Picking the Right SSL Server Certificate for Windows Mobile

A lot of Enterprise Software for Mobile devices utilizes SSL for security.  SSL is the de facto choice because it can traverse NATs and routers whereas many VPNs cannot.

So, you’ll need to purchase an SSL certificate for your web server and any Windows Mobile clients should have the root of your SSL certificate in the device’s root certificate store.

The problem arises when the root certificate is not already in the device's root certificate store by default. You can add certificates to the root store (this got a lot easier in Windows Mobile 6.0), but doing so usually means either the user has to perform the task or a support tech has to "touch" the device. And if the device is cold reset, you have to do it all over again. It is much easier to use an SSL server certificate from a public Certificate Authority that chains to a root certificate already resident on the device.

Unfortunately, Windows Mobile has no root certificate updating service like the one included in Windows XP and Windows Vista. With Windows Mobile, you get the root certificates that were added when the image was built.

If you are using Windows Mobile 5.0 devices, you should generally avoid GoDaddy and Comodo root certificates. Here is a table showing which versions of Windows Mobile include which public CA certificates:

Windows Mobile Root Certificates

Another consideration is the use of wildcard certificates. As you probably already know if you are reading this, a wildcard certificate allows the use of a wildcarded DNS name prefix such as "*.acme.com". You can use the same SSL certificate for many different web servers that all have assigned DNS names ending in ".acme.com". It is important for SSL security that the server's Internet DNS name matches the subject name or a subject alternative name on the certificate. So, if you wildcard the prefix in the certificate, you can use one cert for a lot of servers.

Windows Mobile started supporting wildcard certificates in Windows Mobile 6.0. If you have Windows Mobile 5.0 devices, you should take a look at the offering from Digicert. They allow you to pre-populate the subject alternative name of the certificate with a list of server names. This ends up giving you something approaching wildcard certificate features. However, you do need to know the Internet DNS names of all the web servers you'll be using. See more details on the Digicert site. Note that Digicert is not shown on the list above because their certificates actually chain back to the Entrust root.
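As an added illustration (not code from the original post or from Microsoft), here is a small Python model of the two checks a Windows Mobile client effectively performs before trusting a server certificate: the chain must end at a root already in the device's store, and the server's DNS name must match the subject or a subject alternative name. The root store contents, chains and the `allow_wildcard` flag (modelling 5.0 versus 6.0 behaviour) are constructed sample data.

```python
# Added example, not from the original post. Certificate names, chains and
# the "device root store" below are constructed sample data, not real stores.

def hostname_matches(hostname, cert_names, allow_wildcard=True):
    """True if hostname matches one of the certificate's DNS names
    (subject CN or subject alt names). allow_wildcard=False models a
    client such as Windows Mobile 5.0 that does not understand '*.acme.com';
    6.0 and later accept it."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and allow_wildcard:
            # One wildcard label only: *.acme.com covers www.acme.com,
            # but not acme.com itself and not a.b.acme.com.
            suffix = name[1:]                          # ".acme.com"
            left = host[:-len(suffix)] if host.endswith(suffix) else None
            if left and "." not in left:
                return True
    return False


def chains_to_device_root(chain, device_roots):
    """chain: list of (subject, issuer) pairs from the server cert upward.
    device_roots: set of root subjects preloaded in the device root store.
    True once an issuer in the chain is a root the device already trusts."""
    expected_issuer = None
    for subject, issuer in chain:
        if expected_issuer is not None and subject != expected_issuer:
            return False                               # broken chain
        if issuer in device_roots:
            return True                                # reached a trusted root
        expected_issuer = issuer
    return False                                       # no preloaded root found


# Hypothetical root store of a 5.0 device (constructed, not a real image).
WM50_ROOTS = {"Entrust Root", "VeriSign Root"}
# Digicert-style chain ending at Entrust, as the post describes (constructed).
DIGICERT_CHAIN = [("www.acme.com", "DigiCert Intermediate"),
                  ("DigiCert Intermediate", "Entrust Root")]
# A chain whose root is absent from the 5.0 store (constructed).
GODADDY_CHAIN = [("www.acme.com", "Go Daddy Root")]

if __name__ == "__main__":
    print(chains_to_device_root(DIGICERT_CHAIN, WM50_ROOTS))              # True
    print(chains_to_device_root(GODADDY_CHAIN, WM50_ROOTS))               # False
    print(hostname_matches("www.acme.com", ["*.acme.com"], allow_wildcard=False))  # False
```

The last call shows why a wildcard cert alone does not help a 5.0 device, while a SAN list naming each server (the Digicert approach) matches with `allow_wildcard=False`.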

Dave Field, CISSP, MCP
Device Management and Security Architect
Enterprise Mobile, Inc.


The “Save Password” checkbox does not work in Mobile IE

Here is a little issue that I researched this week and I thought I’d share it on the blog.

PROBLEM: When accessing a website that is secured to use an NTLM authenticated password, the “Save Password” option does not work on Windows Mobile Pocket PCs and Smartphones.

Here are detailed steps that outline how to reproduce this problem using a Motorola/Symbol MC70 Pocket PC. Note that the test device was running Windows Mobile 5.0 AKU3.