A few months ago, I already encountered the problem and I knew you could bypass it by importing the certificate directly into the mobile device's registry. However, the procedures that I read all involved:
- flashing Windows Mobile 5 (or a WM6 version that was patched to accept any certificate),
- importing the certificate in that temporary ROM,
- exporting the relevant registry data,
- reflashing back to the ROM that has the certificate problem,
- importing the certificate through the registry file you obtained earlier in step 3.
The tricky part is that you need to create the proper registry file to import. This file looks like:
Windows Registry Editor Version 5.00
(Please disregard the unintentional wrapping of the registry location; everything between the square brackets should be on one line.)
The difficult part is converting your self-signed certificate to the proper registry format. Here's how I did that:
- On a regular PC, use Internet Explorer to go to a website with the certificate that you want to install on your mobile device (typically this will be Outlook Web Access or something). Open the certificate and install it on your local PC (let the certificate import wizard automatically place the certificate in whatever store it finds necessary).
- View the certificate (in Internet Explorer or by using the Certificate MMC) and go to the "Details" tab. There you will find the "Thumbprint" of the certificate. You will need to look up this number in a few moments, so be sure to remember the first few digits. In the case of the company I work for, the thumbprint is "824af72ab8somethingsomething".
- Open your registry editor and go to the following location:
There should be a registry key that has the thumbprint of your certificate as its name:
Right-click that registry key and click "Export...". Choose a location for the exported registry data.
- Next, open the registry export in Notepad. Replace the registry key location (between the square brackets) with HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root\Certificates\ followed by the thumbprint. Next, replace the first 12 bytes in the "Blob" registry value with: hex:19,00,00,00,01,00,00,00,10,00,00,00.
- Your result should look like this:
Windows Registry Editor Version 5.00
Compare this with the original registry export that I have shown above; the differences are shown in bold.
- Save the registry file, copy it to your mobile device and import it there. Voila! Finished!
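The Notepad edit from the steps above (new key location, new first 12 bytes of the "Blob" value) can also be scripted. This is an added example, not part of the original post; the sample export, its placeholder source key path and the 20-byte wrap width are assumptions.

```python
import re

# Target key and 12-byte Blob prefix exactly as given in the post.
WM_ROOT = r"HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root\Certificates"
WM_PREFIX = "19,00,00,00,01,00,00,00,10,00,00,00".split(",")
BLOB_RE = re.compile(r'^"Blob"=hex:([0-9A-Fa-f,]*)[ \t\r]*$', re.M)

def convert_reg(text: str) -> str:
    """Turn a desktop certificate export into the file to import on the device."""
    eol = "\r\n" if "\r\n" in text else "\n"
    # regedit wraps long hex values with a trailing backslash; undo that first.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    # The exported key must be named after the 40-hex-digit SHA-1 thumbprint.
    key = re.search(r"^\[(.+)\\[0-9A-Fa-f]{40}\][ \t\r]*$", joined, re.M)
    if not key:
        raise ValueError("no key named after a certificate thumbprint")
    blob = BLOB_RE.search(joined, key.end())
    if not blob:
        raise ValueError('no "Blob" hex value under the certificate key')
    data = blob.group(1).split(",")
    if len(data) <= 12 or any(len(b) != 2 for b in data):
        raise ValueError("Blob is too short or malformed")
    data[:12] = WM_PREFIX  # replace only the first 12 bytes
    # Re-wrap regedit style; 20 bytes per line is an arbitrary choice.
    rows = [",".join(data[i:i + 20]) for i in range(0, len(data), 20)]
    body = (",\\" + eol + "  ").join(rows)
    # Patch the Blob first (later in the file) so the key offsets stay valid.
    out = joined[:blob.start(1)] + body + joined[blob.end(1):]
    return out[:key.start(1)] + WM_ROOT + out[key.end(1):]

# Constructed sample export: the source key path, thumbprint and Blob bytes
# are placeholders, not values from the post.
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_PLACEHOLDER\\DesktopStore\\0123456789ABCDEF0123456789ABCDEF01234567]\r\n"
    '"Blob"=hex:aa,aa,aa,aa,aa,aa,aa,aa,aa,aa,aa,aa,de,ad,\\\r\n'
    "  be,ef\r\n"
)

if __name__ == "__main__":
    # A real regedit export is UTF-16: open(path, encoding="utf-16").read()
    print(convert_reg(SAMPLE))
```

Before importing the result, compare the thumbprint in the key name with the one shown on the certificate's "Details" tab, since whatever ends up under this key is treated as a trusted root.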
Note: you must restart the ActiveSync process on your device, because it will not immediately recognize the new certificate; you can either kill the ActiveSync process or restart your device (but first wait at least a few minutes so that Windows Mobile can commit your registry changes to memory!).
Obviously, this is completely not supported or endorsed by anybody on this planet. Perform these actions at your own risk and be sure you know what to do in case you brick your device!