How to add your own root cert via CAB file
This post will explain how to install a root cert on a one tier device via a CAB file. For explanations of why you would want to add a root cert and alternate methods of doing so, see the discussion of root certs with Exchange ActiveSync. This method will work for any one-tier prompt device, including the Treo 700W and Motorola Q.
[8/11/06] An even easier way to create this XML is to use the tool here.
Open up the cert in explorer. You can do this by double clicking the .cer file, using the MMC snapin, or clicking through the SSL lock UI in IE.
If this is a certificate chain, then examine the root cert. Adding the leaf cert to the root store will not work.
Look at the thumbprint of the certificate. Save this string because you will need it later.
If you don't have the certificate on disk already, select "Copy Certificate" to export the certificate to the filesystem in Base-64 format.
Construct certificate XML using the store, thumbprint, and base64 encoded certificate blob. The XML for our example case would look like this:
<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT" >
      <characteristic type="97817950d81c9670cc34d809cf794431367ef474">
        <parm name="EncodedCertificate" value="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"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
Save the XML file as _setup.xml and make it into a cab file: makecab _setup.xml rootcert.cab
Now install the cab file on the device. You're done!
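The steps above, as an added example that is not part of the original post: a Python script that derives the thumbprint and Base-64 blob from the certificate file and builds `_setup.xml` in the format shown. It refuses a certificate whose issuer differs from its subject for the ROOT store, and it emits the thumbprint without spaces. The function names, the `expected_thumbprint` parameter and the sample bytes are assumptions of this example; the sample is a constructed, unsigned, certificate-shaped structure, not a real certificate.

```python
import base64
import hashlib
import re

STORES = {"ROOT", "CA"}  # roots and intermediates, the stores named on this page


def load_der(data: bytes) -> bytes:
    """Return DER bytes from a DER file or a Base-64/PEM export."""
    if data[:1] == b"\x30":  # DER certificates start with a SEQUENCE tag
        return data
    text = re.sub(r"-----[^-]+-----", "", data.decode("ascii"))
    return base64.b64decode("".join(text.split()), validate=True)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def issuer_and_subject(der: bytes):
    """Return the raw DER encodings of the issuer and subject names."""
    tag, start, _ = read_tlv(der, 0)            # Certificate
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, pos, tbs_end = read_tlv(der, start)      # TBSCertificate
    fields = []
    while pos < tbs_end and len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                         # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    if len(fields) < 5:
        raise ValueError("not an X.509 certificate")
    return fields[2], fields[4]  # order: serial, algorithm, issuer, validity, subject


def build_setup_xml(cert_bytes: bytes, store: str = "ROOT", expected_thumbprint=None) -> str:
    """Build the CertificateStore XML; expected_thumbprint may contain spaces."""
    if store not in STORES:
        raise ValueError("unsupported store: %r" % store)
    der = load_der(cert_bytes)
    issuer, subject = issuer_and_subject(der)
    if store == "ROOT" and issuer != subject:
        raise ValueError("issuer differs from subject: this is not a root certificate")
    thumbprint = hashlib.sha1(der).hexdigest()  # 40 hex digits, no spaces
    if expected_thumbprint is not None and re.sub(r"\s", "", expected_thumbprint).lower() != thumbprint:
        raise ValueError("thumbprint does not match the certificate file")
    blob = base64.b64encode(der).decode("ascii")  # one line, no whitespace
    return (
        "<wap-provisioningdoc>\n"
        '  <characteristic type="CertificateStore">\n'
        '    <characteristic type="%s">\n'
        '      <characteristic type="%s">\n'
        '        <parm name="EncodedCertificate" value="%s"/>\n'
        "      </characteristic>\n"
        "    </characteristic>\n"
        "  </characteristic>\n"
        "</wap-provisioningdoc>\n"
    ) % (store, thumbprint, blob)


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element; used only to construct the sample input."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body


def sample_cert(issuer: str, subject: str) -> bytes:
    """Constructed, unsigned, certificate-shaped DER for the demo (not a real cert)."""
    def name(cn):
        attr = tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode("ascii"))
        return tlv(0x30, tlv(0x31, tlv(0x30, attr)))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"060101000000Z") + tlv(0x17, b"160101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    root = sample_cert("Example Root CA", "Example Root CA")
    # The file must be named _setup.xml; ASCII output carries no UTF-8 byte-order mark.
    with open("_setup.xml", "w", encoding="ascii", newline="\r\n") as fh:
        fh.write(build_setup_xml(root))
    # Then, on Windows: makecab _setup.xml rootcert.cab
```

Passing the thumbprint read from the certificate dialog as `expected_thumbprint` confirms that the file being packaged is the certificate that was inspected before it is trusted as a root.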
Comments
Anonymous
January 28, 2006
So - enlighten me as to what the purpose of this would be? When would I need something like this? Enterprise apps? Or perhaps for self-signed apps?
Anonymous
January 28, 2006
Sorry, that wasn't clear. The purpose of the certificates in the ROOT store is to secure SSL connections, for the browser or exchange activesync or wi-fi. I'll add that up above. Thanks!
Anonymous
January 29, 2006
In the good ol' days this was useful for developing apps that used privileged APIs:
http://homepages.inspire.net.nz/~gambit/Article/#privmode
which reminds me: scott, is the EncodedCertificate white space tolerant? it didn't used to be
riki
Anonymous
January 30, 2006
Er, I also don't get it.
I had this problem with my Treo700 and my GoDaddy SSL cert, that was not trusted.
I simply exported the .CER files, moved them to my Treo, and clicked on them.
I was then prompted to install them.
What does having them as a CAB instead of a CER give me?
Anonymous
January 30, 2006
Hi Riki:
Yes, we fixed the whitespace bug for the 5.0 release.
Anonymous
January 30, 2006
Hi Nick,
Using the ShellExecute extension to add a CER file is good if it works for you - that depends on the grant manager policy to use the version that we ship. It's possible that the OEM or Operator replaced that with their own certificate installer.
This method works if the method you used doesn't work. It also works for adding certs to certificate stores other than ROOT - the certinst tool we ship will only add to the ROOT store if I remember correctly.
Anonymous
February 01, 2006
Hi, Is there a way to add the certificate to the normal application cab generated with the VS 2005 install project, so the same cab could install the application and the required root cert ? The cab has already a _setup.xml but don't know if could be edited manually in some way to add this. Kind regards and Thanks!
Anonymous
February 01, 2006
Hi Jose,
That's a good question. I asked around internally about it and we're planning to do a post about this in a few days.
Anonymous
February 04, 2006
Hi Bill, I'm glad the article helped you. Unfortunately I have no help to offer on wildcard certificates - they're just not supported on the platform right now. More information: http://blogs.msdn.com/windowsmobile/archive/2005/11/03/488924.aspx
Anonymous
February 05, 2006
The reason why you may need to deploy *.cer files via a *.cab file is if you are using an OTA management system for wireless devices. These typically only deploy *.cab files as far as I am aware.
Anonymous
February 08, 2006
Okay, so I followed the instructions for my site, and it worked great.
I then followed the instructions for a 2nd site, but could not get it to work.
I'm assuming that the names you have chosen in your example do need to be unique.
Having installed the 2nd certificate, I get an OK message, and perform a soft reset.
However when I go to the SSL page using IE on the Treo700w, I get the "cert is not trusted" warning. (The name & date are correct, it's just a trust issue.)
I've done a hard reset on the device, and still have the same issue.
Any suggestion?
The 2nd SSL cert is confidential, but if you email me at nick at nicholas poore dot com I'll be happy to email you more info.
Thanks.
-=Nick=-
Anonymous
February 08, 2006
thanks for this! it's absolutely perfect for our company, we're in the process of migrating our users' devices from XDA II's to MINI S and we use a custom root certificate for our activesync connection... i will this cab file to the extended ROM of the devices :)
Anonymous
February 09, 2006
I looked into Nick's problem - his site was using a SSL cert from startcom.org but the server itself was not passing down the entire chain. The solution was to go to startcom.org, grab their root certificate and add that to the device. The instructions above can be misleading if the site is not sending down the entire cert chain. If the certificate at the top of the chain is not a self-signed root, you'll have to find the correct root and add it to the device.
Anonymous
February 10, 2006
TGIF! (sort of.. I'll be working through the weekend yet again..sigh). Oh yeah,...
Anonymous
February 10, 2006
I followed these directions, but when I go to install the .cab file I get "Installation of rootcert.cab was unsuccessful." If you need further details, you can e-mail me at steve at ferguson.com.
Thanks.
Anonymous
March 01, 2006
installation of the root cab was unsuccessful
Anonymous
March 02, 2006
I downloaded the windows mobile 5sdk but no makecab?
Anonymous
March 09, 2006
Sorry, I was wrong about makecab - it actually ships in Windows. check %windir%\system32.
Anonymous
March 12, 2006
A few weeks ago I wrote about constructing CertificateStore XML by hand. You have to open up the certificate...
Anonymous
March 16, 2006
I just took on a Cingular HTC 8125 with Pocket PC 5 and ActiveSync 5. It had the certificate issue because our exchange server / IT guys use a locally created certificate. Tried loading the certificate directly, tried exporting in different formats. Some did work some appeared to load but nothing worked until I found this post.
I just went to our Exchange/OWA site via my PC's Internet Explorer and started the process described above.
Used Notepad to create file, built the .cab, and then moved the file to the Pocket PC via ActiveSync file explorer. Once on the device, I just clicked on .cab. To be safe I did soft reset and voilà it was working after 3 days of fighting it.
Thank you, Thank you. scyost
Anonymous
March 16, 2006
Thank you very much for posting this. I just got my hands on a Cingular HTC 8125. I had used my Firewall's CA to issue a cert for my Exchange (lecture me later, I was being lazy). After reading through your article and its post, I realized my issue was with the root. I installed Microsoft's CA, and did it right. Re-created my IIS cert. Followed your steps to generate the XML file, then into a cab. Installed this into my WM5, browsed OWA with no issue then configured Active Sync. The device is now syncing.
After three days of fighting this, thank you very much for your time in creating this!
Anonymous
March 20, 2006
It makes sense if the pictures weren't broken.. I'll try to get that fixed.
Anonymous
March 21, 2006
there a way to add the certificate to the normal application cab generated with the VS 2005 install project, so the same cab could install the application and the required root cert?
Anonymous
March 27, 2006
Hi, I was able to make and install the cab file, but still getting sync error (support code 0x80072FOD). I can see the certificate under the root. Any suggestions would be much appreciated.
Thanks
Anonymous
March 28, 2006
Advanced issues you might run into when trying to add your own SSL certificates to the device for browsing...
Anonymous
April 15, 2006
I have the same problem as this gentleman...
Hi, I was able to make and install the cab file, but still getting sync error (support code 0x80072FOD). I can see the certificate under the root. Any suggestions would be much appreciated.
Thanks
Any ideas?
Anonymous
May 08, 2006
note you must have _setup.xml as the name. not blah_setup.xml
Anonymous
May 16, 2006
Trying to install root certs to a SPV C600 with the AKU2 update on using this method just doesn't work! It does bizarrely work with an M600 though??
Anyone sussed how to get a root cert installed onto the C600 yet?
Anonymous
May 25, 2006
Well, Orange were really helpful. And I did manage to install the two certs that they kindly supplied.
I managed to install it by copying the cab to the My Documents on the C600 using active sync explore mobile device. I then browsed to the file on the c600 select the file, menu options and run it from there. Both certs installed without any problem.
I got one cert from the browser certificate on the server and the other from the IIS.
However, I still get the "You cannot log on to the Microsoft Exchange Server ... certificate is not valid..." during the set up. And "You have an incorrect SSL certificate common name in the Host Name field ..." Anyone got any ideas how I can resolve this?
Anonymous
June 01, 2006
I have the same issue as some of the people above.
The certificate is installed as root certificate on my ppc, but it is still giving a sync error (support code 0x80072FOD). Any suggestions on how to solve this?
Anonymous
June 01, 2006
My certificate is installed as root certificate but I'm still getting a sync error (support code 0x80072FOD). I'm certainly not the only one with this problem. Any suggestions on how to solve this?
Anonymous
June 02, 2006
I take my original comment back, "...it seemed to install OK". I tried it a second time and it told me that it installed unsuccessfully. So now I'm questioning my XML file format, was that the proper way to create one? Also scyost, you mentioned in your original directions, "Construct certificate XML using the store, thumbprint and base64 encoded certificate blob". Excuse my ignorance again, but what is "store"? On a side note, I read in another BLOG about the WM2005 registry being locked for certificates, could this be my problem?
Anonymous
June 03, 2006
The store should be "ROOT". If it turns out that you need additional (intermediate) certificates besides just the root, then those should be added to the "CA" store.
It is possible that for some device configurations this method won't work, but other posters have mentioned success on the 8125 so I think it will work for you.
One idea - you said you created the XML in Word. Word tends to change quotes to "smart quotes" and those will not work in the XML. Try using notepad to create the XML instead.
Anonymous
June 04, 2006
I just remembered what the 8125 device is - this method will definitely work on that device. It should work on any Pocket PC device.
Anonymous
June 06, 2006
Tried all the above with both self signed default website certificate as well as one of the trusted located in the trusted certificates folder on local machine. Motorola Q still does not allow for cab nor cer install. Any suggestions?
Anonymous
June 06, 2006
Moto support tells me you cannot install a cert directly on the Q; you need to do it through a cab install. Eighteen hours of pulling my hair out supports their suggestion. This doc showed me the light. :-)
I have NO idea whether the additional steps I took (above and beyond these instructions) are correct or not but they worked for me.
I followed the instructions as provided with these exceptions:
1. Export the cert to Base-64 and use the Thumbprint from that file.
2. Be sure to install your root cert first and then your intermediate cert, if you have one; you may not.
3. Better safe than sorry - Before you start do a hard reset on the Q (Start | System Tools | Master Reset.)
4. Better safe than sorry - Always delete your Activesync setup if you sync and it fails for whatever reason (Start | Activesync | Menu | Options | Menu | Delete).
My experience, though, is that these instructions work.
Anonymous
June 06, 2006
Hi Joe,
Glad you were able to get it to work. None of those four steps you describe should make a difference, though. :)
Kurt - I was able to install a cert onto a review copy of the Q last week in the office using this method. Can you be more descriptive about what's happening on your end?
Anonymous
June 09, 2006
For those of you getting unsuccessful cab installs. Make sure your thumbprint in the XML file does NOT contain any spaces. If you copy and paste the thumbprint from the cert details, the spaces are pasted as well. Delete the spaces. I saw a colleague run into this problem. Once we found the error, the cab installed normally.
Anonymous
June 13, 2006
Hi, I am using this method to install root into Cingular 2125 and it works fine:
I am checking by:
Start Settings (7) Security (7) Certificates (4) Root (2) More (0) and yes it is there last one,
So far so good, but since I do not know the XML syntax for _setup.xml I cannot import the key for my MS Exchange Server for ActiveSync
<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="ROOT" > .... I assume "CA" ?
Can you point me in the right direction?
Anonymous
June 14, 2006
For the Verizon Motorola Q you can use the VZW_SpAddRootCert utility to install a root cert. You'll need to DL the utility from MS and copy it to the phone, then create a directory called IPSM at the root of the phone and copy your root cert there. Then run VZW_SpAddCert from the phone and follow the prompts to add the cert.
Check here for poorly written instructions and a link to DL the utility:
http://support.microsoft.com/?kbid=841060
Verizon has the Q really locked down (idiots). The RegEdit tools won't work and I couldn't get an XML rolled into a cab to work either.
The amount of time I've spent trying to get WM5 devices to work properly is ridiculous given that it could have been avoided if MS had included a full set of root certs on the device.
Loren
Anonymous
June 20, 2006
Hi. I used this method to install root on a T-Mobile MDA with Cingular 8125 ROM (2.25), and i get the following error:
"You have an incorrect SSL Certificate common name in the Host Name field. For example, you may have entered www.tailspinstoys.com when the common name on the certificate is actually www.wingtiptoys.com. Make sure the server name in entered correctly."
The support code is: 0x80072F06
Our exchange IT guys locally create the certificate.
Any help would be greatly appreciated.
Bud
Anonymous
June 22, 2006
Does the *.cab work for the 700p?
Anonymous
June 22, 2006
I found this thread after trying to get help (for 3 hours!) from Sprint (not!) for the 0x80072F0D error while trying to sync a new Sprint PPC-6700. I finally copied the cert (.cer) file to the unit (into the My Documents folder) and just opened it. Voilà! It installed the root cert. This did NOT work for a Cingular HP iPAQ hw6515a GSM/EDGE "Mobile Messenger" however, so I'll try this cab technique.
Anonymous
June 22, 2006
Hi, first I have to excuse for my bad english.
I want to establish access to a 802.1x secured wireless network for windows mobile 5.0 clients. For this reason I need to import a client certificate on the Windows Mobile 5 device. On WM 2003 I tried this with the certificate enrollment tool. But the certificate requested this way was a user not a client certificate.
So is there any possibility to import a certificate which is stored on a Windows Mobile 5 device independent of the user which uses the device?
Perhaps somebody can help me?!
Anonymous
June 23, 2006
I have gone through and installed both certificates in the chain using a cab file for both and I'm still getting support code 0x80072F0D. Does anyone have any suggestions?
You can contact me at mike dot hall at perigoneng dot com. Any help or suggestions would be greatly appreciated.
Anonymous
June 23, 2006
We have a Motorola Q from Verizon and used VZW_SpAddCert to install our root cert, however we're still having problems. We are asked to verify the server name and the support code is 0x80072EE7. This gives us nothing but Windows Update support docs. We have a Win2k3Std w/ SP1 & Exch2003 Enterprise w/SP2 and all updates. Can anyone give me the proper syntax for listing the server name in the phone's configuration? Thanks to all.
Anonymous
June 28, 2006
The store name is "MY". You won't be able to install the private key via the CertificateStore CSP though. I would suggest trying out the tool at http://www.jacco2.dds.nl/networking/p12imprt.html for importing full client certs.
Anonymous
June 29, 2006
Hi Glyn,
If the data in the cer file is not human-readable, I'd guess you exported it as a DER-encoded file instead of base-64. Check the third screenshot above.
Anonymous
June 29, 2006
Does this or any other method work to get the cert installed on a 700p? I have not been able to find a utility for the 700p that works the way the Verizon utility works for the 700w and the motorola Q.
Anonymous
June 29, 2006
The 700p runs the Palm OS, not Windows Mobile. So I have no idea how to add a certificate to it.
Anonymous
June 30, 2006
I figured it out!! My cert was bought from Rapid SSL and I kept getting the 0x80072F0D error when I tried to enable SSL either 128 checked or not. I could access OWA or OMA fine through https. I went on Rapid SSL's website and read something about not being like other chain certificates. Looked at the root certs installed on my Sprint PPC 6700 and found Equifax Secure Certificate Authority, but not Equifax Secure Global eBusiness CA-1. I looked in my IE browser on my desktop and found under tools-->Internet Options-->Content-->Certificates-->Trusted Root Certification Authorities tab and found the Equifax Secure Global...made it a cab file using the above instructions as above, copied it to my 6700, ran the cab, enabled security on the server (128 bit checked), enabled security on the 6700, sync'd and PRESTO!! It WORKED!!
Anonymous
July 03, 2006
Here is how it works:
Whether you need an XML file or can double click on the *.cer file to install it onto your PDA/WM5, the most important thing is to get the correct root certificate. Most SSL providers have more than one, so just going to the SSL provider's website and downloading any old root certificate won't work.
For example, I purchased a RapidSSL certificate. When I downloaded their only root certificate provided for their standard SSL certificate, it was called "Equifax Secure Global eBusiness CA-1". However, when I opened my website with the recently purchased SSL certificate on it and opened the SSL certificate for that page, IE told me that this page was being protected by a root certificate called "Equifax Secure eBusiness CA-1". This was different to the only root certificate made available on the RapidSSL website!!! (One had the word "Global" in it and the other one didn't)...
I ended up doing a google search for the exact root certificate name and found the following page: http://geotrust.com/resources/root_certificates/index.asp - This had many root certificates on it, and one of them was the one I needed.
After I did this, all was well... If you get another error after this, make sure the right ports are open and if you are using ISA server, try buying a book. They are very helpful in getting through the rest of the settings required.
In summary, just because you have a root certificate from the SSL provider you purchased your SSL certificate from, it doesn't mean you have the right one. Make sure the root certificate name EXACTLY matches the root certificate connected to your SSL protected website.
Also note these points:
1. Make sure that your SSL certificate matches the domain name that you are protecting! Duh!
2. I have an i-mate sp5 and it can install a .cer file without the install file mentioned on this page. All you have to do is use the file manager, browse to where you copied the .cer file and make sure you are in list view (so you can see files as well as folders), then click on it. Make sure the .cer file is in DER format (not base 64) otherwise it won't open. This may work for other devices, but the i-mate SP5 is all I have...
I hope this helps some people....
Anonymous
July 05, 2006
Hi, first I have to excuse for my bad english.
I will EVC-Cabwiz.exe create *.CAB but I don`t about example 1.exe and 2.exe to one box.
I think you how to write .inf .please tell me.
my - mail:zhujm@vlive.cn
Very thinks!
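Could you give me a demo of writing an .inf file for Cabwiz.exe? Right now I have no problem packaging a single file, but I have some trouble packaging 1.exe and 2.exe together into one package. Also, during installation I always get the prompt "The program you have installed may not display properly because it was designed for a previous version of Windows Mobile software", but after I select OK the software works fine. Could you tell me how to get rid of this prompt? Thank you. Could you provide a demo?
Anonymous
July 06, 2006
I'm trying to gather some additional data to help address this problem. If you've had trouble syncing...
Anonymous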
July 06, 2006
I get the following error message when trying to install the .cab file -
"Installation was unsuccessful. The program or setting cannot be installed because it does not have sufficient system permissions."
This is an unlocked Qtek 8500.
What else can I try?
Anonymous
July 23, 2006
After about 1 hr. of work I finally was able to install a certificate on a Sprint PPC 6700.
On this device, you have to get the certificate on the device via active-sync. The trick is to use the DER encoded format and NOT the base-64 encoded format as mentioned in other attempts. Clicked on the certificate and it installed!
Good luck.
Anonymous
July 25, 2006
Well, after successfully using the CAB on a Sprint PPC6700, I tried it on a Verizon 6700. The Verizon complained about an "unsigned program", but seemed to accept the Certificate. The Root Certificate Store on the PPC shows the proper certificate, with an expiration date of 2011.
HOWEVER, browsing to my Remote Web Workplace SSL site on my SBS 2003 Server, I get a warning that the Certificate has EXPIRED. The two other checkpoints on the certificate are fine. I'm surprised to see this problem. Anybody encountered an "Expired Certificate" warning after a valid certificate was installed on a Verizon PPC6700? Thanks!
Anonymous
July 25, 2006
Have a look here. Also works for 2005
http://www.petri.co.il/adding_root_certificates_to_windows_mobile_2003_ppc.htm
Anonymous
August 01, 2006
I have an issue with installing a cab... my provider has released a file which opens the phone a bit more to modification... the problem is, I cannot combine their xml file with the cert xml file because it will not work. If I install their cab and then install my cab everything works just fine. I have checked syntax and structure and everything is fine (to my knowledge). Any ideas?
An example of my attempted xml file can be seen on this post of mine:
http://forums.pocketpcfaq.com/viewtopic.php?p=46330#46330
Anonymous
August 11, 2006
Say hello to the SslChainSaver tool. This is a tool that I wrote internally to troubleshoot SSL connections...
Anonymous
August 14, 2006
Hi:
I tried these steps for my new MotoQ, but got a message "Installation of rootcert.cab was unsuccessful. The installation file is not intended for this device"...
Any idea what I can do?
John.
Anonymous
August 22, 2006
Just wanted to add here the very important fact that you have to add ALL certs in the cert chain. When you right click in a blank area of OWA and select Properties, there's a tab showing the Certification Path.. Make a copy of ALL of the certs and the certificate error goes away from browser and from ActiveSync.
Anonymous
August 24, 2006
The bible on this, straight from the horse's mouth: http://motorola.custhelp.com/cgi-bin/motorola.cfg/php/enduser/std_adp.php?p_faqid=12932&p_topview=1
Did it, worked great, took all of 5 min. Just make sure the .cer file is a DER encoded binary.
Anonymous
September 07, 2006
Hi,
Thanks for the excellent info - worked a treat! THANKYOU :)
NB: For anyone interested in a longer FAQ detailing what i had to do to get this working using apache as a reverse proxy and using openSSL - I posted one on the tek-tips forum.
http://www.tek-tips.com/viewthread.cfm?qid=1276155&page=1
CHEERS - Chris.
Anonymous
September 14, 2006
The confusion for me and i think a lot of other persons who have posted here is the export of the certificate.
I made the wrong export. I took the thumbprint of the certificate on my OWA server but you have to take the thumbprint of the CA!
I think you should red circle the 'view certificate' in the first picture because many persons including me just hit the second tab and take that thumbprint...
In my case i use an enterprise root ca of my windows 2000 domain. For testing i use a Dell Axim X51 with Mobile 5. I can simply click the .cer file once i have copied it with active sync to my file explorer. Once this is done, the root is trusted i can sync with my owa server.
Anonymous
September 21, 2006
How do I find certs installed on a WM5 PPC?
I've tried the procedure above and have had successful cert installations. But, I still can't browse my OWA email - and I could before WM5. The same error pops as before the cert.
Could bad certs be causing a problem?
I also received and tried a cert from the OWA server staff for WM5 mobile phones. It installs, but I get the same error (see 1June support code posts above).
Anonymous
October 04, 2006
i've tried to install the certificate through the cab file...but my imate spm5 windows mobile 5 device won't do it.... it tells me that i haven't the rights to do that operation... what can i do now??
Anonymous
October 08, 2006
Scott, in your reply in this post - http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making-a-root-cert-cab-file.aspx#522712 you mentioned 'I asked around internally about it and we're planning to do a post about this in a few days.' Has the post come up yet ? Thanks, Vino
Anonymous
October 09, 2006
Hi Vino - yes, Brian Cross made the post here: http://blogs.msdn.com/windowsmobile/archive/2006/02/03/524592.aspx
Anonymous
October 11, 2006
on a treo750v from vodafone it was a case of importing a self signed root and the leaf certificate. i opened owa and saved both from there (one at a time) in der format , then copied them using active sync on usb ,onto the device. double clicking them installed and saved them and hey presto. i will say though make sure the address you're trying to connect to is exactly right in the settings.
Anonymous
December 18, 2006
Now I have the root cert installed, I find I have to change it. How does one remove a cert which has been installed via a CAB file? A cert management utility would be very handy :-). MPW
Anonymous
December 18, 2006
On PPC you can remove it via the Certificates control panel. You can do it with a cab too - documentation is on MSDN here. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/DevGuideSP/html/sp_wce51samdeletingcertificateexampleozup.asp In a nutshell, remove the parm entries from the XML and change the characteristic to nocharacteristic.
Anonymous
December 19, 2006
Worked on the HTC TYTN by downloading it as a der encoded binary format. Thanks Complete novice to XML and certificates but found all your comments very useful
Anonymous
January 09, 2007
Has anyone managed to get the email certificate to work on the Treo 750 running WM5? I have an exchange server synching OTA and had a TyTn working without a lot of problems, I am able to install the Personal, Intermediate and Root Certificates but when I create an email, if I try to sign or encrypt, I get error msg "The Message Cannot Be Signed/ or Encrypted" What am I doing wrong? I can see all the certificates that I have installed in the respective stores on the Treo
Anonymous
January 17, 2007
I had some trouble setting this up. But now it works on a qtek 9100 with the cab file. To make it work I had to delete the current exchange profile in active sync and recreate it. Then the sync works. If I don't follow this step the active sync fails with the error: Your exchange server requires a certificate, please log onto your corporate network to obtain a certificate.
Anonymous
January 24, 2007
Hi I tried and make the cab file and run on my O2 xda mini. It gave this error, " The file .....cab is not a valid Windows CE Setup file. Any clue? Thanks.
Anonymous
February 23, 2007
I am totally lost! I have a small business and I need to connect to the exchange server to a Treo 750 and am getting the certificate error. I have access to all the information I need to get the certificate but my knowledge of xml and the like is extremely minimal. Can you break down your steps as if you would for an idiot? Thank you!Anonymous
March 12, 2007
I do not recommend my customers to by WM5 on SmartPhones and other devices that has certificate problems. It has become to expensive to install certificates. More people do the same. That will teach MS to listen over time.Anonymous
April 26, 2007
Hi I have ROOT certificate Got from OpenCA. For this root certificate, how can i generate the intermediate XML files to sign my application to get previlaged access. Thanks in advance.Anonymous
May 05, 2007
We've automated this entire process at http://www.digitallabs.net/mcb Even includes a standalone .exe for end user deployment. This will build the _setup.xml, the cab file and everything.Anonymous
May 24, 2007
I don't get it why you guys didn't fixed that issue in Windows Mobile 6. We confirmed the above described behavior . We're using such a certificate to connect mobile devices (like Windows Mobile) with our wireless lan through 802.1x authentication. We got it running with the third-party software alfa ariss. It still won't work with the native peap supplicant. Any ideas? Regards, fantasioAnonymous
June 07, 2007
I had "installation of the root cab was unsuccessful" until I changed the file format of the _setup.xml to ansi (was utf8 earlier). May help some of you out there.
Anonymous
June 12, 2007
Thanks a lot Julian concerning the rapidssl root certificates information.
Anonymous
June 20, 2007
Here is a little jewel for those of you still having problems. I have scripted this procedure into a small program, all you need is the CA certificate in DER format or have it installed and it can be extracted. This program creates the completed .cab file that can be copied to the mobile device and run (from the device) to install the certificate. http://www.anykeycomputers.net/VM_Cert_Cab.exe or http://www.anykeycomputers.net/vm_cert_cab.zip
Anonymous
June 25, 2007
I have tried this process repeatedly but continue to get the error, installation of the root cab was unsuccessful. It occurred to me that maybe I am acquiring the certificate info from the wrong source. Thus far I have been viewing the certificate from home through Outlook Web Access, however, I am wondering if I need to acquire the certificate info. from my PC at work that directly accesses the Exchange Server. I assumed the certs were the same but maybe they are not. Can anyone confirm where to get the cert info from????
Anonymous
June 25, 2007
I have tried this process repeatedly with no luck. I am not sure what I am doing wrong. I am going to OWA and accessing the cert. I copy it to the desktop and open it with notepad. I copy and paste the text above (changing out the thumbprint and base64 encoded certificate blob). I then save this file as "_setup.xml" then I do a save as again from Notepad and change the file name to "makecab _setup.xml rootcert.cab". I use Activesync to move it to the handheld and click to install but every time I get a message that says "installation of the root cab was unsuccessful". Any suggestions on what I am doing wrong?
Anonymous
July 02, 2007
@jbennett: The cert that your server is serving has to match the URL of the site. If it sends down a cert for www2.ourdomain.com and the device is trying to connect to exchange.ourdomain.com then it definitely won't work. So you either need the exchange server to have its own cert, or to get a wildcard cert (*.ourdomain.com). The wildcard certs are only supported on WM6.
Anonymous
July 04, 2007
I have an internal root ca installed, but when trying to sync through activesync, it writes my username and asks for a password. Even though the password is correct, it asks again. The pda is i-mate jasjam. Thanks.
Anonymous
July 05, 2007
eran, I've seen this happen when the "Disable cert chk" setting for activesync was used. That setting isn't supported anymore.
Anonymous
July 05, 2007
I am trying to install a GoDaddy root certificate on a Treo 750 (cingular/ATT). I follow the directions above, create the XML, create the CAB, e-mail the cab to myself (though another e-mail client), and run the cab - no luck. What could be the problem? GoDaddy changed from ValiCert to their own root cert, and my college renewed its certificate with the new root cert. Any thoughts?
Anonymous
July 09, 2007
Hey guys, Have been playing around with WM 6 and you might add that for 6 this process isn't necessary, you can manually add a cert simply by double clicking on the cert (from my experience). Of course that process wouldn't work via an MDM solution I don't think, but it's another option.
Anonymous
July 13, 2007
That's correct. I described the changes more here: https://blogs.msdn.com/windowsmobile/archive/2007/02/07/certificate-improvements-in-windows-mobile-6.aspx
Anonymous
August 28, 2007
My apologies to those who attempted to use my previous program. It was built using WSE 2.0 and required a DLL; so you may have received an error. The new zip file includes the required DLL, just unzip to a folder and run the wm_cert_cab.exe. This will allow you to either select a .cer file on your local machine or extract the cer information from your installed certificates (i.e. Internet Options > Content > Certificates). It will then output the .CAB file to the same directory the program is running in. All you need to do is copy the .CAB file to your phone; then using the file explorer on the phone, run the .CAB file. http://www.anykeycomputers.net/wm_cert_cab.zip
Anonymous
August 30, 2007
Hey Coppernicus, that's a very nice utility. Are you willing to post the source code? What is it written in? How are you creating the CAB? I don't see a makecab utility with your application.
Anonymous
September 14, 2007
It appears that the compact framework has an issue with wildcard certs on WM6 devices. Has anyone experienced this?
Anonymous
September 15, 2007
These certificates don't seem to work with Activesync .. I have tried importing them but no luck still
Anonymous
September 21, 2007
Ricke, I used Visual Basic to create the application. The makecab utility is actually an embedded resource within the application. When it is run it checks the default location of makecab.exe, if it is not there it creates a file stream of the embedded resource and outputs it to the destination folder, then deletes it after the operation completed. I will package the source code in a zip file and include a link when it is ready.
Anonymous
September 21, 2007
Hey Kevin, try out the link at the top of the blog entry to the sslchainsaver too. If that isn't working for you, e-mail me the name of your exchange server and I can look at it.
Anonymous
October 16, 2007
Thanks! That fixed my Windows Mobile 6 Moto Q9m. I was able to use the SslChainSaver and then create a cab file and then import it to my Moto Q9m as a root certificate. Then the active sync with SSL started to work even with my self assigned certificate.
Anonymous
October 24, 2007
I followed all of the directions and am still having trouble with my Samsung i730. The certificate is there, but I am still getting error 0x85010014.
Anonymous
November 08, 2007
Hey Scott... I'm hoping you might be able to help me, this might be stupid and the answer is "your phone is locked dummy" but here goes. I have an HTC S620 running WM5 and am running on the Rogers network here in Canada. I am trying to attach to our exchange server at work. I have the certificate, I copied it down to the phone along with spaddcert and ran it and was able to get all the way through to the part where it confirms you want to add it and then I get the "Error Adding Certificate. The phone may be locked." error. Any help or insight you could give me would be much appreciated.
Anonymous
November 12, 2007
@pkirkbeck: that does sound like your phone might be locked. Did you try the CAB method from this post? It will work in some settings where spaddcert won't.
Anonymous
December 03, 2007
I'm trying to set up ActiveSync to Exchange 2003 using a WM6 emulator. The front-end server is using a wildcard certificate, which WM6 is supposed to support. I've used the cab method to import the wildcard certificate in the root, but I still get the 80072F0D error each time I try to sync. The wildcard cert is not chained. I tried running the emulator inside our network and pointed it directly to the exchange server (thus bypassing the front-end server). I imported the server-generated certificate (non-wildcard) from the back-end exchange server into the root and ActiveSync worked wonderfully. I can access OMA and OWA through the front-end without problem. Any suggestions? Is there something special that needs to be done to use a wildcard certificate in WM6? You can email me at scottdrock at gmail dot com if necessary. Thanks.
Anonymous
December 22, 2007
Guys, I need help... I've tried everything listed here and elsewhere. At this point I'm getting a Support Code 0x80072F7D on my Windows Mobile 6.0 device trying to synch to a Windows 2k3 SBS server. Please help... I want to synch! :)
Anonymous
December 31, 2007
I am trying to install via CAB file. I have tried both creating my own _setup.xml file, and also trying the utility above. In both cases I get the error "The file .....cab is not a valid Windows CE Setup file." Does this method not work for CE? What would make it a valid setup file?
Anonymous
January 08, 2008
Can we add certs programmatically as well? Are there any limitations to this?
Anonymous
February 14, 2008
We found the problem with our import - We use an Equifax Global eBusiness CA-1 certificate also and made the cab but we missed the small "/> at the end of the certificate data pasted into the xml - that closing bracket makes the cab import fail on the phones.
Anonymous
April 15, 2008
Thank you! This saved me a lot of headache! I was also able to create a simple HTML page with a link pointing to the CAB file. Users simply opened the web page on their phones, clicked the link, and they were prompted to download the CAB and install the root cert! Awesome!
Anonymous
April 17, 2008
Coppernicus, your little program worked like a dream! Awesome, thanks a million times over!
Anonymous
April 17, 2008
I don't even know how to do any one of these that the members are saying. Everyone just says... I created this and I've done this. The initial post is not clear enough for a newbie.
- How do I get the .xml file?
- How do I make a cab file? The instructions are not clear and that is why I am asking. I have a Treo 700wx. I also tried the link at: http://support.microsoft.com/?kbid=841060 If I knew how to make a cab file, I would make all the .exe into a cab without having to active synch to install it.
Anonymous
April 24, 2008
Scott, I have been trying to use the J2ME application for Gmail on my AT&T Tilt running WM6. The application works on any Tilt with the old ROM (v1.58), but gives a connection error on a Tilt with the new ROM (v1.62). (I've tried on a number of Tilts with the two different ROMs.) Same problem with the J2ME application for Google Apps email, but here the error is more informative: "Your phone doesn't support end-to-end connections (reason: Cause unknown). Mail by Google cannot be used at this time.". Does this sound like a certificate issue to you, or has AT&T simply asked HTC to block Java from using https connections? Thanks, Seth
Anonymous
April 24, 2008
Hi Seth, It doesn't sound like a root certificate error, but honestly I'm not sure what that error message is trying to convey. Scott
Anonymous
May 14, 2008
Hi, I created a self signed CAB and now want to export my cert to Smartphone but the CAB already has a _setup.xml and I don't know if it could be edited manually in some way to add this. Kind regards and Thanks!
Anonymous
May 16, 2008
I have a Sprint PPC6700, and a GoDaddy wildcard cert. on my exchange 2007. I've tried installing the cert. via cab, .der, pkcs #7, you name it.. I don't get a cert. error it just keeps telling me the exchange server can't be reached. I've got other users with mobile devices that connect just fine. And the Sprint can browse the web, so I know it's trying the exchange server. Help???
Anonymous
June 21, 2008
Scott, I need to know how to add this to a CAB project in Visual Studio 2008 so it gets installed along with some custom software we have written. Any ideas/links for me? Thanx, Robert Beaubien rob(at)koolsoft(dot)com
Anonymous
June 21, 2008
Robert, It's probably easiest to just put the XML from this blog post into the _setup.xml for your application.
Anonymous
August 14, 2008
Wahhhooo it works. My process was:
- SSLChainSaver.exe myURL
- For each XML file (there is one for WM5 and one for WM6):
- Open xml file in Notepad, and change encoding="us-ascii" to encoding="ansi"
- Rename to: _setup.xml
- Makecab _setup.xml MyCertificates-wm6.cab
- Publish the CAB's on a web page, so they can be installed from a browser on the client device.
- Click the link to open the CAB from Internet Explorer on the device, CAB installs successfully.
Anonymous
August 25, 2008
Way to go Coppernicus. Our MS Exchange Server was just "upgraded" and now requires all intermediate certificates to be installed as well. I have a Moto Q MSM 5.0 from Verizon and as others have stated it is locked down tight. The root certificate installation program VZW_SpAddCert works fine for the root certificate, but not for the complete chain. The SSL ChainSaver looked like it was going to work. It correctly discovered that 3 certificates are required in the chain, but could only create a file for the root. My IT people sent me the full chain of .cer files earlier in the day anyway. So I had access to them. A simple run of your tool, push the cab files to Moto Q and voilà! Works like a charm. Thanks much!
Anonymous
August 25, 2008
Hi Scott, Just managed to add both a Root CA and Intermediate CA certificate to my HTC Touch Diamond smartphone (running WM6.1) making use of your PowerShell script as a baseline for provisioning XML files via a CAB file (a CPF file - CAB Provisioning File). However, the problem I have is that I can not delete the certificate neither via the phone's UI (since it is greyed out), nor by the WAP provisioning XML message recommended by Microsoft. I suspect it is a permission issue related to the way I provisioned both certs, but can't figure it out. On the other hand, I can delete all of the certificates in a chain of 3 certs when installing them via a PFX file. Any ideas on why the CAB approach differs to the PFX approach? A sample XML message I pushed to the phone to provision an Intermediate CA is:
<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="CA">
<characteristic type="{0}">
<parm name="EncodedCertificate" value="{1}"/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
I also tried adding the 'role' parameter (e.g. <parm name="Role" value="16"/>) with various values, just in case I was not pushing the certificate with appropriate permissions, but failed. Any guidance would be appreciated. Regards, Manuel.
Anonymous
September 19, 2008
The link is a working cab that is compatible with Windows Mobile 5 and 6. You can download and install this cab directly from the internet to the phone. The problem with all the instructions above is that they do not specifically state that you need to make sure that when you make the file that it cannot have any spaces or hard returns in the _setup.xml. The file will look like this for the cab made above:
--------------Start of _setup.xml file---------------
<wap-provisioningdoc><characteristic type="CertificateStore"><characteristic type="ROOT" ><characteristic type="2796bae63f1801e277261ba0d77770028f20eee4"><parm name="EncodedCertificate" value="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"/></characteristic></characteristic></characteristic></wap-provisioningdoc>
--------------End of _setup.xml file----------------
Hope this helps, Josh
Anonymous
September 27, 2008
I used sslchainsaver version 2 (http://blogs.msdn.com/windowsmobile/archive/2008/05/18/sslchainsaver-v2-released.aspx) to create the XML file and then used the above instructions to package it into a CAB file for a Windows Mobile 5 device. Unfortunately it wouldn't install. After much frustration I realized I must rename the XML file created by sslchainsaver from mail.example.com.wm5.xml to _setup.xml; any other name and it won't install. I'm not sure if the cab file must be named rootcert.cab or not but that could be a variable as well.
Anonymous
November 30, 2008
Hi Scott, Thanks for this wonderful and quick to work solution. It saved lot of my time. I am in urgent need of solution to the following problem. Please help. I installed my company's Exchange Authentication certificate on my HTC S710 as root certificate and it worked perfectly fine. But last month the certificate expired and I got a new certificate from the company. First I was not able to remove this existing certificate from the device as its root certificate. Then I installed the second certificate too as root certificate thinking the device might resolve the correct one during runtime. I also restarted the device. But this is not working. I am still getting certificate error (Security Certificate on the server is not valid..., support code 0x80072F0D). Is it possible at all to remove a root certificate from the windows mobile 6 device? I have checked all configuration files (all provxml, xml and other dat files), but I am not able to find where is the certificate registered..? I checked all CertificateStores and Registries but no signs of the certificates in there.. Thanks in advance for the help. Regards, Dinkar gupta.dinkar@gmail.com
Anonymous
December 29, 2008
I finally was able to get this working by installing the root.cer certificate right onto my device which is a Palm Treo 700Wx. It is worth noting that the cab file did not work for me. I did use the sslchainsaver.exe to download the root.cert file from the email server. Thank you very much.
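The following is an added example, not code from the original post, from any commenter, or from the tools linked above. It builds the `_setup.xml` described in the post from a Base-64 or DER `.cer` export and checks an existing file for the failures reported in the comments (UTF-8 instead of ANSI encoding, a dropped `"/>`) plus a thumbprint that does not match the encoded certificate. The function names and sample bytes are constructed for illustration, and the thumbprint is assumed to be the SHA-1 hash of the DER-encoded certificate.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(64))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def to_der(cer: bytes) -> bytes:
    """Accept a Base-64 (PEM) or binary (DER) .cer export and return DER bytes."""
    m = PEM_RE.search(cer)
    return base64.b64decode(b"".join(m.group(1).split())) if m else cer

def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, as lowercase hex without spaces (assumption, see lead-in)."""
    return hashlib.sha1(der).hexdigest()

def build_setup_xml(cer: bytes, store: str = "ROOT") -> bytes:
    """Return the provisioning document as one line of plain ASCII bytes."""
    der = to_der(cer)
    doc = ET.Element("wap-provisioningdoc")
    node = ET.SubElement(doc, "characteristic", type="CertificateStore")
    node = ET.SubElement(node, "characteristic", type=store)
    node = ET.SubElement(node, "characteristic", type=thumbprint(der))
    ET.SubElement(node, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc)  # default encoding is us-ascii: no BOM, no declaration

def check_setup_xml(raw: bytes) -> list:
    """Return the problems found in an existing _setup.xml (empty list = none)."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark at start of file")
    elif any(b > 0x7F for b in raw):
        problems.append("non-ASCII bytes in file")
    try:
        doc = ET.fromstring(raw)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    for node in doc.iter("characteristic"):
        parm = node.find("parm[@name='EncodedCertificate']")
        if parm is None:
            continue
        try:
            der = base64.b64decode(parm.get("value", ""), validate=True)
        except ValueError:
            problems.append("EncodedCertificate is not valid Base-64")
            continue
        if thumbprint(der) != node.get("type", "").replace(" ", "").lower():
            problems.append("thumbprint does not match the encoded certificate")
    return problems

if __name__ == "__main__":
    xml = build_setup_xml(SAMPLE_PEM)
    print(xml.decode("ascii"))
    print(check_setup_xml(xml) or "OK")
```

Write the bytes returned by `build_setup_xml` to a file named `_setup.xml` in binary mode before running `makecab`, and compare the thumbprint against the value shown in the certificate dialog before installing anything into the ROOT store.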