Enrolling Personal Certificates with SCMDM

User certificates have been something of an illusion on Windows Mobile. Support has been around for a while, but there have been a few obstacles to implementing it. Part of that is that not everyone is comfortable setting up a CA, and many don't require one either; part of it is the general understanding of how Windows Mobile works. (Maybe there is a PKI guru in the company, but he doesn't know what provisioning XML means, and the Windows Mobile guru doesn't know how the CA works, and there you have it.) Maybe I'm painting a dark picture, but I'm just saying it's a possible obstacle. And there are of course many companies using certificates with success too, for that matter.

But the primary obstacle in my mind has been the requirement to tether your device to a computer and perform the enrollment through ActiveSync. This bugs me for two reasons. If you're deploying to 400 users who don't have much of a concept of what a Windows Mobile device is, you get the added bonus of helping them with ActiveSync as well. Good luck with that. Not to mention that there are companies out there with policies requiring that devices not be connected to a computer. And do you really feel mobile when you're killing a few moments in an airport hard resetting your device, and you need to bring out your laptop and pull up VPN to get things going?

With SCMDM and Mobile VPN we finally have the tools to say "haha" to those who tether their devices. I thought I'd step through a couple of options you have in the certificate enrollment department.

But first things first. What do we need these certificates for? Well, the typical need would probably be authenticating your ActiveSync account with a client certificate, or against a line-of-business application, maybe WiFi authentication. No need to type in passwords on a daily basis, and with a good server-side setup we're talking decent security as well. Hey, if you're reading this you've probably had some ideas about this already without me telling you :)

Nice, but doesn't the SCMDM enrollment process place a certificate on your device? Yes, but this certificate is issued to the device and is a computer certificate. Sure, the AD object of the device is tied to a specific user, but its purpose is authenticating the device itself, not the user pushing the buttons on it.

While SCMDM creates a couple of certificate templates, it does not create one intended for users. So we could either make our own certificate template, or go for one of the other predefined templates on your CA. I'm probably going to create my own template; not that there's necessarily anything wrong with the existing ones, but to highlight one as specific to mobile devices. Let's call it "Mobile User". More about that later; it's not needed for your garden-variety enrollment scenario.

There are a couple of different options as far as to how you actually enroll this certificate.

  • Using the “CertSrv” web site on the CA.
  • XML Provisioning.
  • Program with a user interface prompting the user to perform an action.
  • Program without a user interface (aka unattended enrollment).

I know that there’s an option to connect to ActiveSync/Windows Mobile Device Center and “Get Certificate”, but one of the main points here is how to avoid that :)

Let’s look a little closer into these options.

CertSrv
On your ordinary computer, using the web site on the CA (https://ca.domain.com/CertSrv) is a plausible option for enrolling for certificates. You'd think this would be a viable option on your Windows Mobile device too. Well... On my W2K8 SP2 Beta CA the index page said it was not viewable in a text-based browser. On my W2K3 CA I got as far as the "Submit" button, but it still didn't work: some cryptic errors and no go. According to Microsoft there is a patch to make things work. I tried it on my W2K8 box; apparently it was not intended for the SP2 Beta, since it said it did not apply to my system. At this point I realized that this option wasn't really all that workable in the bigger picture, and moved on...

XML Provisioning
This is a good alternative for testing. Using the following XML you can trigger an enrollment from the device with a minimum of fuss.

<wap-provisioningdoc>
    <characteristic type="CertificateEnroller">
        <characteristic type="Configuration">
            <!-- The characteristic type is a friendly name that must be unique on the device. -->
            <characteristic type="UserCertificate">
                <parm name="ServerName" value="ca.mobilitydojo.net" />
                <!-- This is the name of the template on the CA. -->
                <parm name="Template" value="user"/>
                <!-- 1 = enroll over plain HTTP. A default enterprise CA only accepts SSL, so use 0 outside the lab. -->
                <parm name="NoSSL" value="1" datatype="boolean"/>
            </characteristic>
        </characteristic>
        <characteristic type="Operation">
            <characteristic type="Enroll">
                <!-- The characteristic type is an identifier (e.g. a GUID) that must be unique on the device. -->
                <characteristic type="1234567890">
                    <!-- Must match the Configuration entry above. -->
                    <parm name="CertificateTypeFriendlyName" value="UserCertificate"/>
                    <parm name="Username" value="username" />
                    <!-- Leave out the Password parm to have the user prompted for credentials on the device. -->
                    <parm name="Password" value="password" />
                </characteristic>
            </characteristic>
        </characteristic>
    </characteristic>
</wap-provisioningdoc>

For all the details on the characteristics in this XML, MSDN is your friend:

http://msdn.microsoft.com/en-us/library/bb737636.aspx

You can either package it in a cab/cpf file and copy it to the device, or you can provision it via RapiConfig.exe. I used RapiConfig as this is quite easy when in "debug" mode, and it gives you output from the provisioning as well. It does require the device to be connected to a host computer through ActiveSync, but that's ok as long as it's still work in progress at this stage. When I press the "Enter" key on the computer I'm prompted for the credentials on the device, and notified when the certificate is ready to install itself. If you include the password in the XML (which for obvious reasons is discouraged, mind you), you'll get a silent install with no prompts.

If we're able to perform an enrollment through this method we know everything is good on the CA side, and that our chosen template works on our device as well. It's still not very user-friendly though, and you don't want to generate individual cab files to send out to the users. So we need to step things up a notch before we can present something to the generic/average user.
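Since every test attempt needs a new unique operation identifier, and the password ideally stays out of the file, it is worth generating the document rather than hand-editing it. The following is an added example (not code from the original post or from DojoCert): it builds the same CertificateEnroller provisioning XML as above with a fresh UUID per document, and lints a document for the pitfalls that come up in the comment thread below (NoSSL=1 against a default enterprise CA, an IP address instead of the FQDN in the CA's SSL certificate, an embedded password, a friendly name with no matching Configuration entry, and curly quotes picked up when copying from a web page). Server, template and user names are placeholders; the rule set is my own reading of the post, not anything the device enforces.

```python
"""Build and sanity-check a CertificateEnroller provisioning document.

Added example; not from the original post. Host, template and user names
are placeholders. The lint rules encode pitfalls described in the post and
its comments, not checks the device itself performs.
"""
import ipaddress
import uuid
import xml.etree.ElementTree as ET


def build_enroll_doc(server, template, friendly_name="UserCertificate",
                     username=None, password=None, nossl=False):
    """Return a wap-provisioningdoc (as a string) that enrolls one user cert.

    A fresh UUID is used as the Operation/Enroll identifier on every call;
    the post notes it must be unique on the device and changed per attempt.
    Username/Password are optional: leave them out and the device prompts for
    credentials; embedding the password (discouraged) gives a silent enrollment.
    """
    root = ET.Element("wap-provisioningdoc")
    enroller = ET.SubElement(root, "characteristic", type="CertificateEnroller")

    config = ET.SubElement(enroller, "characteristic", type="Configuration")
    entry = ET.SubElement(config, "characteristic", type=friendly_name)
    ET.SubElement(entry, "parm", name="ServerName", value=server)
    ET.SubElement(entry, "parm", name="Template", value=template)
    ET.SubElement(entry, "parm", name="NoSSL", value="1" if nossl else "0",
                  datatype="boolean")

    operation = ET.SubElement(enroller, "characteristic", type="Operation")
    enroll = ET.SubElement(operation, "characteristic", type="Enroll")
    job = ET.SubElement(enroll, "characteristic", type=str(uuid.uuid4()))
    ET.SubElement(job, "parm", name="CertificateTypeFriendlyName",
                  value=friendly_name)
    if username:
        ET.SubElement(job, "parm", name="Username", value=username)
    if password:
        ET.SubElement(job, "parm", name="Password", value=password)
    return ET.tostring(root, encoding="unicode")


def _parms(node):
    """Map parm name -> value for one characteristic node."""
    return {p.get("name"): p.get("value") for p in node.findall("parm")}


def lint_enroll_doc(xml_text):
    """Return a list of findings; an empty list means the document looks sane."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Copy/paste from a web page often turns "" into curly quotes,
        # which the XML parser rejects as an invalid token.
        if any(ch in xml_text for ch in "\u201c\u201d\u2018\u2019"):
            return ["not well-formed XML: curly quotes found; retype them as straight quotes"]
        return ["not well-formed XML: %s" % exc]

    enroller = root.find("characteristic[@type='CertificateEnroller']")
    if enroller is None:
        return ["no CertificateEnroller characteristic"]

    configs = {}
    for c in enroller.findall("characteristic[@type='Configuration']/characteristic"):
        name = c.get("type")
        configs[name] = _parms(c)
        if configs[name].get("NoSSL") == "1":
            findings.append("%s: NoSSL=1 enrolls over plain HTTP; a default "
                            "enterprise CA rejects that, set NoSSL=0" % name)
        try:
            ipaddress.ip_address(configs[name].get("ServerName", ""))
            findings.append("%s: ServerName is an IP address; it must match the "
                            "subject name of the CA's SSL certificate, which is "
                            "normally an FQDN" % name)
        except ValueError:
            pass  # not an IP literal, fine

    seen_ids = set()
    for job in enroller.findall("characteristic[@type='Operation']/"
                                "characteristic[@type='Enroll']/characteristic"):
        job_id = job.get("type")
        if job_id in seen_ids:
            findings.append("%s: operation identifier reused" % job_id)
        seen_ids.add(job_id)
        parms = _parms(job)
        if parms.get("CertificateTypeFriendlyName") not in configs:
            findings.append("%s: CertificateTypeFriendlyName has no matching "
                            "Configuration entry" % job_id)
        if "Password" in parms:
            findings.append("%s: password embedded in the document" % job_id)
    return findings


if __name__ == "__main__":
    doc = build_enroll_doc("ca.mobilitydojo.net", "user", username="username")
    print(doc)
    print(lint_enroll_doc(doc) or "no findings")
```

Save the output as _setup.xml and run makecab on it, as described in the comment thread; regenerate the file (and so the identifier) for every attempt rather than reinstalling the same cab.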

Program with GUI

On some devices this option is already included. For instance, on iPaqs HP has included a utility called "CertEnroll" where you input username, password and server address and the rest is done for you. (It uses the "User" template, and you don't get to change this.) So by no means am I doing anything new here, but for completeness I've created a small utility that basically does the same as the XML above. You don't have to enter the server address, as the device already knows it as a result of the device enrollment process in SCMDM. That is, I can make a qualified guess as to what the address of your CA is, but in case I got it wrong you may change it to the correct one. I can only guess the address if your device has been enrolled in SCMDM. (If you want to get technical: I query the contents of the MY/System certificate store and look into the details of the first certificate in the store. If you haven't performed any other enrollments there is only one certificate here, which would be the device certificate.)

Just fill in the details and press "Enroll". Hopefully you'll get a status telling you everything went ok. Be aware that the server address must match the subject name of the SSL certificate on the CA server.

[Screenshot: DojoCertEnroll]

That should cover the basics shouldn’t it? At this time you might be asking a few questions however:

This seems fair enough – where do I find the download link?

Hey, you mentioned an application without any user interaction – where is it?

Great – I’ve got a personal certificate on my device. Now what?

I’ll provide some input in the order listed :)

I have a few things to sort out in the certificate enroller above. I'll just wrap it up in a nice little cab and release it in a couple of days. Not sure if I'll make a WM Standard version as well (not much demand for Standard apps with the current devices).

As for the silent enroller: I'm working on it. I thought this article would be rather short and sweet, but it turned out to become more verbose than expected, so I realized it would probably be better to break it up into a two-parter. So why didn't I call this "Part 1"? Well, you see... While I normally have most technical details ready when making a multi-parter, I'm still working on this one. Since unattended enrollment still requires some authentication and security mechanisms I need to think things through and do some experiments, and I can't actually promise what I'll be able to deliver. (Yes, I'm probably able to do a "hack", but I want to make something that could actually be considered usable.) If something good comes out of it, I'll be sure to keep you updated.

Just having a certificate on the device does nothing magic by itself, I agree. I'll be playing around with some things here as well, and hope to return with something interesting at a later point in time. I get the feeling all the time that I'm not pushing out new content at a fast enough rate, but I guess it's more important that I feel I have things worth opining about :)

15 Responses to “Enrolling Personal Certificates with SCMDM”

  1. Hi Andreas!

    Have you made any progress with the application? Let me know if you need any help with testing. It would be nice to get a copy of the tool.

    Br,
    Karl-Johan

  2. Not sure what you mean. I released the DojoCert app that there’s a screenshot of above a few days later:
    http://mobilitydojo.net/2009/03/11/dojocert-certificate-enroller/
    I have not created a silent enroller yet though. I’ve also tinkered with the idea of combining it with a utility that will configure ActiveSync at the same time, but haven’t gotten around to that yet either.

  3. Alex

    Hi, Andreas!
    I just tried your tool and got an error in its status:

    “Enrollment failed. Please check \Windows\logfiles\…”

    In the log I had the following message:

    “Windows Mobile Certificate Enrollment Log
    Date: 2009-11-02
    Time: 15:43:37Z
    Device Name: WM61BL
    Domain\Username: (null)
    Certificate Type Friendly Name: User
    CA Server: MOBILE-DC.MOBILE.LOCAL
    Template: User
    Request Page path/name: /certsrv/certfnsh.asp
    Pickup Page path/name: /certsrv/certnew.p7b
    RequestID For Enrollment: (null)
    Enrollment or Renewal: Enrollment
    Desktop Initiated: No
    Silent Enrollment: Yes
    Status Upon Completion: Failed
    Error Code: 0x80072EFD”

    What does it mean? Can you help me to solve this issue?
    All areas were filled, all routes are correct, VPN works fine.

    P.S.
    Sorry for my English :)

  4. We all love those errors that start with 0x-something :)

    First thing I would check is on the device:
    - Is it able to resolve the DNS address of the CA?
    - Have you installed the root CA certificate so the CA is trusted?
    - Any other connectivity issues?

    Maybe you have already checked all of these, but I still mention them.

    The CA will also return error codes starting with 0x8 if for some reason it does not like your request. Take a look in the CA logs (Failed requests in the MMC console) – if the device was able to submit the request you might get a clue here.

    If none of those suggestions work out – let me know, then I’ll have to do some more thinking :)

  5. Alex

    Thank you, Andreas!
    About your questions:

    - Is it able to resolve the DNS address of the CA?
    Yes, I tested it by ping. Name resolution is fine.

    - Have you installed the root CA certificate so the CA is trusted?
    My device was enrolled by SCMDM, so the root certificate got onto the device automatically – or am I wrong? In any case, I can see it in the root certificates tab.

    - Any other connectivity issues?
    No, there are no connectivity issues.

    - Take a look in the CA logs
    I will be in the office tomorrow and then I will look through the logs on the CA and write here about any results.

    P.S.
    I tried to make the xml, pack it into a cab and install it on my device, but it doesn't work. Can you explain a little more about the xml? I need to make the user certificate installation automatic, but nothing I tried worked – maybe you can give some links to help me? But I don't know anything about OMA CP & OMA DM.

  6. SCMDM SP1 will provision the root certificate during enrollment, but will remove it on the first application of group policies if you haven't included the root cert for distribution as part of the policy. If you can see the certificate listed on the device you should be ok though.

    The next part then is definitely looking at the CA to see if there’s any clues there.

    You don’t need to know anything about OMA CP/DM to work with the xml above. If you manage to pack the xml into a cab/cpf file it should work. Are you getting any error on the device (other than “installation unsuccessful”)? You could try removing username/password from the xml as I have seen issues doing silent enrollments with the xml. The user will then be prompted to enter credentials when the xml executes. (Haven’t got my own source code accessible right now, but I believe I had to include a silent parameter when the user isn’t prompted for credentials.)

  7. Alex

    Andreas, thanks for your help, but there is no progress.
    I looked through the logs and didn't find anything interesting. After this I created a new .xml file without the username and password keys, made a .cab file with makecab.exe and tried to install it on the device. The only thing I get is the message "installation unsuccessful". No other errors or requests (like name, password). Maybe you can recommend any step-by-step guides about .xml creation.

  8. Alex

    P.S.
    I tried to enroll a certificate from the device using the xml described here:

    http://bansky.net/blog/2008/11/enrolling-user-certificate-into-windows-mobile-over-the-air/

    and made changes to IE on the device using the following xml:

    But none of them work :( The CABs were made by makecab and signed by the EM CAB Signing Utility. The root certificate is installed on the device. Where could I have made a mistake?

  9. Alex

    Sorry, the xml code was filtered, so I'll copy it one more time, but without "more than" & "less than"

    <wap-provisioningdoc>
        <characteristic type="BrowserFavorite">
            <characteristic type="MSN Search">
                <parm name="URL" value="http://search.msn.com/"/>
            </characteristic>
        </characteristic>
    </wap-provisioningdoc>

  10. The XML from bansky.net is ok, but keep in mind a few things:
    - The quote characters ("") are often corrupted into a very similar quote sign when copying from a webpage to notepad. Make sure you have the correct quotes.
    - The xml file should be called _setup.xml before you run makecab on it.
    - When “NoSSL” is set to 1 the device will attempt to enroll over plain HTTP. A default install of an enterprise CA will not let you enroll without SSL. (Set NoSSL = 0.)
    - You need to change the guid in the xml (and thus rebuild the cab) for each attempt.

    I tested creating a cab like this, and it worked.

    I was able to replicate your error with my own utility. If I try to enroll without the root certificate installed on my device I get the same error code.

    After installing the root certificate it worked with both methods. If you have the root cert available as a .cer file I would recommend copying to the device and run it just to be sure.

  11. Alex

    Many thanks for your help, Andreas! It’s very important for me.

    I can't make new tests right now, but I can see some of my mistakes:
    1. My xml's name was not _setup.xml before I started making the cab
    2. I only tried to enroll the certificate with NoSSL = 1
    3. I think it would be better to reimport the root certificate to the device

    Tomorrow I will try again and write here about my results.

  12. Alex

    Andreas,
    Today I renamed my .xml to _setup.xml as you wrote and now it works fine.
    After that I cleared my device by hard reset, installed the root certificate and your utility, tried to get a user certificate with DojoCert and received an error :(
    Can you answer some of my questions:
    1. Username – should it be only the username, or domain\username, or username@domain?
    2. Server – must it be an FQDN, or is an IP correct too? In the xml an IP is acceptable.
    3. Does your tool by default work without SSL – I mean "NoSSL = 1"?

    And thank you for your help one more time… :)

    Alex

  13. Progress – that’s good.

    1. This would be dependent on your AD setup – it should probably work with all the formats you listed. You can check by opening https://ca-fqdn/certsrv in the browser on your desktop; you'll be prompted to authenticate. This would also flag any SSL errors.
    2. Server can be either FQDN or IP, but make sure it matches the common name in your certificate. Usually SSL certificates aren’t issued to IP so FQDN is probably your best bet. Make sure the address is resolvable by the device.
    3. My tool assumes you are using SSL. (NoSSL = 0)

    Since it works building the xml, and my tool basically does the same thing, I’m not sure what it is. The settings you type into the xml are the same you should use in DojoCert. So the only difference is that SSL is optional in the XML.

  14. Alex

    Hi, Andreas.
    I found the trouble – my CA wasn't set up to work with SSL. After I enabled SSL and enrolled a certificate for the web server your tool works fine. Thank you for your help.

    P.S.
    Maybe you can add an additional switch in DojoCert for using SSL?

  15. Then you’re ready to roll :)

    It’s no problem adding an option for disabling SSL. Obviously recommended to use SSL, but for debug purposes it could be useful.

    I’ll add a checkbox and build a new version – hope to have it online later today or tomorrow.
