What are the Certificate Stores?
What are the different Certificate stores on Windows Mobile?
ROOT
This store contains root certificates. They are primarily used for SSL chain validation (for example, for Exchange ActiveSync sync connections). This store can be inspected via the Certificates Control Panel page. This store has NOTHING to do with code execution.
MY
This store contains the user's client certs. They typically have associated private keys, and are used for client authentication to web sites, the Exchange server, S/MIME, etc. This store can also be inspected via the Control Panel.
CA
This store contains intermediate certs for chaining. It's not currently exposed via UI, and no certificates ship in it by default.
The following are the code execution certificate stores:
Privileged Execution Trust Authorities and Unprivileged Execution Trust Authorities
These certificate stores are used by the security loader to control code execution. If an executable can be chained up to a cert in either of these stores, it is considered "signed" by the security loader and is assigned a trust level depending on the device security policies. If a binary is Authenticode signed but cannot be chained up to a certificate in these stores, it is considered unsigned by the security loader (and, depending on policy, the user will likely be prompted to say so).
SPC
This store governs cab installation. The cab installer tries to chain the signature on a cab up to a certificate in this store, following similar rules as described above for other binaries. Every code execution certificate in the two stores above should also be present in this store. For instance, if the device has the Mobile2Market (M2M) certificates, they will also be in this store for application installation. Certificates in the SPC store carry an additional property which tells the cab installer what privilege level to use when installing the application.
The biggest area of confusion I have seen here is regarding the ROOT store - it is absolutely not a code signing store.
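The store lookup described above, as an added example that is not part of the original post: a small Python model in which certificates are constructed stand-ins (subject and issuer names only, no signature verification), the `Device` class and its store layout are this example's own, and the M2M-style subject names are made up. It walks a signing cert's issuer chain through whatever is embedded in the signature or present on the device, then applies the rules above: only the Privileged/Unprivileged Execution Trust Authorities stores make an executable "signed" (one-tier devices run any signed app privileged, two-tier devices pick the level by store), only SPC matters to the CAB installer, and a chain that terminates in ROOT alone leaves the binary unsigned.

```python
"""Model of how the Windows Mobile security loader and CAB installer
consult the certificate stores described in the post.

Added example, not code from the original post.  Certificates are
constructed stand-ins (subject/issuer names only); no signatures are
verified.  Store names follow the post; the Device class, its methods
and the sample subjects are this example's own.
"""
from dataclasses import dataclass, field
from typing import Optional

# PETA/UETA = (Un)Privileged Execution Trust Authorities
STORES = ("ROOT", "CA", "PETA", "UETA", "SPC")


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class Device:
    stores: dict = field(default_factory=lambda: {s: {} for s in STORES})
    spc_level: dict = field(default_factory=dict)  # SPC's extra property: install privilege
    two_tier: bool = True  # Smartphone default; Pocket PC is one-tier

    def add(self, store: str, cert: Cert, level: str = "normal") -> None:
        self.stores[store][cert.subject] = cert
        if store == "SPC":
            self.spc_level[cert.subject] = level

    def find(self, subject: str) -> Optional[Cert]:
        """Any store may supply an issuer cert for chain building."""
        for store in self.stores.values():
            if subject in store:
                return store[subject]
        return None


def build_chain(signer: Cert, embedded: list, device: Device) -> list:
    """Subjects from the signing cert upward, until a self-signed cert or an
    issuer that is neither embedded in the signature nor on the device."""
    chain, seen, cur = [signer.subject], {signer.subject}, signer
    embedded_by_subject = {c.subject: c for c in embedded}
    while not cur.self_signed:
        nxt = embedded_by_subject.get(cur.issuer) or device.find(cur.issuer)
        if nxt is None or nxt.subject in seen:  # gap in the chain, or a loop
            break
        chain.append(nxt.subject)
        seen.add(nxt.subject)
        cur = nxt
    return chain


def executable_trust(signer: Cert, embedded: list, device: Device) -> str:
    """Security-loader view: 'privileged', 'normal' or 'unsigned'.
    Only PETA/UETA count; a chain that ends in ROOT is still 'unsigned'."""
    chain = build_chain(signer, embedded, device)
    if any(s in device.stores["PETA"] for s in chain):
        return "privileged"
    if any(s in device.stores["UETA"] for s in chain):
        return "normal" if device.two_tier else "privileged"
    return "unsigned"


def cab_install_level(signer: Cert, embedded: list, device: Device) -> Optional[str]:
    """CAB-installer view: the SPC entry's level, or None for an unsigned CAB."""
    for subject in build_chain(signer, embedded, device):
        if subject in device.stores["SPC"]:
            return device.spc_level[subject] if device.two_tier else "privileged"
    return None


# Constructed sample: two M2M-style intermediates sit in PETA/UETA and SPC,
# and a public SSL root sits in ROOT only.
MOBILE_ROOT = Cert("CN=Mobile Code Root", "CN=Mobile Code Root")
M2M_PRIV = Cert("CN=M2M Privileged", "CN=Mobile Code Root")
M2M_UNPRIV = Cert("CN=M2M Unprivileged", "CN=Mobile Code Root")
WEB_ROOT = Cert("CN=Public Web Root", "CN=Public Web Root")

PRIV_APP = Cert("CN=Contoso Mail", "CN=M2M Privileged")
UNPRIV_APP = Cert("CN=Fabrikam Game", "CN=M2M Unprivileged")
WEB_SIGNED_APP = Cert("CN=Woodgrove Tool", "CN=Public Web Root")  # Authenticode-signed, chains only to ROOT


def sample_device(two_tier: bool = True) -> Device:
    d = Device(two_tier=two_tier)
    d.add("ROOT", WEB_ROOT)
    d.add("PETA", M2M_PRIV)
    d.add("UETA", M2M_UNPRIV)
    d.add("SPC", M2M_PRIV, "privileged")
    d.add("SPC", M2M_UNPRIV, "normal")
    return d


if __name__ == "__main__":
    for tier in (True, False):
        dev = sample_device(two_tier=tier)
        print("two-tier" if tier else "one-tier")
        for app in (PRIV_APP, UNPRIV_APP, WEB_SIGNED_APP):
            print(f"  {app.subject}: run as {executable_trust(app, [], dev)}, "
                  f"cab install {cab_install_level(app, [], dev)}")
```

The `embedded` list models intermediates carried inside the signature itself: a device whose PETA holds only an OEM root will treat an app signed by an intermediate under that root as unsigned unless the intermediate is embedded or installed in some store, which is the chain-building gap to look for when a "signed" binary still prompts.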
Scott
Comments
Anonymous
May 03, 2006
One thing I'd like to know is if there is a way to get an unsigned CAB to have the publisher name associated with it. Right now the unsigned CABs say "unknown publisher" and at least I'd like to have our company name associated with it.
Anonymous
May 04, 2006
jwhang: The difference between those two stores is that on a two-tier device (smartphone default), the application will run at a different trust level based on which store it chains to. For PPC there is not really a difference - any signed app will run with the maximum privilege level. More info here: http://blogs.msdn.com/windowsmobile/archive/2005/11/09/491160.aspx
Anonymous
May 04, 2006
mattc:
Yes, but it's more difficult than I'd like it to be.
To do it via XML, there is documentation and samples here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/DevGuideSP/html/sp_wce51oricertificatestorecspexamplesozup.asp
Unfortunately, that typically won't work over RAPI or on most Smartphones, because of a limitation of our XML system. In most cases, the access control checks don't differentiate between reads and writes to an entity, so since the certificate stores aren't writable without a higher privilege level, you can't query them either. I'd like to make it so you can always query certificate stores and security policies over RAPI but we don't yet have that.
Otherwise, if you are writing code on the device, you can use the Cert* APIs to enumerate and examine the certificates. CertOpenStore, CertEnumCertificatesInStore, etc. It's the same as on the desktop.
One question for you - what information are you looking for that you want to query the stores? It seems like a lot of people want to query the cert stores as a first troubleshooting step for code signing problems, but I don't see that as so helpful.
Anonymous
May 04, 2006
Alex Kac: Not currently. There's a little more information about your question on this post: http://blogs.msdn.com/windowsmobile/archive/2005/12/17/security_model_faq.aspx
Anonymous
May 04, 2006
Roberth: The ROOT and CA stores are the ones used for verifying chains for EAS. But if your URL doesn't match the host name on the cert then we won't ever trust it for a SSL sync connection. Server configuration isn't my area of expertise but I'd guess you would need a cert for your internal URL and one for the external as well.
Anonymous
June 22, 2006
Also, is there any documentation to clarify if the certificate stores (ROOT and USER) are automatically cold boot/battery drain persistent?
Anonymous
June 24, 2006
Vasu, I'm not sure what you mean. If the device gets reset via cold boot, everything returns to factory settings. No certs that were added at runtime to any store will persist. There are some certs that come preinstalled in the ROM - those will still be there.
Anonymous
August 07, 2006
Hi scyost,
Like matt, I'm interested in running a query on the stores to determine if the device supports M2M certs in the priv or unpriv store.
Currently, we are working on acquiring a priv M2M cert as we need it for some/most carriers, but it would be nice to be able to do a quick query of other devices as well....
Thanks,
dang
Anonymous
August 07, 2006
The Device Security Manager is the best tool for that purpose - it has friendly names for most of the well-known certificates so it's very easy to see if the M2M certs are on the device.
http://blogs.msdn.com/windowsmobile/archive/2006/06/22/643027.aspx
Anonymous
August 14, 2006
Hi All,
I have a situation whereby I use my own CA root cert as well as a code signing cert to sign my provisioning cab. Based on the readings in this blog, I came to know that I need to store my root cert in the SPC store (please correct me if I'm wrong) in order to authenticate my signed cab (signed using the code signing cert).
Is it possible to install the root cert into the SPC store without the operator's permission? Is the only way to get the provisioning cab running to get the provisioning cab signed by M2M?
Anonymous
October 26, 2006
Can anybody tell me the path where the certificates are stored physically? Thanks in advance
Anonymous
December 11, 2006
Hi! Excellent topic. Very good explanations. I have a question now. This is my scene: first I created a provisioning xml to add a new ROOT certificate to my smartphone. Then I configured a Tomcat server to use SSL with the same certificate. Everything works perfectly (I can navigate the website from my device), but, although I can see the certificate is in the root store (through the "Settings" icon, then security, certificates, and finally, root), the first time I access the web site with my smartphone I get a message prompting me to allow the connection. Why is this happening? A URL name problem with the certificate perhaps? I would like it to be transparent for the user, I mean, if the certificate is there, don't prompt! Thanks in advance!
Anonymous
December 17, 2006
Hi Emilio - it could definitely be a problem with the url name - the server name has to match the subject name in the cert for the connection to succeed in most cases.
Anonymous
December 26, 2006
Hi Scyost, yes you are right, it is a problem with the URL name. I did some coding in C and when I tried to use the function HttpOpenRequest it was unsuccessful until I passed the flag INTERNET_FLAG_IGNORE_CERT_CN_INVALID and then it worked. The flag is used when you need to ignore the mismatching of the certificate name. I guess the problem will be gone when I change the certificate I'm currently using to one with the subject equal to the server name. Good Bye!
Anonymous
February 12, 2007
Are you able to shed some light on how the client certificates are stored? I'm proposing two-factor authentication for WM5 and exchange based on certs. The solution depends largely on how tamper resistant the MY store is, not just from within WM5 but from offline attack, i.e. someone removing the memory and decoding it. Thanks for a great website.
Anonymous
February 13, 2007
I'd suggest you go the smartcard route to protect the client keys. The keys are encrypted when they're persisted to the registry using CryptProtectData, but the master keys for that API are in the filesystem of the device, so it's not resistant to offline attack.
Anonymous
April 26, 2007
I have a very basic question. How can I create my own root certificate? Thanks in advance.
Anonymous
May 16, 2007
Hi Scyost, I have a new question and I'm afraid it isn't related to the Certificate Stores, but as on the previous occasion the information you posted was very helpful to me, I'm confident you could help me again. Here is my question (now about the UI): Regarding the personalization of the menu entries in the contacts/dialer screens, is there any way to take the "beam" menu out of the user interface? Thank you in advance, best regards. Emilio