Managing Certificates for Application Testing

A.     Adding Test Certificates to the Certificate Store and Devices

You need toadd test certificates to the following:

Personalcertificate store on the computer used to develop applications

WindowsMobile-based device

You addcertificates to the device by using the RAPIConfig.exe application and aprovisioning .xml file.

To add thecertificates to the personal certificate store

For theprivileged certificate, open Windows Explorer and double-click theTestCert_Privileged.pfx file located at C:/Program Files/Windows CETools/wce500/<platform>/Tools.

Click Nextthree times. A password is not associated with this certificate.

Confirm that Automaticallyselect the certificate store based on the type of certificate is selected,and then click Next.

Click Finish.

For theunprivileged certificate, double-click the TestCert_UnPrivileged.pfx file locatedat C:/Program Files/Windows CE Tools/wce420/<platform>/Tools, and thenrepeat steps 2–4.

To add thecertificates to the device

Connect theWindows Mobile-based device to the computer using ActiveSync.

Open a commandprompt window, and change to the folder that contains the RAPIConfig.exeapplication and the sdktestcerts.xml file. The files are located at C:/ProgramFiles/Windows CE Tools/wce500/<platform>/Tools.

At the commandprompt, type RAPIConfig.exe /p sdktestcerts.xml, and thenpress ENTER.

B.     Determining the Security Configuration of the Device

If the device security configurationrequires signed binary files and the application binary files are unsigned, theapplication will not run. You can use provisioning XML and the SecurityPolicyConfiguration Service Provider to determine the security configuration of thedevice.

C.      Querying for Certificates Contained in the Device Certificate Store

If yourapplication fails to install or run, it may be signed with a certificate thatdoes not match any of the root certificates contained in the device certificatestore. You can use provisioning XML and the CertificateStoreConfiguration Service Provider to determine which certificates are contained inthe certificate store.

To queryfor certificates contained in the device certificate store

Create theprovisioning XML document.

Save the XMLdocument as an ASCII file.

Add the .xmlfile to an installation .cab file by doing the following:

Open a commandprompt window and change to the C:/Program Files/Windows CETools/wce500/Windows Mobile 5.0 Pocket PC SDK/ folder for Pocket PC, orC:/Program Files/Windows CE Tools/wce500/Windows Mobile 5.0 Smartphone SDK/folder for Smartphone.

Run themakecab.exe tool as follows:

For WindowsMobile-based Smartphones: makecab XML file name myprovxml.cab

For WindowsMobile-based Pocket PCs: makecab /D COMPRESS=OFF XML file namemyprovxml.cab

Note   /D COMPRESS=OFFturns off file compression, which Windows Mobile software for Pocket PCsrequires.

Sign the .cabfile using signtool.

D.    Signing Applications for Testing and Distribution

You sign .cab and binary files usingsigntool.exe. This will enable you to certify and distribute the applicationthrough the Microsoft Mobile2Market program.

E.      Importing and Exporting Test Certificates

a)      Installing the PVK Digital Certificate Files Importer

You can use the PVK Digital CertificateFile Importer tool for packaging import and export certificate files.

To download and install the PVK DigitalCertificate Files Importer

Download the PvkImprt.exe setup program,located at PVK Digital Certificate Files Importer.

Double-click the file.

Follow the instructions on the screen.

You can also use the command line toinstall for the application. The following example shows the syntax forinstalling from the command line.

pvkimprt [option]

The following table shows the command lineoptions for the installation.

Option

Description

/Q

Quiet mode for the installation package

/T:<full path>

Specifies a temporary working folder

/C

When used with the /T option, extracted for folder specified

/C:<Cmd>

Overrides the install command defined by author

b)     Importing Digital Certificate Files into the Personal CertificateStore

You can importthe digital certificate files (.cer or .spc file and a .pvk key pair file) intothe personal certificate store on a computer by running PVK Digital CertificateImporter (PvkImprt.exe) with the -IMPORT option.

To importthe digital certificate files into the Personal certificate store

Open a commandprompt window.

Type PVKIMPRT-IMPORT and the full path of the .cer or .spc file and a .pvk file.

The followingexample shows the syntax for using PvkImport.exe to import the .cer or .spcfile and a .pvk key pair file:

<fulldirectory path/>PvkImprt -import <full directory path/><.spc or.cer file> ,<full directory path/><.pvk file>

In thefollowing example, the TestCert_Privileged.cer and TestCert_Privileged.pvkfiles are imported:

C:/SDK/Tools/pvkimprt-import C:/SDK/Tools/TestCert_Privileged.cerC:/SDK/Tools/TestCert_Privileged.pvk

Click Next,and then select Place all certificates in the following store.

Click Finish.

The importwas successful messagedisplays.

To confirmthat the import was successful, view the certificate in the personalcertificate store.

 

 

c)      Packaging Digital Certificate Files for Export

You canpackage digital certificate files (.cer or .spc and .pvk) in a .pfx file. A.pfx file is encrypted according to the PKCS #12 standard and a single passwordhelps protect a .pfx file. Packaging enables you to back up the files andimport them into the personal certificate store on another computer.

Run thePvkImprt tool from the directory you installed it in, or supply the completepath to the install directory.

To packagedigital certificate files in a .pfx file for export

Open a commandprompt window.

Type PVKIMPRT-PFX and full path of the .cer or .spc file and a .pvk file.

The followingexample shows the syntax for packaging files in a .pfx file:

<Fulldirectory path/>pvkimprt -PFX <Full directory path/><.cer or .spcfile name> <Full directory path/><.pvk file name>

In thefollowing example, the TestCert_Privileged.cer and TestCert_Privileged.pvkfiles are packaged in a .pfx file:

pvkimprt -PFXc:/SDK/Tools/TestCert_Privileged.cer c:/SDK/Tools/TestCert_Privileged.pvk

Click Next.

Select Yes,export the private key, and then click Next.

Select Enablestrong protection, and then click Next.

Select PersonalInformation Exchange - PKCS#12 (.PFX).

Type thepassword you want to use to help protect the file, and then click Next.

Type the filename or click Browse to select the file, and then click Finish.

d)     Viewing Certificates in the Personal Certificate Store

You can useMicrosoft Internet Explorer to view certificates in the personal certificatestore.

To viewcertificates using Internet Explorer

Open InternetExplorer.

On the Toolsmenu, click Internet Options.

Click the Contenttab, and then click Certificates.

Click the Personaltab to view the certificates in the personal certificate store

You shouldhave access rights to the private keys of all certificates in the personalcertificate store. You can determine whether you have access rights to aprivate key by double-clicking a certificate to view the certificateinformation.

e)     Troubleshooting the PVK Digital Certificate Files Importer

Due to adifference in default key lengths between Microsoft® Windows® Millennium,Microsoft® Windows® XP and other versions of Windows, the PvkImprt.exe tool mayfail when used to import keys between Windows Millennium or Windows XP andother Windows platforms. You can solve this problem by doing the following:

UsePvkImprt.exe to export the .pvk and .spc or .cer files as type .pfx on aWindows platform that is the same as the one on which the keys were generated.For example, if the key pair was generated on a Windows Millennium or WindowsXP computer, perform the .pfx export on a Windows Millennium or Windows XPcomputer.

Once the keyshave been exported as type .pfx, they can be imported on any Windows platformusing a certificate import tool. For example you could import the files byusing the Certificate Import Wizard.