User certificates have been something of an illusion when it comes to Windows Mobile. The feature has been around for a while, but there have been a few obstacles to implementing it. Granted, that’s partly because not everyone is comfortable setting up a CA, and possibly doesn’t need one either. Another obstacle is the general understanding of how Windows Mobile works. (Maybe there is a PKI guru in the company, but he doesn’t know what provisioning XML means, and the Windows Mobile guru doesn’t know how the CA works, and you’ve got things going.) Maybe I’m painting a dark picture, but I’m just saying it’s a possible obstacle. And there are of course many companies who are using certificates with success too, for that matter.
But the primary obstacle in my mind has been the requirement to tether your device to your computer and perform the enrollment process through ActiveSync. This bugs me for two reasons. If you’re deploying to 400 users who don’t have much of a concept of what a Windows Mobile device is, you get the added bonus of helping them with ActiveSync as well. Good luck with that. Not to mention that there are companies out there with policies requiring devices not to be connected to a computer. And do you really feel mobile when you’re killing a few moments in an airport hard resetting your device, and you need to bring out your laptop and pull up the VPN to get things going?
With SCMDM and Mobile VPN we finally have the tools to say “haha” to those who tether their devices. I thought I’d step through a couple of options you have in the certificate enrollment department.
But first things first. What do we need these certificates for? Well, the typical need would probably be authenticating your ActiveSync account with a client certificate, or against a line-of-business application, maybe WiFi authentication. No need to type in passwords on a daily basis, and with a good setup server side we’re talking decent security as well. Hey, if you’re reading this you’ve probably had some ideas about this already without me telling you 🙂
Nice, but doesn’t the SCMDM enrollment process place a certificate on your device? Yes, but this certificate is issued to the device and is a computer certificate. Sure, the AD object of the device is tied to a specific user, but its purpose is authenticating the device itself, not the user pushing the buttons on it.
While SCMDM creates a couple of certificate templates, it does not create one intended for users. So we can either make our own certificate template, or go for one of the other predefined templates on your CA. I’m probably going to create my own template, not necessarily because anything is wrong with the existing ones, but to highlight one as specific for usage on a mobile device. Let’s call it “Mobile User”. More about that later; it’s not needed for your garden variety enrollment scenario.
There are a couple of different options for how you actually enroll this certificate.
- Using the “CertSrv” web site on the CA.
- XML Provisioning.
- Program with a user interface prompting the user to perform an action.
- Program without a user interface (aka unattended enrollment).
I know that there’s an option to connect to ActiveSync/Windows Mobile Device Center and “Get Certificate”, but one of the main points here is how to avoid that 🙂
Let’s look a little closer into these options.
On your ordinary computer, using the web site on the CA (https://ca.domain.com/CertSrv) is a plausible option for enrolling for certificates. You’d think this was a viable option on your Windows Mobile device too. Well… On my W2K8 SP2 Beta CA the index page said that it was not viewable in a text-based browser. On my W2K3 CA I managed to get as far as the “Submit” button, but it still didn’t work. I got some cryptic errors, and that was it. According to Microsoft there is a patch to make things work. I tried it on my W2K8 box; apparently it was not intended for the SP2 Beta, since it said it did not apply to my system. At this point I realized that this option wasn’t really all that workable in the bigger picture, and moved on…
XML provisioning is a good alternative for testing. Using the following XML you can trigger an enrollment from the device with a minimum of fuss.
<wap-provisioningdoc>
  <characteristic type="CertificateEnroller">
    <!-- A unique template name on the device. -->
    <characteristic type="UserCertificate">
      <parm name="ServerName" value="ca.mobilitydojo.net" />
      <!-- This is the name of the template on the CA. -->
      <parm name="Template" value="user"/>
      <parm name="NoSSL" value="1" datatype="boolean"/>
      <!-- A GUID that must be unique on the device; replace the placeholder with your own. -->
      <parm name="CertificateTypeGUID" value="{REPLACE-WITH-YOUR-OWN-GUID}"/>
      <parm name="CertificateTypeFriendlyName" value="UserCertificate"/>
      <parm name="Username" value="username" />
      <parm name="Password" value="password" />
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
For all the details on the characteristics in this XML, MSDN is your friend.
You can either package it in a cab/cpf file and copy it to the device, or you can provision it via RapiConfig.exe. I used RapiConfig, as this is quite easy when in “debug” mode and allows for an output from the provisioning as well. It does require the device to be connected to a host computer through ActiveSync, but that’s ok as long as it’s still work in progress at this stage. When pressing the “Enter” key on the computer I’m prompted for the credentials on the device, and notified when the certificate is ready to install itself. If you include the password in the XML (which for obvious reasons is discouraged, mind you), you’ll get a silent install with no prompts.
If we are able to perform an enrollment through this method, we know everything is good on the CA side and that our chosen template works on our device as well. Still not very user-friendly though, and you don’t want to generate individual cab files that you send out to the users. So we need to step things up a notch before we can actually present something to your generic/average user.
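As an added example (not code from this post or from the enroller utility it describes), the following Python builds the CertificateEnroller provisioning document from the parm names used above and then reviews a document for the two weak settings discussed here: a cleartext Password and NoSSL=1. The function names are assumptions of mine; the wrapper elements follow the documented layout of the CSP.

```python
import xml.etree.ElementTree as ET

# Hypothetical helper names; the wrapper elements follow the CertificateEnroller
# CSP layout and the parm names are those used in the provisioning XML above.
def build_enrollment_xml(device_template, server, ca_template, friendly_name,
                         username=None, password=None, no_ssl=False):
    """Return a CertificateEnroller provisioning document as an XML string."""
    doc = ET.Element("wap-provisioningdoc")
    csp = ET.SubElement(doc, "characteristic", type="CertificateEnroller")
    tmpl = ET.SubElement(csp, "characteristic", type=device_template)
    ET.SubElement(tmpl, "parm", name="ServerName", value=server)
    ET.SubElement(tmpl, "parm", name="Template", value=ca_template)
    ET.SubElement(tmpl, "parm", name="CertificateTypeFriendlyName", value=friendly_name)
    if no_ssl:  # weak setting: enrollment traffic goes over plain HTTP
        ET.SubElement(tmpl, "parm", name="NoSSL", value="1", datatype="boolean")
    if username:
        ET.SubElement(tmpl, "parm", name="Username", value=username)
    if password:  # weak setting: a cleartext credential travels inside the cab/cpf
        ET.SubElement(tmpl, "parm", name="Password", value=password)
    return ET.tostring(doc, encoding="unicode")


def review_enrollment_xml(xml_text):
    """Return findings about settings that weaken an enrollment document."""
    findings = []
    root = ET.fromstring(xml_text)
    seen = set()
    path = "./characteristic[@type='CertificateEnroller']/characteristic"
    for tmpl in root.iterfind(path):
        name = tmpl.get("type")
        parms = {p.get("name"): p.get("value") for p in tmpl.iterfind("parm")}
        if name in seen:  # the template name must be unique on the device
            findings.append(f"{name}: template name reused; it must be unique on the device")
        seen.add(name)
        for required in ("ServerName", "Template"):
            if required not in parms:
                findings.append(f"{name}: missing required parm {required}")
        if "Password" in parms:
            findings.append(f"{name}: Password embedded in cleartext; ship the document "
                            "without it and let the device prompt for credentials")
        if parms.get("NoSSL") == "1":
            findings.append(f"{name}: NoSSL=1 sends enrollment credentials over plain HTTP; "
                            "use the CA's SSL endpoint")
    return findings
```

Running review_enrollment_xml over the document shown above reports both the embedded password and the NoSSL setting; the same document built without them passes clean.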
Program with GUI
On some devices this option is already included. For instance, on iPaqs HP has included a utility called “CertEnroll” where you input username, password and server address and the rest is done for you. (It uses the “User” template, and you don’t get to change this.) So by no means am I doing anything new here, but for completeness I’ve created a small utility that basically does the same as the XML code above. The server address you don’t have to enter, as the device already knows this as a result of the device enrollment process in SCMDM. That is, at the moment I can make a qualified guess as to what the address of your CA is, but in case I got it wrong you may change the address to the correct one. I can only guess the address if your device has been enrolled in SCMDM. (If you want to get technical, I query the contents of the MY/System certificate store and look into the details of the first certificate in the store. If you haven’t performed any other enrollments there is only one certificate here, which would be the device certificate.)
Just fill in the details, and press “Enroll”. Hopefully you’ll get a status telling you everything went ok. Be aware that the server address must match the subject name for the SSL certificate on the CA server.
That should cover the basics, shouldn’t it? At this time you might be asking a few questions however:
- This seems fair enough – where do I find the download link?
- Hey, you mentioned an application without any user interaction – where is it?
- Great – I’ve got a personal certificate on my device. Now what?
I’ll provide some input in the order listed 🙂
I have a few things to sort out in the certificate enroller above. I’ll just wrap it up in a nice little cab, and release in a couple of days. Not sure if I’ll make a WM Standard version as well (not much demand for Standard apps with the current devices).
As for the silent enroller: I’m working on it. I thought this article would be rather short and sweet, but it turned out to become more verbose than expected, so I realized it would probably be better to break it up into a two-parter. So why didn’t I call this “Part 1”? Well, you see… While I normally have most technical details ready when making a multi-parter, I’m still working on this one. Since unattended enrollment still requires some authentication and security mechanisms, I need to think things through and do some experiments. And I can’t actually promise what I’m able to deliver. (Yes, I am probably able to do a “hack”, but I want to make something that could actually be considered usable.) If something good comes out of it, I’ll be sure to keep you updated.
Just having a certificate on the device does nothing magic by itself I agree. I’ll be playing around doing some things here as well, and hope to return with something interesting at a later point in time. I get the feeling all the time that I’m not pushing out new content at a fast enough rate, but I guess it’s more important that I feel I have more things to be opining about 🙂