Monday, January 16, 2006

Windows Mobile 5.0 and Self-Signed Certificates

Happy New Year. I know, I know, the posting isn't as often these days, but when you're heads down on things that you can't speak about, it's a little hard to have other time to investigate cool stuff. And yes, for those of you interested, I'm still working on the steps for hosting multiple websites via ISA, I think that's my only outstanding request.

Anyways, now that Windows Mobile 5.0 is available, I'm allowed to discuss this particular topic. It's becoming known that the self-signed certificate that is created as part of running the CEICW (Configure E-Mail and Internet Connection Wizard) doesn't install on devices running the latest version of Windows Mobile. Well, the good news is, that's because we've made the device much more secure. As a result, your device is much more robust to threats from the outside world. However, it does unfortunately cause a slight headache for our SBS customers.

If you have an i-mate (typically the Audiovox SMT5600) you might not be completely out of luck, as over at Club I-Mate once you register your device (which yes, requires making an account) there is a device that can install such certificates on your device. Depending on how locked down your provider makes your phone this could be an option.

The quickest, most efficient way to get Over the Air Synch against the Exchange server to happen is to install a trusted certificate. But be careful! Not all certificates are created equal. Windows, and by the transitive property, Internet Explorer, trust far more root certificates than Windows Mobile based devices. When you're purchasing your certificate, if you plan to use a Windows Mobile based device against your SBS server, make sure the certificate chains up to one of the core root certificates: VeriSign, Cybertrust, Thawte, Entrust, GlobalSign and Equifax. Without this, to the mobile device, it just looks like a self-signed certificate...

Good luck!


Anonymous said...

This is interesting. I am able to use my self signed certificate on my Dell Axim X50 upgraded to WM5. By just coping the certificate to the device and double clicking it. Is this something OEMs can enable?

Sean Daniel said...

I believe most Pocket PCs still allow you to install self-signed certificates, it's mainly the smartphone.

I guess my picture is missleading... sorry about that.

Mark MCT IRL said...

Also at least one of the imate smartphones out of box will allow the self signed CIEW certs the imate SP5m, pretty much allows you to drag and drop a cert on the device although I do agree it does depend on what the cell operator has locked down.

Conversly I have to say I do disagree with your assertion that the cell phones not supporting the self signed SBS certs to be better security going forward to be incorrect, self signed certs setup correctly and maintained properly particularly for small business represent a good tradeoff and between security and cost if that was not the case why did you guys allow us to create self signed certs in the first place. Also leads me to another question which is a bit cheeky after giving out, will we still have the self signed certs capability in the next version of SBS that you are working on.

Sean Daniel said...

Hey Mark,

I am not saying that having self-signed certificates in general is insecure. All I am saying that is if anyone can install a certificate on your device and get your ESN, then it's possible your device could be reconfigured over the air without your users knowledge! That's insecure and what we're trying to prevent against with Windows Mobile 5.0. I'm not going to go into the details publicly.

As for the next version of SBS, yes, we will continue to support self-signed certificates. We are hoping to take it to new levels to make it easier for you to manage the self-signed certificates we provide.

Hope this helps!

Anonymous said...

Hi Sean

You may want to feed back to the WM5 guys that the difficulty in installing self signed certs has caused at least one of my customers to choose Blackberry - a shame as this was for a large number of devices! PLEASE provide a WM 5 version of CertChk.exe


Sean Daniel said...

We are aware of the issue, but cannot fix it for WM5. The next version of WM already has the fixed included in it! :)

I'm not sure why someone would choose blackberry over WM5. If you have more than one user, WM5 with a trusted certificate is WAY cheaper than a blackberry solution as the server software for WM is already included with SBS and supports up to 75 users!

Blackberry only has a small business edition that does 1 user for free, but then you have to buy EXTRA CALs for any additional users.

WM is still way cheaper, considering you can get certificates for < $100/year

Sean Daniel said...

PS. Some WM 5 devices can work with the self-signed cert... Check out the Deploying WM5 whitepaper.

Also check out Susan Bradley's Post about which WM 5 devices to get for SBS:

Anonymous said...

Do you have an update as to whether self-signed certs can work with WM6, and if so what is needed to make it work ? I've been through everything on the "Deploying WM5" paper but the device says the cert isn't trusted (though it seems to install ok)

Sean Daniel said...

All Self-signed certificates should work with Windows Mobile 6. Windows Mobile 6 has two registry stores, one for your "user" certs and one for the certs it ships with. ActiveSync uses both stores, so any self-issued certificate works on Windows Mobile 6.

Anonymous said...

Who knows where to download XRumer 5.0 Palladium?
Help, please. All recommend this program to effectively advertise on the Internet, this is the best program!