Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-11-16

This topic describes how to save a digital root certificate for a certification authority (CA) to a file and then install the certificate on a Microsoft Windows Mobile-based device. After you install the certificate, you can use Microsoft Exchange ActiveSync to synchronize the mobile device with your Exchange mailbox.

You may have to install a digital root certificate on your mobile device if you require Exchange ActiveSync to use Secure Sockets Layer (SSL) and if you use a certificate that is not from a trusted commercial CA. For example, you must install a digital root certificate if you create your own certificates by using Windows Certificate Services.

If your Windows-based mobile device cannot follow the certificate chain up to the trusted root CA, you may receive an error message that resembles the following:

The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server.

Support Code: 80072f0d

Note:
In this error message, the support code may be 0x80072f0d.

For more information about an issue that is related to intermediate certificates, see Microsoft Knowledge Base article 927465, Error message when you try to synchronize a Windows Mobile-based device by using Exchange ActiveSync for Exchange 2003 or for Exchange 2007: "Synchronization failed".

This topic explains how to install a root certificate on a Windows Mobile-based device. For information about how to install a certificate on a mobile device that is not running Windows-based software, see the documentation for the device.

Note:
If you use an SSL certificate from a trusted commercial CA, you may not have to install the root certificate on your device. On most devices, root certificates from several trusted commercial CAs are preinstalled in the root store of the device. For a list of root certificates that are preinstalled on devices running Windows Mobile 6.0 and Windows Mobile 5.0, see Windows Mobile Device Center.

Intermediate CA certificates do not have to be installed on Windows Mobile-based devices. This is true whether the intermediate CA certificate is from a trusted commercial CA or from an untrusted CA. However, intermediate CA certificates must be installed on a Microsoft Exchange Server 2007 server that is running the Client Access server role.

Before You Begin

To perform these procedures on a Microsoft Exchange server, the account you use must be delegated local Administrator permissions.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

To perform the following procedures on a Windows Mobile-based device, you may need an Exchange ActiveSync connection between the device and a desktop or portable computer. For Windows XP-based computers, use desktop ActiveSync to create this connection. For Windows Vista-based computers, use Windows Mobile Device Center. You must be able to copy the certificate file to the device before you install the certificate. You can copy the certificate to the device by using desktop ActiveSync or Windows Mobile Device Center. Alternatively, you can copy the certificate to a storage card and then access the storage card from the mobile device.

Procedure

To obtain the root certificate from Windows Certificate Services

  1. On a computer that is joined to the domain, start Internet Explorer, and then visit the Certificate Services administration Web site.

    Note:
    This method only works if the Certificate Services Web Enrollment Support option was installed when Certificate Services was installed. If the Certificate Services Web Enrollment Support feature is not installed, you must obtain a copy of the root certificate by exporting it from the Trusted Root Certificate Authorities (Local Computer) store. To do this, use the Certificates Microsoft Management Console (MMC) snap-in.

  2. On the Welcome page, click the Download a CA certificate, certificate chain or CRL link, and then click the Download CA certificate link.

  3. Save the certnew.cer file to a location on the computer, and then rename the file to have a descriptive name, such as root.cer.

  4. Use a file transfer mechanism, such as e-mail or an FTP site, to distribute the .cer file to the appropriate remote users.
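The following is an added example, not part of the original topic or of Microsoft's code: a scripted form of the export from the Local Computer root store, plus a thumbprint check that a recipient can run on the .cer file received by e-mail or FTP before installing it. The function names, subject, paths, and thumbprint value are hypothetical placeholders; the .NET classes used are the standard `System.Security.Cryptography.X509Certificates` types.

```powershell
# Added example. Function names and all argument values are placeholders
# chosen for illustration, not values from this topic.

function Export-RootCertificate {
    # $OutFile must be a full path; .NET file APIs ignore the shell's current location.
    param([string]$Subject, [string]$OutFile)

    # Open the Trusted Root store of the local computer read-only.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $found = @($store.Certificates | Where-Object { $_.Subject -eq $Subject })
    $store.Close()

    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate with subject '$Subject', found $($found.Count)."
    }
    $cert = $found[0]

    # A root CA certificate is self-signed: subject and issuer are identical.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Certificate '$Subject' is not self-signed, so it is not a root certificate."
    }

    # X509ContentType.Cert exports the public certificate only (DER), never a private key.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)

    # Publish this value through a separate channel from the file itself.
    return $cert.Thumbprint
}

function Test-RootCertificateFile {
    # $Path must be a full path to the received .cer file (DER or Base64 encoded).
    param([string]$Path, [string]$ExpectedThumbprint)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Thumbprints copied from a certificate dialog often contain spaces; strip them.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    return ($cert.Thumbprint -eq $expected)
}

# Administrator (placeholder subject and path):
#   Export-RootCertificate -Subject 'CN=Example Root CA' -OutFile 'C:\Temp\root.cer'
# Recipient, before copying the file to the device (placeholder thumbprint):
#   Test-RootCertificateFile -Path 'C:\Temp\root.cer' -ExpectedThumbprint '<thumbprint from administrator>'
```

Because the device gives no confirmation when a certificate is installed, comparing the thumbprint on the desktop computer first is the point at which a substituted or altered file can be caught.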

After you distribute the certificate file to the appropriate users, the certificate must be installed on the devices. Choose the procedure that matches the operating system of the device.

To use Exchange ActiveSync or Windows Mobile Device Center to install a certificate on a Windows Mobile Professional-based device or on a Pocket PC device

  1. With the device connected to the computer, open My Computer.

  2. Double-click Mobile Device to view the folders on the device.

  3. Drag the .cer file from the previous procedure to a folder on the device.

  4. On the device, click Start, and then click File Explorer.

  5. Open the folder that contains the .cer file, and then open the .cer file.

  6. When you are prompted to install the certificate, click Yes.

Important:
When you install the certificate, you do not receive any notification about whether the certificate was installed successfully.

To use Exchange ActiveSync or Windows Mobile Device Center to install a certificate on a Windows Mobile Standard-based device or on a SmartPhone device

  1. With the device connected to the computer, click Explore Smartphone on the Tools menu.

  2. Drag the .cer file from the first procedure to a folder on the device.

  3. On the device, click Start, and then click File Explorer.

  4. Open the folder that contains the .cer file, and then open the .cer file.

  5. When you are prompted to install the certificate, click Yes.

Note:
You do not have to use Exchange ActiveSync or Windows Mobile Device Center to install a certificate on a Windows Mobile 6.0-based device. Instead, you can copy the certificate file to a storage card and then install the certificate directly from the storage card.

For More Information

For more information about Windows Mobile devices, see Windows Mobile Device Center.