hexadecimal for 4102), set the data to 1. Create the DWORD value if it does not already exist.

Certinst and Grant Manager Policy

Certinst is a built-in utility on Pocket PC devices that installs certificates when you select them. Certinst can install root certificates or intermediate CA certificates. The Grant Manager policy is a security policy on Windows Mobile-based devices that specifies the level of access you have to resources on the device, for example during the installation of a new application or a certificate. Your account must hold the Manager role on a Pocket PC for the device to install a certificate with the built-in Certinst utility. Your account holds the Manager role when the value of the Grant Manager policy is set to USER_AUTH (16).

Certinst and Grant Manager Notes

  • For Certinst to run correctly, the Grant Manager policy (4119) on the device must be set to 16, which identifies the USER_AUTH role. By default, the policy is set to 128 (the OPERATOR_TPS role). If the policy is not configured correctly, Certinst fails.

    You can add the USER_AUTH role by manually editing the registry or a device provisioning file. By doing this, however, you elevate the USER_AUTH security role to system administrative privileges, which is a security risk.

    To modify this policy setting in the registry, open the registry key HKEY_LOCAL_MACHINE\Security\Policies\Policies. Under the value named 00001017 (hexadecimal for 4119), set the data to 16.

  • If your device does not have a built-in registry editor that you can use to modify the Grant Manager policy, you can use one of the free registry editors available on the Web. Obtain it from a source you trust, because it will run with the rights needed to change the device's security policy.
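The two policy changes above (4102 for SPAddCert, 4119 for Certinst) and the root certificate itself can be delivered in one device provisioning file instead of by hand-editing the registry. The following PowerShell script is an added example, not code from the original page or from Office Communicator Mobile. It reads a root CA .cer file on the administrator's workstation, refuses anything that is not self-issued, computes the SHA-1 thumbprint so you can check it against the certificates already on the device, and writes a wap-provisioningdoc. The file paths are placeholders, the list of thumbprints already on the device is constructed, and the XML shape of the SecurityPolicy and CertificateStore configuration service providers is assumed from the Windows Mobile provisioning documentation rather than taken from this page.

```powershell
<#
  Added example, not part of the original page or of Office Communicator Mobile.
  Builds a Windows Mobile provisioning document (wap-provisioningdoc) that sets the
  two security policies discussed above and places a root CA certificate in the
  device ROOT store, as an alternative to editing the registry by hand.
  Assumptions: the SecurityPolicy and CertificateStore configuration service
  providers accept the XML shape below; the .cer path and output path are placeholders.
#>
param(
    [string]$RootCerPath = '.\corp-root-ca.cer',   # placeholder: DER or Base64 .cer of the root CA
    [string]$OutPath     = '.\_setup.xml',         # placeholder output name
    [switch]$EnableUnsignedApps,                   # policy 4102 = 1 (needed for SPAddCert)
    [switch]$GrantUserAuthManager                  # policy 4119 = 16 (needed for Certinst)
)

# The registry value under HKEY_LOCAL_MACHINE\Security\Policies\Policies is the
# decimal policy ID written as an 8-digit hexadecimal name (4102 -> 00001006, 4119 -> 00001017).
function Get-PolicyRegistryName([int]$PolicyId) {
    '{0:X8}' -f $PolicyId
}

# Load the certificate and derive what the CertificateStore CSP needs: the SHA-1
# thumbprint (used as the characteristic name) and the Base64-encoded DER bytes.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $RootCerPath).Path
if ($cert.Subject -ne $cert.Issuer) {
    # A root CA certificate is self-issued; an intermediate belongs in a different store and needs Certinst.
    throw "$RootCerPath is not self-issued (Subject differs from Issuer); this script provisions root CA certificates only."
}
$thumbprint = $cert.Thumbprint
$encoded    = [Convert]::ToBase64String($cert.RawData)

# Constructed stand-in for the thumbprints already in the device ROOT store
# (on the device, see Settings > Certificates). Skip the install if the root is present.
$alreadyOnDevice = @()   # constructed: fill from the device's certificate list
if ($alreadyOnDevice -contains $thumbprint) {
    Write-Host "Root $thumbprint is already in the device store; nothing to provision."
    return
}

# Only emit the policy changes that were requested; each one widens what the device allows.
$parms = @()
if ($EnableUnsignedApps)   { $parms += '    <parm name="4102" value="1" />' }
if ($GrantUserAuthManager) { $parms += '    <parm name="4119" value="16" />' }
$policyBlock = ''
if ($parms.Count -gt 0) {
    $policyBlock = "  <characteristic type=`"SecurityPolicy`">`n" + ($parms -join "`n") + "`n  </characteristic>`n"
}

$xml = @"
<wap-provisioningdoc>
$policyBlock  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="$thumbprint">
        <parm name="EncodedCertificate" value="$encoded" />
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
"@

Set-Content -Path $OutPath -Value $xml -Encoding UTF8
Write-Host "Wrote $OutPath for root $thumbprint ($($cert.Subject))."
foreach ($id in 4102, 4119) {
    Write-Host ("Registry value for policy {0}: {1}" -f $id, (Get-PolicyRegistryName $id))
}
```

Save the script under any name and run it with only the switch you need, for example with -GrantUserAuthManager when the device will use Certinst. The resulting document is delivered to the device the same way any other provisioning XML is (for instance as _setup.xml inside a CAB, or pushed from a desktop with the RapiConfig tool from the Windows Mobile SDK; both are assumptions about your delivery path, not something this page prescribes). The device applies it only if it arrives under a role that is allowed to change these settings, which is the same constraint the SPAddCert and Certinst notes above describe, and the policy changes carry the same risk those notes describe, so leave the switches off when the certificate can be installed without them.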