Problem solve Get help with specific problems with your technologies, process and projects.

Adding self-signed root certificates to Windows mobile devices

Learn how you can avoid the cost of third-party SSL certificates by turning a self-assigned root certificate into a .CAB file that you can deploy to your Windows mobile devices.

Generating self-signed SSL encryption certificates is one way to beat the high cost of third-party SSL certificates, which can run as much as $100 a year.

If you're a small shop and you don't think you need to have third-party certificates generated for you, you can always create one yourself by setting up Certificate Services and fulfilling a certificate request from yourself.

The process has been fairly well documented for creating a self-signed certificate to use on a server. (See the article, SSL-enabling OWA 2003 using your own certificate authority.) But what if you want to take your self-signed root certificate and manually add it to one or more mobile devices?

There are a few ways to do this, although they all require management access to the mobile devices. One particularly interesting way is to take the root certificate, turn it into a .CAB file, and then deploy it to the mobile devices.

Some types of management systems (such as OTA or "over-the-air") will only deploy .CAB files., and Installing certificates via .CAB files may work if you're trying to add the certificate to a store on the mobile device other than the root store.

The full technique has been published on the Windows Mobile Team Blog:, How to add your own root cert via CAB file. There aren't a lot of steps involved, but be aware of these critical issues before you get started:

  1. You must export the root certificate, not a leaf, for this to work correctly. If you've generated and self-signed the certificate, this is probably easier than if you're using a third-party certificate authority. Be sure to go as far up the certificate chain as you possibly can. If you have intermediate certificates to be installed, export the root first, then the intermediates.

  3. This technique will not work for wildcard certificates. You need to have a certificate for the specific URL being accessed via the mobile device.

  5. When you create the "thumbprint" for the certificate, as per the instructions, make sure that the thumbprint listed in the XML files has no spaces or carriage returns. Otherwise, the thumbprint will not validate.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.

Do you have comments on this tip? Let us know.

Related information from


Dig Deeper on Outlook management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.