Sembee Blog of Exchange MVP Simon Butler

Windows Mobile Compatible Certificates

When you are deploying Windows Mobile into your Exchange environment, you should be using an SSL certificate to secure the deployment.
However, the number of SSL certificates that Windows Mobile trusts is much smaller than the number supported by Internet Explorer or Firefox on your desktop. This means one of two things.

1. You need to purchase a certificate from an issuer on that small list.
2. You have to import the SSL certificate into your device.

For the second option, I have instructions elsewhere: http://www.amset.info/pocketpc/certificates.asp

For the first option, which may be preferable if you are going to deploy a large number of devices, you need to get a certificate that is issued by one of the roots supported by Windows Mobile.
The root certificates can be easily seen in the device, but the name of the certificate does not always match the name of the company that can issue the certificates. The root certificates have changed hands, and companies have merged or simply changed their names.

Therefore, what I have done is take the list of root certificates from a standard emulator image, which is what Microsoft would have supplied to the hardware suppliers as their base image, and then find who is currently issuing the certificates.
You should check whether the root certificate list I have here is the same as what you have in your device, as there have been reports of some root certificates being removed.

Where it isn't clear who is the current owner of a root, I have put a question mark. Also note that not all providers are using the root certificates to issue NEW certificates - they may be using them for legacy support only. You should note that some issuers are using multiple roots and you may have to ask for a certificate to be issued from a specific root to get Windows Mobile support.

If you are deploying a mixture of Windows Mobile 5 and Windows Mobile 6 devices, then use the list of root certificates on Windows Mobile 5 to ensure maximum compatibility.
If you are tempted by wildcard certificates, remember that Windows Mobile 5 does not support any wildcard certificates.

Windows Mobile 6

Thawte Server CA (Thawte)
Thawte Premium Server CA (Thawte)
Starfield Class 2 Certification Authority (GoDaddy - http://www.certificatesforexchange.com/)
Secure Server Certification Authority (Verisign)
http://www.valicert.com (GoDaddy - http://www.certificatesforexchange.com/)
GTE CyberTrust Global Root (GlobalSign)
GoDaddy Class 2 Certification Authority (GoDaddy - http://www.certificatesforexchange.com/)
GlobalSign Root CA (GlobalSign - was InstantSSL.com)
Geotrust Global CA (Geotrust)
Equifax Secure Certification Authority (Geotrust)
Entrust.net Secure Server Certification Authority (Entrust)
Entrust.net Certification Authority (2048) (Entrust)
Class 3 Public Primary Certification Authority (Verisign)
Class 2 Public Primary Certification Authority (Verisign)
Baltimore CyberTrust Root (Cybertrust?)
AddTrust External CA Root (AddTrust)
AAA Certificate Services (Comodo?)
GTE CyberTrust Root (InstantSSL.com)

Windows Mobile 5

Thawte Server CA (Thawte)
Thawte Premium Server CA (Thawte)
Secure Server Certification Authority (Verisign)
http://www.valicert.com (GoDaddy - http://www.certificatesforexchange.com/)
GTE CyberTrust Global Root (GlobalSign)
GTE CyberTrust Root (InstantSSL.com)
GlobalSign Root CA (GlobalSign - was InstantSSL.com)
Equifax Secure Certification Authority (Geotrust)
Entrust.net Secure Server Certification Authority (Entrust)
Entrust.net Certification Authority (2048) (Entrust)
Class 3 Public Primary Certification Authority (Verisign)
Class 2 Public Primary Certification Authority (Verisign)
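
A pre-purchase check built from the two lists above, as an added example that is not part of the original post: it reports, per device version, whether a planned certificate's root is on the list and whether a wildcard name would block Windows Mobile 5. The function names and the example.com host names are made up for illustration, and the lists reflect the emulator image described above, so compare them with your own devices.

```python
# Root names are copied from the lists on this page; all function names are hypothetical.
WM5_ROOTS = [
    "Thawte Server CA", "Thawte Premium Server CA",
    "Secure Server Certification Authority", "http://www.valicert.com",
    "GTE CyberTrust Global Root", "GTE CyberTrust Root", "GlobalSign Root CA",
    "Equifax Secure Certification Authority",
    "Entrust.net Secure Server Certification Authority",
    "Entrust.net Certification Authority (2048)",
    "Class 3 Public Primary Certification Authority",
    "Class 2 Public Primary Certification Authority",
]
WM6_EXTRA = [  # on the Windows Mobile 6 list only
    "Starfield Class 2 Certification Authority",
    "GoDaddy Class 2 Certification Authority", "Geotrust Global CA",
    "Baltimore CyberTrust Root", "AddTrust External CA Root",
    "AAA Certificate Services",
]

def _norm(name):
    """Compare names ignoring case and runs of whitespace."""
    return " ".join(name.split()).casefold()

TRUSTED = {
    "WM5": {_norm(r) for r in WM5_ROOTS},
    "WM6": {_norm(r) for r in WM5_ROOTS + WM6_EXTRA},
}

def check_certificate(root_name, dns_names, fleet=("WM5", "WM6")):
    """Return {platform: [problems]}; an empty list means no known blocker."""
    wildcards = [n for n in dns_names if n.strip().startswith("*.")]
    report = {}
    for platform in fleet:
        problems = []
        if _norm(root_name) not in TRUSTED[platform]:
            problems.append(f"root {root_name!r} is not on the {platform} list")
        # The page states the wildcard limitation for Windows Mobile 5 only.
        if platform == "WM5" and wildcards:
            problems.append("wildcard names: " + ", ".join(wildcards))
        report[platform] = problems
    return report

def fleet_ok(report):
    """True only if every platform in the report is free of problems."""
    return all(not problems for problems in report.values())

if __name__ == "__main__":
    # Constructed sample input: a planned wildcard certificate from a WM6-only root.
    for platform, problems in check_certificate(
            "Starfield Class 2 Certification Authority", ["*.example.com"]).items():
        print(platform, "OK" if not problems else "; ".join(problems))
```

Every Windows Mobile 5 root also appears on the Windows Mobile 6 list, which is why a certificate that passes the WM5 check passes for a mixed fleet.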