posted 15/11/09

Smooth root certificate deployment for mobile devices

By Fredrik "DXter" Jonsson

One of the most common questions regarding root certificate distribution in an internal IT infrastructure is:

“How do we install it to our mobile devices?”

Active Directory is very good at automatically providing our domain members with the root certificate for our internal PKI (and if you have a two-tier PKI, you use group policies for the rest of the chain). But our mobile devices, such as cell phones or PDAs, do NOT get it automatically, since they are usually not members of the domain and therefore do not get the necessary group policies applied.

I have a cell phone with Windows Mobile 6.1 that I am very satisfied with. However, even if I am fully capable of installing our root certificate on my cell phone, I still want to deploy our root certificate in a good and easy way, since not everybody is as geeky as I am, or knows which exact store the certificate should be installed in. ;)


To be able to create a CAB file that installs our root certificate on our mobile devices, we first need to create an XML file called _setup.xml and fill it with the following content, using Notepad or your favorite text editor:


<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="ROOT">
<characteristic type="#THUMBPRINT">
<parm name="EncodedCertificate" value="#THEROOTCERTIFICATEASBASE64"/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>


This XML file needs two inputs: the root certificate's thumbprint, and the root certificate itself as a Base64-encoded text string.


Since I really like the certificate management that PowerShell provides, I use PowerShell to get the thumbprint of our root certificate with the command: Get-ChildItem cert:\CurrentUser\Root


In this example, I use the root certificate for ASCI, the company where I am employed. :)
I replace #THUMBPRINT with the actual thumbprint of our root certificate, which results in:


<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="ROOT">
<characteristic type="8651A074F15E0198B78DF13FEF230F8CFE253685">
<parm name="EncodedCertificate" value="#THEROOTCERTIFICATEASBASE64"/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>


Next, we need our root certificate in Base64 format, so that we can include it as a plain text string.

We open certmgr.msc and go to Trusted Root Certification Authorities. We right-click the certificate and choose All Tasks -> Export.


In the screen where we specify the format for our exported root certificate, we choose Base-64 encoded X.509 (.CER).


After we have specified the path for our exported root certificate, we can open the resulting file in Notepad (provided the certificate was exported as Base64), and it looks like this:


We remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and copy all the remaining text into our XML file, resulting in this:


<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="ROOT">
<characteristic type="8651A074F15E0198B78DF13FEF230F8CFE253685">
<parm name="EncodedCertificate" value="MIIDdTCCAl2gAwIBAgIQNc11bx1dq75MSUDtFDuvFjANBgkqhkiG9w0BAQUFADBB
[... remainder of the Base64-encoded certificate, elided here ...]
6NBokQibMYm7zPds72BjnTs9VuQQv1qcobJKnoUAm3DFF+hzpT8F+xFHt6IJG2cGMQHl9Q=="/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>


Save the XML file somewhere (I saved it on my desktop). Then we run the following command from that folder to create a CAB file from our XML:


makecab _setup.xml /L . root_ca.cab


Now we have our root certificate as a CAB file, which we can distribute like any other software package for our mobile devices. Of course, this package can also be installed just like any other "software", with a simple one-click installation on the device. :)
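As an added example (not code from the original post), here are the manual steps above collected into one PowerShell script: it reads the root certificate from the CurrentUser Root store by thumbprint, checks that it really is a self-signed CA certificate before it is pushed to devices as trusted, Base64-encodes the DER bytes directly (so there are no BEGIN/END lines to strip), writes _setup.xml with an XML writer, and calls makecab. The -Thumbprint and -OutDir parameters and the CA checks are my additions; makecab.exe is assumed to be on the PATH.

```powershell
# Added example: package a root CA from the certificate store as a
# Windows Mobile provisioning CAB (_setup.xml inside root_ca.cab).
param(
    # Hypothetical parameters: thumbprint of the root CA and the output folder
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$OutDir = "."
)
$OutDir = (Resolve-Path $OutDir).Path

# Same store the post reads with Get-ChildItem cert:\CurrentUser\Root
$cert = Get-ChildItem "Cert:\CurrentUser\Root\$Thumbprint" -ErrorAction Stop

# Sanity checks: only a self-signed CA certificate belongs in the ROOT store,
# since everything it has signed becomes trusted on the device.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate $Thumbprint is not self-signed; refusing to package it as a root."
}
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($bc -and -not $bc.CertificateAuthority) {
    throw "Certificate $Thumbprint is not marked as a CA in Basic Constraints."
}

# Base64 of the DER bytes: the same text as the exported .CER file minus the
# BEGIN/END lines and line breaks.
$b64 = [Convert]::ToBase64String($cert.RawData)

# Build the provisioning document with an XML writer so the thumbprint and
# certificate are escaped correctly instead of being pasted by hand.
$doc = New-Object System.Xml.XmlDocument
$root = $doc.AppendChild($doc.CreateElement("wap-provisioningdoc"))
$store = $root.AppendChild($doc.CreateElement("characteristic"))
$store.SetAttribute("type", "CertificateStore")
$rootStore = $store.AppendChild($doc.CreateElement("characteristic"))
$rootStore.SetAttribute("type", "ROOT")
$entry = $rootStore.AppendChild($doc.CreateElement("characteristic"))
$entry.SetAttribute("type", $cert.Thumbprint.ToUpperInvariant())
$parm = $entry.AppendChild($doc.CreateElement("parm"))
$parm.SetAttribute("name", "EncodedCertificate")
$parm.SetAttribute("value", $b64)

# The file must be named _setup.xml for the device to treat the CAB as a
# provisioning package.
$xmlPath = Join-Path $OutDir "_setup.xml"
$doc.Save($xmlPath)

# Same makecab invocation as in the post.
& makecab.exe $xmlPath /L $OutDir "root_ca.cab" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "makecab failed with exit code $LASTEXITCODE" }
Write-Host "Created $(Join-Path $OutDir 'root_ca.cab') for $($cert.Subject)"
```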


// Fredrik “DXter” Jonsson

Comments

[...] The guide can be found on two Swedish IT consultants' blog (Yes, I am Swedish – No, it's not me). I find it worrying how many posts include stuff I work with as well, including some info about my beloved WRT54GL that I am pondering swapping with something faster soon. The blog post about how to install root SSL certificates on Windows Mobiles, with a CAB setup file and a simple XML format, can be found here: http://poweradmin.se/blog/2009/11/15/smooth-root-certificate-deployment-for-mobile-devices/ [...]


[...] to distribute root certificates as exe files By Fredrik "DXter" Jonsson DXter, PKI In my post Smooth root certificate deployment for mobile devices I explained how to distribute your root certificates as .cab files for mobile devices. This post [...]
