Friday, August 8, 2008

WM6 and self-signed certificates

When playing around with a new (unofficial) WM6.1 ROM for my Mio A701, I bumped into a well-known problem with installing self-signed certificates on (homebrew?) WM6 ROMs: installing a new CA certificate fails with the error message "The certificate was not successfully added; please restart your device and try again". Obviously, restarting the device did not fix the problem.

A few months ago, I already encountered the problem and I knew you could bypass it by importing the certificate directly into the mobile device's registry. However, the procedures that I read all involved:
  1. flashing Windows Mobile 5 (or a WM6 version that was patched to accept any certificate),
  2. importing the certificate in that temporary ROM,
  3. exporting the relevant registry data,
  4. reflashing back to the ROM that has the certificate problem,
  5. importing the certificate through the registry file you obtained earlier in step 3.
As you can imagine, this is quite a lot of work, and since I am a lazy person by nature, I did not want to go back to WM5 after just having flashed my Mio to a brand-new and shiny WM6. Therefore, I decided to develop a shorter workaround that doesn't involve reflashing.

The tricky part is that you need to create the proper registry file to import. This file looks like:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root\Certificates\824AF72AB87E17AC777098A4164D7A90C90C0D69]
"Blob"=hex:19,00,00,00,01,00,00,00,10,00,00,00,4f,e5,c4,01,4e,7d,89,4a,da,42,\
3f,f7,24,0f,7f,a2,19,00,00,00,01,00,00,00,10,00,00,00,cb,bc,40,37,8a,45,2c,\
...
(please disregard any unintentional wrapping of the registry location; everything between the square brackets should be on one line).

The difficult part is converting your self-signed certificate to the proper registry format. Here's how I did that:
  • On a regular PC, use Internet Explorer to go to a website with the certificate that you want to install on your mobile device (typically this will be Outlook Web Access or something). Open the certificate and install it on your local PC (let the certificate import wizard automatically place the certificate in whatever store it finds necessary).

  • View the certificate (in Internet Explorer or by using the Certificates MMC snap-in) and go to the "Details" tab. There you will find the certificate's "Thumbprint" (listed next to the "Thumbprint algorithm" field). You will need to look up this number in a few moments, so be sure to remember the first few digits. For the company I work for, the thumbprint is "824af72ab8somethingsomething".

  • Open your registry editor and go to the following location:

    HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\

    There should be a registry key that has the thumbprint of your certificate as its name.

    Right-click that registry key and click "Export...". Choose a location for the exported registry data.

  • Next, open the registry export in Notepad. Replace the registry key location (between the square brackets) with HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root\Certificates\ followed by the thumbprint. Then replace the first 12 bytes of the "Blob" registry value with: hex:19,00,00,00,01,00,00,00,10,00,00,00.

  • Your result should look like this:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root\Certificates\824AF72AB87E17AC777098A4164D7A90C90C0D69]
    "Blob"=hex:19,00,00,00,01,00,00,00,10,00,00,00,4f,e5,c4,01,4e,7d,89,4a,da,42,\
    3f,f7,24,0f,7f,a2,19,00,00,00,01,00,00,00,10,00,00,00,cb,bc,40,37,8a,45,2c,\
    ...
    Compare this with the registry export you obtained from your PC: the only differences are the key location between the square brackets and the first 12 bytes of the "Blob" value.

  • Save the registry file, copy it to your mobile device and import it there. Voila! Finished!
You can use the "Certificates" control panel to verify that your certificate is properly recognized!
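The conversion steps above, written out as a small script. This is an added example and not code from the original post: it reads the regedit export, checks that the key name starts with the thumbprint digits you noted from the certificate's "Details" tab, rewrites the key location to the HKEY_LOCAL_MACHINE\Comm\... path and replaces the first 12 bytes of the "Blob" value. The export embedded in it is constructed (the Blob bytes are made up and truncated), and the function names are my own. The thumbprint check matters: the key name is the SHA-1 thumbprint of the certificate, so comparing it with what the certificate viewer shows is how you confirm you exported the right key and are about to trust the right certificate on the device.

```python
import re

# Constructed sample of a PC-side export (regedit "Version 5.00" format) of one
# certificate key under HKEY_CURRENT_USER, as the Export step produces it.
# The Blob bytes are made up and truncated: a real export runs to several
# hundred bytes and ends with the DER-encoded certificate itself. The
# thumbprint is the one quoted in the post.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\824AF72AB87E17AC777098A4164D7A90C90C0D69]
"Blob"=hex:aa,bb,cc,dd,ee,ff,00,11,22,33,44,55,4f,e5,c4,01,4e,7d,89,4a,da,42,\
  3f,f7,24,0f,7f,a2,19,00,00,00,01,00,00,00,10,00,00,00,cb,bc,40,37,8a,45,2c
"""

PC_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates"
WM_ROOT = r"HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Root\Certificates"

# The 12 bytes the post says must replace the start of the Blob value.
WM_BLOB_HEADER = bytes.fromhex("190000000100000010000000")


def parse_export(text, expected_root=PC_ROOT):
    """Return (thumbprint, blob) from a one-key regedit export.

    Rejects the file early if the key is not under expected_root or its
    name is not a 40-hex-digit SHA-1 thumbprint (i.e. the wrong key was exported).
    """
    m = re.search(r"^\[(.+)\]\s*$", text, re.M)
    if not m:
        raise ValueError("no registry key header found")
    parent, _, thumbprint = m.group(1).rpartition("\\")
    if parent.lower() != expected_root.lower():
        raise ValueError("key is not under " + expected_root)
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", thumbprint):
        raise ValueError("key name is not a SHA-1 thumbprint: " + thumbprint)
    # regedit wraps long values with a trailing backslash; join those lines.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    v = re.search(r'^"Blob"=hex:([0-9a-fA-F,]+)\s*$', joined, re.M)
    if not v:
        raise ValueError('no "Blob"=hex: value found')
    blob = bytes.fromhex(v.group(1).replace(",", ""))
    return thumbprint.upper(), blob


def thumbprint_matches(thumbprint, prefix):
    """True if the key name starts with the digits read from the Details tab."""
    return thumbprint.upper().startswith(prefix.upper())


def convert_blob(blob):
    """Swap the first 12 bytes for the WM6 header; everything after is kept verbatim."""
    if len(blob) < 12:
        raise ValueError("Blob is too short to carry a 12-byte header")
    return WM_BLOB_HEADER + blob[12:]


def format_hex_value(name, data, per_line=25):
    """Render a binary value in regedit's hex:aa,bb,... style, wrapped with
    backslash continuation lines the way regedit writes them."""
    hexes = [f"{b:02x}" for b in data]
    chunks = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    return f'"{name}"=hex:' + ",\\\n  ".join(chunks)


def convert_export(text, expected_prefix):
    """Build the WM6 import file from the PC export.

    expected_prefix is the first few thumbprint digits noted from the
    certificate's Details tab; it guards against exporting a neighbouring key.
    """
    thumbprint, blob = parse_export(text)
    if not thumbprint_matches(thumbprint, expected_prefix):
        raise ValueError(f"exported key {thumbprint} does not match {expected_prefix}")
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{WM_ROOT}\\{thumbprint}]",
        format_hex_value("Blob", convert_blob(blob)),
        "",
    ])


if __name__ == "__main__":
    print(convert_export(SAMPLE_EXPORT, expected_prefix="824af72ab8"))
```

The script returns plain text with LF line endings; regedit itself writes "Version 5.00" exports as UTF-16LE with CRLF, and which encoding the registry editor on the device accepts is not something the post states, so pick the encoding when you write the result to a file.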

Note: ActiveSync will not immediately recognize the new certificate, so you must either kill the ActiveSync process on your device or restart the device (but first wait at least a few minutes so that Windows Mobile can commit your registry changes to memory!).

Obviously, this is completely not supported or endorsed by anybody on this planet. Perform these actions at your own risk and be sure you know what to do in case you brick your device!

6 comments:

Anonymous said...

Thanks for the info... how the hell did you work that out!
I need to do this but can't see how to run regedit on my WM6 device. Do I need something special to do this?
Cheers,
Tim

Tim Jacobs said...

Hi Tim,

You need to install a registry editor on WM6 before you can import the .reg files. I use the trial version of Resco Registry Editor (a plugin for the Resco File Explorer). Check out:

http://www.resco.net/pocketpc/explorer/

gary said...

I did everything to the tee on an HTC P3450, but still cannot connect to my exchange server !!!

Tim Jacobs said...

Hi Gary,

Do you see your certificate in the "Certificates" configuration of your device? Also, after adding the reg file to your device, wait a few minutes before rebooting -- it takes a while to flush changes to the device.

Niffum said...

I accidentally found this thread, totally unrelated to what I was looking for, but I think what I have found out may be useful information for installing certificates.

Long story short, every ROM I have installed so far would not install certificates properly; I got this error:
"The certificate root was not successfully added. Please restart the device and try again"

The solution was a lot easier than I assumed, just create a directory:
\windows\system\CertDtls
and then I could open the certificate and it would install and then tell me that it had installed the certificate.

Just for reference, the company I work for uses a certificate (which we paid for) which is based on a root certificate which for some reason was not installed on the device by default. It was an Equifax root certificate; I downloaded the root certificate from the Equifax website (search Google for something like "equifax root certificate download").

Just for reference, I am running Sanjay's ROM, SL61V3, on an HP hx4700 and I'm quite impressed with the stability so far. It's like a new PDA and in my case it's the most stable ROM I have installed.

Tim said...

Niffum > Brilliant, thanks. This was too easy. Adding the .cer file to the folder you said to create works perfectly. Less fussing around, everyone can sync securely now. Thanks