.NET Framework - How do I install a SSL Certificate on a WinCE 5.0 Device?

Asked By Greg Hellem on 10-Apr-08 03:21 PM
Please excuse me if this has been covered previously, but I've searched for
the past two days and can only find references to installing certificates
(for https communications) to PocketPC, Windows Mobile 5/6, and SmartPhones
but nothing about how to install a cert under WinCE5. Our host server uses a
SSL Cert issued by VeriSign. I've copied the cert info to my desktop and
created a _setup.xml as outlined in several posts/blogs but I can't figure
out how to wrap that xml into a Visual Studio 2005 - SmartDevice CAB File...
I've successfully copied the .cer file to the WinCE device (Symbol/Motorola
MC3000 series), executed the Certificates applet in the Control Panel,
accepted the prompt to add it to the store, and the import worked perfectly.
But, is there a way for me to call CertManage.exe with some type of /silent
switch so I can programmatically import the cert without user intervention?
Or, is there a way for the VS2005 CAB to install the cert when it gets
expanded/installed? Oh, and this version of WinCE 5.0 doesn't contain any
VeriSign certs in the OEM Build.

I am investigating how to properly implement these types of certificates
because this device is apparently using 40 or 56-bit encryption when
communicating to our SSL Servers and I'm trying to increase the encryption
level to 128-bit. Our IT Dept increased the security levels on our servers
to 128-bit and all of a sudden my .NET 2.0 CF apps were unable to
communicate with the servers until they lowered it back down to 40 or 56-bit
(something like that).

And I do believe another side-effect of these "low-bit" encryption
communications (or improperly accepting all cert discrepancies using the
CheckValidationResult method in the LocalCertificatePolicy) are the fact the
all of my SOAP Requests greater than or equal to 34K become corrupt towards
the end of the file, but ONLY when communicating to our SSL Servers. So I
know I'm doing something wrong in regards to supporting 128-bit

I appreciate any and all responses,
Thank you!
[Also posted to microsoft.dotnet.security]

srharton replied on 10-Apr-08 04:08 PM
You need to use the makecab.exe command-line tool, ie:

makecab _setup.xml myCab.cab.

Simply running this cab on the device should install it. I take it your XML
contains the wap-provsioningdoc schema that contains your cert encoded in
base64 x.509?

Alternativly you could provision your device using the DMProcessConfigXML
Simon Hart
Visual Developer - Device Application Development MVP
Greg Hellem replied on 10-Apr-08 04:28 PM
Using makecab from the DOS Command Line, with Windows XP Professional,
creates a cab file, but when I attempt to run/unpack it from the mobile
device I get this error: The file "\Application\CertTest\rootcert.cab" is
not a valid Windows CE Setup file.
And yes, the cert was exported as base64 x.509.
My _setup.xml consists of the following:
... Blob removed...

So any ideas on how I can wrap this in a VS2005 WinCE Setup cab and get it
to install, or anything else I can try?
srharton replied on 12-Apr-08 11:07 AM

I posted a reply to the wrong thread! long day...See (Restart Application

You have to use CABWIZ.exe for Windows CE devices which itself calls
Simon Hart
Visual Developer - Device Application Development MVP
Greg Hellem replied on 25-Apr-08 12:44 AM
Mr. Hart,
Thank you very much for the heads-up on the Windows CE SDK itself... That
package contained the information and resources I was searching for!!! Hell,
they even have examples of specific types of "_setup.xml" configurations for
all types of security issues... Again, thanks for pointing in that
direction; but I can't believe my search efforts didn't reveal anything
related to the Windows CE SDK, I guess my "Regular Expressions" need some
work so I can refine my search criteria!!!

However, I do have a few more questions for you... If you don't mind?
When running cabwiz.exe (WinCE 5.0 SDK), how do I determine if my
apparently is what cabwiz.exe creates inside of the new cab file!?? So,
should my SSL Certificate-Import XML file" (_setup.xml) for the SSL Cert
being used by our servers be "prepend/appended to _setup.xml"? The
command-line for cabwiz.exe offers the /prexml or /postxml options when
creating a cab file - do I need to use them or do I somehow indicate, within
the .inf file, that my "_setup.xml" file is input for the cab build?

I guess I'm just not sure on how to create the .inf file for cabwiz and then
go about the task of indicating that, "Oh, by the way, would you mind
running this snippet of xml contained in my '_setup.xml' file so the
appropriate SSL Cert Info is recorded properly?"

I really hope I'm not confusing you, as well as possibly myself, but I could
certainly use some clarification on how to package the example '_setup.xml'
blogs/posts that I've seen for PocketPC and Windows Mobile 5/6 into the
WinCE 5.0 Cab File I require for my Symbol/Motorola MC3000 Series WinCE 5.0
Mobile Device...

Thank you again for your, and anyone else's, input,
Greg Hellem