Generating and Installing an SSL Client Certificate to a Windows Mobile Device (Pocket PC/Smartphone)

To use a client cert from an Exchange OWA server that your mobile device does not trust, follow these directions.

1. Go to the OWA website, e.g. https://mail.consoto.com
   - In IE 6 you will see a lock symbol in the lower right-hand corner indicating that the site is SSL secured. Double-click on it.
   - In IE 7 the lock is on the address bar in the upper right-hand corner.
   You may also get a prompt warning about the site's certificate instead.
2. Click on View Certificate.
3. Click on Details.
4. Click on Copy to File.
5. Click Next.
6. Choose DER encoded binary X.509 (.CER).
7. Click Next.
8. Type a file name, e.g. C:\cllientcert.cer
9. Click Finish.

You now have a .cer file located at C:\cllientcert.cer.

To install the file on the device:

1. Copy the file to an SD card, or copy it to the device via ActiveSync.
2. Use the on-device file viewer to find cllientcert.cer.
3. Double-tap the .cer file on the device to install it.

Advanced issues you might run into when adding your own SSL certificates to the device for browsing or Exchange ActiveSync:

Some servers do not send down the entire certificate chain at the beginning of the SSL session. This is a configuration option on the server. Windows Mobile 5.0 devices cannot dynamically fetch the missing intermediate certificates (desktop Windows can). A symptom of this is that you have added the root certificate for your site, but the browser on the device still does not recognize the site's certificate. To make this scenario work, you need to grab the intermediate certs and add them to the device using the XML method previously discussed.
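The intermediate certs you have to install by hand are the ones a correctly configured server includes in the chain it sends. As an added example (not code from the original article), the Python script below takes a saved PEM chain such as the one `openssl s_client -connect mail.consoto.com:443 -showcerts` prints, reports whether the server sent any intermediates at all, and writes each one as a DER-encoded .cer file the device can import. The host name and the certificate bytes in the sample are placeholders.

```python
"""Split a PEM chain (e.g. what ``openssl s_client -connect
mail.consoto.com:443 -showcerts`` prints) into DER .cer files Windows Mobile
can import, and flag a server that sends no intermediate certificates.
Added example, not code from the original article; the sample "certificates"
are constructed placeholder bytes, not real X.509 data."""
import base64
import re
from pathlib import Path

# One PEM block per certificate; DOTALL lets the base64 body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text: str) -> list[bytes]:
    """DER bytes of each certificate, in the order sent; with s_client
    output, index 0 is the server (leaf) certificate."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]

def intermediates(pem_text: str) -> list[bytes]:
    """Everything after the leaf: the certs a Windows Mobile 5.0 device cannot
    fetch by itself. Empty means the server sends only its own certificate
    (the symptom described above); get the intermediates from the CA then."""
    return pem_to_der_list(pem_text)[1:]

def write_cer_files(pem_text: str, out_dir) -> list[Path]:
    """Write intermediate<N>.cer (DER) per intermediate and return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for n, der in enumerate(intermediates(pem_text), start=1):
        path = out / f"intermediate{n}.cer"
        path.write_bytes(der)
        written.append(path)
    return written

def _fake_pem(payload: bytes) -> str:
    """Constructed PEM wrapper around placeholder bytes (not a real cert)."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed samples: a server sending the full chain, and one sending
# only its own certificate (the misconfiguration the article warns about).
FULL_CHAIN = _fake_pem(b"leaf placeholder") + _fake_pem(b"intermediate placeholder")
LEAF_ONLY = _fake_pem(b"leaf placeholder")

if __name__ == "__main__":
    for name, chain in (("full chain", FULL_CHAIN), ("leaf only", LEAF_ONLY)):
        print(f"{name}: {len(intermediates(chain))} intermediate cert(s) to install")
```

If the server also sends the root, it is written out as the last intermediate<N>.cer; installing a root the device already trusts is harmless.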

The browser and the sync client use the same underlying APIs for SSL connections, so if the browser can make a secure connection to your site without warning that the SSL connection is bad, then SSL is not the problem. Checking with the browser first is the easiest way to isolate SSL problems.