I found that a colleague at work with a new O2 Xda mini was having the same issues as I had a month ago with my Orange C600: trying to add a ROOT certificate to a WM5 device once it has been upgraded to the MSFP/AKU2 standard, which raises the device's security to a higher level.
For disabling handset security on Orange Smartphones, visit this link, but be aware that if you have the C600 you will have to submit a request via email and await a reply with the security tool, which will be "hand-crafted" to your IMEI number.
So, in an effort to help him and others, I have compiled this post; please let me know if it helps or hinders.
Thanks ;-))
Here is an FAQ from MS explaining why the issue exists:
Q: What is required to install a new certificate to the ROOT store?
A: Adding ROOT certificates currently requires trusted code or manager access. On most Pocket PC devices this won't be a problem, but some Smartphone devices are deployed in a restricted configuration where this will be a problem.
Q: Okay, I have a restricted Smartphone device. What are my options for getting a root certificate on there?
A: In the general case, you will need a signed certificate installer. Some operators provide this tool. There's a more in-depth discussion of this issue at the blog post here.
Q: Does Windows Mobile support wildcard certificates?
A: Not in the current versions.
Q: Does the certchk tool work for disabling SSL validation for Exchange ActiveSync?
A: Not on Windows Mobile 5.0 devices. There is currently no workaround for this beyond adding the root certificate as described above, or disabling SSL altogether.
Next, if you are looking for a resolution for the SP5, have a look at the second post here at MoDaCo by Sidsmut; this is a pretty good effort.
1. Go to http://www.modaco.com/INFO_Decert_SIM_Unlo...50-t222786.html.
2. Download the HTC-signed "regeditSTG.zip" and move it to your smartphone. IMPORTANT: put it on the phone, not on a memory card; this was my first sticking point.
3. Extract the zip file using Explorer on the device (if it's a WM5 device).
4. Run the Regedit exe and follow the instructions on the page above for the registry changes to make. It was also suggested by a Microsofty a few posts down to change 00001017 (4119) to 144 (in the same part of the registry), although I'm not sure what each entry does. I did all three. :-)
5. Download SDA_ApplicationUnlock.exe from http://www.modaco.com/Motorola_MPx220_and_...0_app_locked..., connect the device, run this app, click "Unlock" or whatever, then restart the device.
6. Export the root certificate from the Certificate Authority in your domain (in DER format), copy it to the phone (again NOT the memory card) and simply run it from Explorer. Bob's yer uncle.
In case you don't know how to export the root cert, follow these instructions:
1. Run MMC on the CA server.
2. File, Add/Remove Snap-in.
3. Add..., select Certification Authority, and select Local Computer.
4. Finish, Close, OK.
5. In MMC, right-click the CA, select Properties. View Certificate, go to the Details tab, select Copy to File...
6. Next, make sure DER encoded binary is selected, Next, put something like "c:\rootcert".
7. Finish and you're done. Copy it to the phone, run it and you're done.
How can I add root certs to my Windows Mobile 5.0 device?
In WM 5.0, the certchk tool no longer works for disabling SSL certificate verification on the Exchange ActiveSync connection. What are the options for secure connections to the server?
- Buy an SSL certificate from a major vendor. You should be able to get one for < $100. If you do this, the connections will just work. Launchpad page to find an SSL cert vendor here.
- If you have management access to the device, you can add your self-signed cert to the ROOT store directly via rapiconfig, a CAB file, or the certinst.exe tool. This depends on the security configuration of the device. On a Pocket PC in the default configuration this will be possible, but on a default Smartphone, you cannot. In some cases you will need to add the intermediate certs as well. (details)
- Some OEMs or mobile operators provide certificate installers for their platform.
Advanced issues you might run into when trying to add your own SSL certificates to the device for browsing or Exchange ActiveSync (summary and discussion of the core problem here):
Some servers do not send down the entire certificate chain at the beginning of the SSL session. This is a configuration option on the server. Windows Mobile 5.0 devices do not have the ability to dynamically get the intermediate certificates. (big Windows can do this) A symptom of this is that you have added the root certificate for your site, but the browser on the device still isn't recognizing the certificate. To make this scenario work, you need to grab the intermediate certs (every cert except the first and the last) and add them to the device using the XML method previously discussed on this blog. When creating the XML for the intermediate certs, change the certificate store in the XML from "ROOT" to "CA". Another way to figure out if you have this problem is to check out the site in Firefox. Firefox doesn't chase down the intermediate certs either, so if it complains about the SSL connection then you probably have this problem.
The browser and the sync client use the same underlying APIs for SSL connections, so if the browser can make a secure connection to your site without prompting that the SSL connection is bad, then SSL is not the problem. It's easiest to use this method to isolate any SSL problems - once the browser can connect to your server then move on to troubleshooting the sync connection. (check Exchange server logs, etc.)
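As an added example (not code from the MS blog or from any tool named on this page), the following Python builds the XML-method provisioning document described above: given a chain of DER certificates in the order a server presents them (leaf first), it skips the leaf, places the intermediates under the "CA" store and the self-signed root under "ROOT", keyed by SHA-1 thumbprint as the CertificateStore provisioning format expects. The DER byte strings are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder byte strings standing in for DER-encoded
# certificates (leaf first, root last, the order a server sends the chain).
LEAF_DER = b"constructed-leaf-der"
INTERMEDIATE_DER = b"constructed-intermediate-der"
ROOT_DER = b"constructed-root-der"


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of the DER bytes, upper-case hex; store entries are keyed by it."""
    return hashlib.sha1(der).hexdigest().upper()


def assign_stores(chain):
    """Map each cert that needs provisioning to a WM5 certificate store.

    The leaf (chain[0]) is never provisioned. The last cert is the self-signed
    root and goes to ROOT; everything in between is an intermediate and goes to
    CA, which is the fix for servers that do not send their intermediates.
    """
    if len(chain) < 2:
        raise ValueError("chain must contain at least a leaf and a root")
    stores = {}
    for index, der in enumerate(chain[1:], start=1):
        store = "ROOT" if index == len(chain) - 1 else "CA"
        stores.setdefault(store, []).append(der)
    return stores


def build_provisioning_xml(chain) -> str:
    """Emit a wap-provisioningdoc for the CertificateStore CSP (rapiconfig input)."""
    doc = ET.Element("wap-provisioningdoc")
    cert_store = ET.SubElement(doc, "characteristic", type="CertificateStore")
    for store, ders in assign_stores(chain).items():
        store_node = ET.SubElement(cert_store, "characteristic", type=store)
        for der in ders:
            entry = ET.SubElement(store_node, "characteristic", type=thumbprint(der))
            ET.SubElement(entry, "parm", name="EncodedCertificate",
                          value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    print(build_provisioning_xml([LEAF_DER, INTERMEDIATE_DER, ROOT_DER]))
```

Feed the output to rapiconfig as you would any other provisioning XML; a two-certificate chain (leaf signed directly by the root) yields only a ROOT entry.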
Alert - Security permission was insufficient to update your device
from Bernt Lervik
If you're like me and just went out and bought the new i-mate SP5 (or QTek 8310), getting it up and synchronizing with Exchange 2003 sort of fails when you try to install a (private) root certificate.
This is because the default security settings on the SP5 prohibit such an action. Now, personally I'm all in favour of security, but if I can't install my own root certificate, how on earth will I get my phone to synchronize?
Here is how:
1) Download regeditSTG.zip (24.01 KB) (or regedtSTG.zip from Modaco.com, where I found it myself); this is a freeware registry editor made by PHM but digitally signed by HTC (the actual hardware maker behind the SP5 model).
2) Copy the zip file (don't unpack it) over to your phone using ActiveSync (or an SD card if you have that).
3) Unzip the file through the SP5's own File Explorer. If you unpack this file on your computer first, copying it over to your phone through ActiveSync will fail.
4) Start regeditSTG and navigate to the hive key HKLM\Security\Policies\Policies
5) Change the following three registry keys (hint: hit Values first)
a. 00001001 to 1 (was 2)
b. 00001005 to 40 (was 16)
c. 00001017 to 144 (was 128)
6) You can now double-click your .cer certificate. The import will now silently succeed.
7) To make sure that it worked, go to Start – Settings – Security – Certificates – Root – Moore and verify that your root certificate is installed.
8) Optionally, you can now set the registry back to its original settings; this will prevent future certificates from being installed, but we want that, don't we, Mr EveryoneFullControl?
Edit:
Added regeditSTG.zip as a direct download from my page. Kept the original link to Modaco as well.
The way I figure it is that if you've got this far, you're desperate, right? So if you have US-based Smartphones you may find these registry tools will let you in.
From MS's "How to add root certificates to Windows Mobile 2003 Smartphone and to Windows Mobile 2002 Smartphone":
These downloads were designed for earlier versions, but as they are *Security Signed and Certificated* applications from the carrier, the likelihood is that they should work.
Verizon Smartphones
Microsoft has worked with VerizonWireless to create a signed version of the SPAddCert.exe utility to run on VerizonWireless Windows Mobile Smartphones. Download the VZW_SPAddCert.exe file.
Sprint Smartphones
Microsoft has worked with Sprint PCS to create a signed version of this SPAddCert.exe utility to run on Sprint PCS Windows Mobile 2003 SmartPhones. Download the SPCS_signed_SPAddCert.exe file.
Microsoft has worked with Sprint to create a signed version of this SPAddCert.exe utility to run on Sprint iDEN Windows Mobile 2003 SmartPhones. Download the SprintIden_signed_SPAddCert.exe file.
Failing all of this, you could always resort to hacking the WM5 device. Advice available here: Hacking your Windows Mobile 5.0 Registry
Devin Ganger at 3Sharp blogged about the inability to add Root SSL certificates on some WM 5.0 devices, which is true. What isn't mentioned much of anywhere (you have to look around pretty hard) is that you actually can still disable Certificate Checking - you just can't use the old DisableCertChk tool from Windows Mobile 2003. Microsoft doesn't recommend this, but it's a necessary evil in some situations. Two that I can think of are:
1. Your company uses a Wildcard SSL Certificate. (i.e. *.company.com). Windows Mobile 5.0 (or any other version for that matter) does NOT support wildcard certs. Why, I'm not sure, but it doesn't.
2. You have a manufacturer locked device that prevents you from adding additional Root Certificates. Again, WHY a manufacturer would prevent folks from adding additional root certificates is beyond me, but it happens.