Using S/MIME Signed/Encrypted Email with a Windows Mobile Device


S/MIME support for Exchange ActiveSync (EAS) version 2.5 was introduced in Exchange 2003 Service Pack 2 (SP2) and Windows Mobile 5 (WM5) devices.  In Exchange 2007 SP1, we are adding S/MIME support for EAS versions 2.5, 12.0 and 12.1.  While working on the EAS S/MIME implementation, I was asked how users could enable their devices to work with S/MIME.  Below I have provided some simple end-to-end steps that show how to use S/MIME on a Windows Mobile device.

1.       Where can I get an email certificate?

There are several services issuing email certificates (e.g. Comodo, VeriSign).  The choice of certificate authority is up to the user, though Comodo currently provides a free email certificate without a trial-period expiration.

· Comodo: http://www.comodo.com/products/certificate_services/email_certificate.html

· VeriSign: https://digitalid.verisign.com/cgi-bin/OEenroll.exe?name=&email=

 

2.       Export the certificate with a private key

Once you have requested an email certificate from a certificate authority (e.g. Comodo), you will receive an email explaining how to obtain and install the certificate on your local machine.  After the installation, you can export the certificate with its private key and put it onto your device.  This is required for viewing encrypted messages and signing outgoing messages from the mobile device.

Here are the steps:

a.       Open the certificate management console snap-in on your local machine

For Vista:

1. Press the Windows logo button on your start bar

2. Type MMC in the Start Search box and press enter

          You may be prompted for permissions to run the Microsoft Management Console (MMC).  If so, select Continue

3. Select File from the menu bar of the management console that appears

4. Select Add/Remove Snap-in from the drop down list

5. Select Certificate

6. Press the Add > button

7. Make sure the radio button “My user account” is selected and press the Finish button

8. Press the OK Button on the Add or Remove Snap-Ins window

For Win 2K, Win XP, Win 2K3:

1. Press Start

2. Click on Run…

3. Type MMC in the run dialog that appears and press enter

4. Select File from the menu bar of the Management Console that appears

5. Select Add/Remove Snap-in from the drop down list

6. Select Certificate

7. Press the Add > button

8. Make sure the radio button “My user account” is selected and press the Finish button

9. Press the OK button on the Add or Remove Snap-Ins window

b.      Export your private key

1. In the MMC console (which you opened in section a), left-click Certificates under Console Root > Certificates - Current User > Personal

2. Right click the certificate you acquired from your certificate authority

3. Select All Tasks > Export…

4. An export wizard will appear; select the radio button that says “Yes, export the private key” and press the Next > button

5. Do not check any items on the next screen (only the “Personal Information Exchange” radio button should be selected) and press the Next > button

6. Type a password in the Password field, confirm it by retyping the same password in the Type and confirm password (mandatory) field, and press the Next > button

7. Enter a file name for your .pfx in the File Name: field and press the Next > button

8. Press the Finish button on the final screen of the wizard

9. Press OK on the confirmation dialog that your certificate was exported successfully

 

3.       Import the .pfx certificate on your Windows Mobile device

Below is a simple way to take your exported certificate and install it on your Windows Mobile device.

a.       If you are using a Windows Mobile 6 (WM6) device

1. Send yourself an email with the .pfx certificate as an attachment

2. When you receive the email with the attached certificate, open it

3. Select the certificate attachment; the certificate will be imported automatically (you will be prompted to type in the password you used to export the certificate)

b.      If you are using a Windows Mobile 5 (WM5) device

1. You need a tool to import the certificate.  For this document we will use a tool called pfximport.  This tool is available at http://www.jacco2.dds.nl/networking/pfximprt.html

2. Send yourself an email with the pfximport tool and your .pfx file attached

3. Sync down the email

4. Save the .pfx file and the tool to a location on your device

5. Navigate on your device (using your file explorer) to the directory where you saved pfximport and the .pfx file.

6. Run the pfximport tool and import the cert (you need to type in the password)

Alternatively, you can cradle your device and copy the certificate onto it from your local machine, but this requires the desktop Microsoft ActiveSync software.

 

4.       Verify the certificate has been imported properly

On Windows Mobile 5 and 6 Standard (usually non-touchscreen) devices, select Start > Settings > Security > Certificates > Personal > <select the certificate you just exported and view its details>

On Windows Mobile 5 and 6 Professional (usually touchscreen) devices, go to Settings > System > Certificates > <click the cert and look at the details>
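Before copying the .pfx from step 2 to the device, it is worth checking it on the desktop with a short PowerShell script. The script below is an added example and is not part of the original post or of any Microsoft tool; it opens the .pfx with the .NET X509Certificate2 class and reports the things that otherwise only surface as errors on the device, including the "usable for Secure Email" point raised in the comments. The file path and the expected mailbox address are assumed values; the script prompts for the export password.

```powershell
# Added example, not part of the original post: check an exported .pfx on the desktop before it
# goes to the device. $PfxPath and $ExpectedEmail are assumed values; change them to your own.
param(
    [string]$PfxPath       = 'C:\Users\me\Documents\smime.pfx',  # assumed: file written in step 2
    [string]$ExpectedEmail = 'me@example.com'                    # assumed: mailbox the device syncs
)
$password = Read-Host -Prompt "Password chosen when exporting $PfxPath" -AsSecureString
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $password, $flags
$problems = @()

# 1. The private key must have travelled with the certificate ("Yes, export the private key" in step 2b).
if (-not $cert.HasPrivateKey) { $problems += 'no private key in the .pfx; re-export and choose "Yes, export the private key"' }

# 2. The certificate must be within its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "not valid now (valid from $($cert.NotBefore) to $($cert.NotAfter))"
}

# 3. Extended Key Usage should list Secure Email (id-kp-emailProtection, 1.3.6.1.5.5.7.3.4); a certificate
#    issued for another purpose is the usual cause of "you do not have a certificate for sending signed email".
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt) {
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.4') { $problems += 'Extended Key Usage does not include Secure Email' }
} else {
    $problems += 'no Extended Key Usage extension; ask the CA for a certificate issued for Secure Email'
}

# 4. Key Usage bits: signing needs digitalSignature; receiving RSA-encrypted mail needs keyEncipherment.
$kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
if ($kuExt) {
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    if (([int]($kuExt.KeyUsages -band $kuFlags::DigitalSignature)) -eq 0) { $problems += 'Key Usage lacks digitalSignature (cannot sign)' }
    if (([int]($kuExt.KeyUsages -band $kuFlags::KeyEncipherment)) -eq 0) { $problems += 'Key Usage lacks keyEncipherment (cannot decrypt)' }
}

# 5. The address in the certificate must match the mailbox, or recipients see a signer/sender mismatch.
$certEmail = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
if ($certEmail -ne $ExpectedEmail) { $problems += "certificate is issued to '$certEmail', expected '$ExpectedEmail'" }

# 6. The chain must build to a trusted root here; the device needs the same issuing CA in its store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}
if ($problems.Count -eq 0) { "OK: $($cert.Subject) is usable for S/MIME" } else { $problems | ForEach-Object { "PROBLEM: $_" } }
```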

 

 

5.       Sync S/MIME encrypted email

After installing the certificate on your device, you can start to sync and view encrypted messages.  If you use a Windows Mobile 6 device, there is a small chance that your device won’t support S/MIME (all WM5 devices can use S/MIME).  Below are the steps to check whether you can use S/MIME on your device:

1.       Press Start

2.       Select Settings

3.       Select About (this may not be on the first screen of options)

4.       Look at the build number. If the build number is above 17740 (e.g. Build 17742.0.2.1), you can use S/MIME on your WM6 device

 

6.       Validate a certificate on an email

1.       Open a signed email

2.       Select the “View signature status” link to open the Signature Information page

3.       Check the certificate by pressing Menu and selecting “Check Certificate” (this makes the device validate the certificate against the server; the result of the check is displayed in the Signature Status field)

7.       Sending an S/MIME encrypted email

To send an S/MIME signed/encrypted email, you will need to turn email encryption on for your device. 

Windows Mobile 5 & 6 Standard (usually non-touchscreen devices)

1.       Press Start

2.       Select ActiveSync

3.       Press Menu

4.       Select Options (note: This will be grayed out if your device is connected to your desktop via a USB cable)

5.       Highlight Email

6.       Press Settings

7.       Press Menu

8.       Select Advanced

9.       Check the Encrypt messages and/or Sign messages checkboxes

10.   Press Done

Windows Mobile 5 & 6 Professional (usually touchscreen devices)

1.       Select Start

2.       Select ActiveSync

3.       Press Menu

4.       Select Options…

5.       Select Email

6.       Press Settings…

7.       Select Advanced…

8.       Check Encrypt all outgoing e-mail messages and/or Sign all outgoing e-mail messages

9.       Press OK

All the messages sent from this device will now be signed and/or encrypted.

Note: To send an encrypted message, the recipient’s public certificate needs to be available.  It can be acquired in two ways:

1.       After receiving a signed message from the recipient, add him/her to your contacts, together with his/her certificate, using Outlook.

2.       The recipient publishes his/her certificate to the Global Address List (GAL) on the Exchange Server that you sync with.  You can publish your certificate to the GAL through Outlook 2007 by doing the following:

1)      Open Outlook 2007

2)      Select Tools

3)      Select Trust Center…

4)      Click on Email Security 

5)      Push the Publish to GAL… button

– James Chen, Adam Glick


Comments (15)
  1. Edward, Song says:

    Thanks Exchange!!

    And, can we use the Microsoft Windows CA solution? I think that it’s possible!

  2. james says:

    Yes

  3. Dick Fung says:

    Thanks! However, can it be used in an Exchange 2003 and WM5 environment without using S/MIME?

  4. aaronmarks says:

    I have been trying to do this for a few weeks now with my HTC 8525 that is running 17745.0.2.3, but I keep running into the problem that the certificate options are greyed out.

    After selecting my certificate in the ActiveSync setup and then clicking select, I get taken right back to the security options screen where "Encrypt all outgoing e-mail messages" and "Sign all outgoing e-mail messages" are greyed out.

    I have two 8525’s running the same firmware, and I have had this problem on both and can’t figure it out for the life of me.  Is it possible that the build of WM6 that I’m using is missing some certificate extensions, or something along those lines?

    Thank you, looking forward to your response.

  5. james says:

    The EAS SMIME support was added in E2k7 SP1.  If you are syncing against a CAS server with E2K7 RTM or an earlier version of the SP1 beta bits, the two check-boxes will be greyed out. You can check your CAS version by going to:  OWA -> Options -> About -> Microsoft Exchange Client Access server version.  The full EAS SMIME support should be available after build 08.01.0122.

  6. Jacco says:

    I am the author of the certificate import tool referenced in this article. I’m glad to see there is finally some documentation from Microsoft. Of course, most of this info has already been independently researched by me (see link above).

    Sadly, this blog entry fails to mention that WM5.0 is almost useless for S/MIME because it uses weak crypto. For more details, see my webpage.

  7. aaronmarks says:

    James, thanks for the follow-up.  I missed the part before where you stated that it was being introduced in SP1, but now this makes much more sense.

    I’m really excited for a the production build of SP1, good luck to all of you guys working on it!

  8. Ralf says:

    Sadly, the ROMs delivered with the Windows Mobile 6 SDK (Windows Mobile 6 Professional Images (GER).msi) are build 17740.0.2.0, so it’s impossible to test S/MIME. I can’t decrypt mails on the mobile device emulator, everything else seems to work. No problems opening these Mails in Outlook.

    Is there a chance to get working Images?

  9. james says:

    Ralf,  from my talk to WM folks, SMIME should be supported after 17735 (17742 is for AKU).  So, the 17740 emulator should already be able to handle SMIME.  Did you check if your CAS server is recent enough?  

  10. Ralf says:

    James,

    Sorry, I am not sure if I’m getting this right …

    I am using Exchange 2003 SP2 with all recent changes. Does this mean I need Exchange 2007 to use S/MIME with Windows Mobile 6?

  11. mike says:

    Ralf:

    WM 6 will work with Exchange 2003 SP2.  WM 6 will not work with Exchange 2007 SP1, b/c there was an issue with how the device was interacting with the S/MIME functionality in Exchange 2007 SP1.  As a result, the WM team made the necessary fixes in the upcoming WM 6.1 version, so with Exchange 2007 SP1, you will need the updated WM 6.1.

    Hope that helps clarify things.

  12. Peter says:

    Is Exchange required to use S/MIME?  I work at a security company and we exchange a lot of encrypted email.  My main reason for staying away from a Windows Mobile Smartphone was that I can’t read half my email with it.  We don’t have Exchange (our email is outsourced) but we are comfortable with importing certificates.  If I just set up a plain IMAP account on the WM device, will I be able to decrypt my email messages?

  13. Andrew Becherer says:

    I imported my certificate (with private key) using pfximprt. The certificate showed up in Settings>Certificates. When I attempt to send an email I get the message:

    "The message cannot be signed because you do not have a certificate for sending signed email. Insert a smart card with the certificate."

    Any suggestions?

  14. james says:

    Pls make sure the cert can be used for Secure Email.

  15. Marcus says:

    Is it still not possible to use S/MIME with anything else than MS-servers?

    I’d like to use my certificate to encrypt outgoing gmail IMAP emails, but that seems to be impossible with Windows Mobile. :@
