Desktop Certificate Enrollment

4/8/2010

With the Windows Mobile 6.5 release, corporate system administrators can deploy and manage certificate-based authentication using the CertificateEnroller Configuration Service Provider and desktop enrollment. Desktop ActiveSync and the Get Certificate user interface allow the user to enroll for a certificate from a cradled Windows Mobile powered device using the existing corporate desktop logon protocol. A password, smartcard, or any other means of user authentication can be used to authenticate the enrollment.

Desktop certificate enrollment can be used to query for and to renew certificates on mobile devices. You can also use the CertificateEnroller Configuration Service Provider to define certificate types and to create the provisioning XML that can be pushed to the mobile devices.

Certificate Enrollment Requirements

The following are needed to set up desktop certificate enrollment:

  • A Windows Mobile 6 device. The device-side enroller is included in ROM on all Windows Mobile 6 devices.
  • Desktop ActiveSync 4.5. It leverages the security of the desktop logon and allows certificate enrollment settings to be created from Active Directory information.
  • Windows Certificate Server. Desktop certificate enrollment relies on Web-based enrollment against a Windows 2000 or 2003 enrollment Web site, which requires a Windows Certificate Server. It cannot be used against a third-party enrollment site.

When to Use Desktop Certificate Enrollment

Desktop certificate enrollment is designed for the following uses:

  • Deploying enterprise-wide Exchange ActiveSync or SSL/TLS certificate-based authentication
  • Renewing existing certificates
  • Distributing 802.1x wireless certificates
  • Providing certificates for S/MIME digital signing

Preparation

The corporate system administrator should do the following to utilize desktop certificate enrollment:

  • Set up a Windows 2000, Windows 2003, or later Windows Certificate Server.
  • Create the certificate type, or use an existing certificate type published to Active Directory.
  • Inform users of the name and type of the certificate they should select.
  • Provide users with instructions for using Get Device Certificate.

Desktop Certificate Enrollment Process

Once the enterprise IT pro has published the certificate to Active Directory and directed the users to enroll for it, the users step through the following process:

To enroll for a certificate with a Windows Mobile 6 powered device

  1. From Advanced Tools, the user chooses Get Device Certificate, navigates to Active Directory on the corporate network, selects the desired certificate, and clicks Add.

  2. The desktop processes the enrollment while the user waits a short period of time. During this time, the device generates a public/private key pair and proxies the enrollment to the Windows Certificate Server through the desktop.

  3. The CA returns a signed certificate to the desktop, which in turn delivers the certificate to the device.

  4. The device stores the certificate and its chain of certificates to the root CA. If the root certificate is not already in the root certificate store of the device, the user is asked to accept the certificate.

  5. The user sees a success dialog to denote the end of the enrollment process.

Once the certificate is in the user Root or CA store, the mobile device will be ready to authenticate with the desired protocol.

Troubleshooting and Support

The Get Device Certificate user interface provides feedback during the desktop certificate enrollment process. This includes status messages and error messages.

During the desktop certificate enrollment process, logs are created on both the device and the desktop computer.

Troubleshooting Actions

Follow the steps below to troubleshoot the use of Desktop Certificate Enrollment.

Check log files on both the desktop and device

Log files are created on both the desktop and the device at the following path:

\Windows\logfiles\GetCertificates\DeviceEnrollLog.txt

The log contains information about the following:

  • Date
  • Time
  • Device Name
  • Domain\Username
  • Certificate Type Friendly Name
  • CA Server
  • Template
  • Request Page path/name
  • Pickup Page path/name
  • Request ID For Enrollment
  • Desktop Initiated
  • Silent Enrollment
  • Status Upon Completion
  • Error Code
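As an added example (not code from the Windows Mobile documentation), the following Python script triages such a log by separating failed enrollments from successful ones. The page does not specify the file's layout, so the one-"Field: value"-line-per-field format and the sample records are assumptions.

```python
"""Triage of the desktop enrollment log described above (added example, not
Microsoft code). The page does not give the file layout, so this assumes one
"Field: value" line per listed field and a blank line between records."""

# Constructed sample records, not real DeviceEnrollLog.txt output.
SAMPLE_LOG = """\
Date: 4/8/2010
Time: 09:12:03
Device Name: WM65-DEV01
Domain\\Username: CORP\\alice
Template: MobileUser
CA Server: ca01.corp.example
Request ID For Enrollment: 1042
Status Upon Completion: Success
Error Code: 0

Date: 4/8/2010
Time: 09:15:41
Device Name: WM65-DEV02
Domain\\Username: CORP\\bob
Template: MobileUser
CA Server: ca01.corp.example
Request ID For Enrollment: 1043
Status Upon Completion: Failed
Error Code: 0x80004005
"""

def parse_records(text):
    """Split the log into dicts keyed by the field names the page lists."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # first colon only: times keep theirs
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def failed_enrollments(records):
    """Records that did not complete, or that carry a non-zero error code."""
    def bad(r):
        code = r.get("Error Code") or "0"     # accepts "0" or hex like 0x80004005
        return r.get("Status Upon Completion") != "Success" or int(code, 0) != 0
    return [r for r in records if bad(r)]
```

Run `failed_enrollments(parse_records(open(path).read()))` against a real log and check the CA Server, Template and Request Page fields of each failure against the two checks that follow.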

Use Internet Explorer to connect to the Web-based enrollment site

Attempt to connect to your Web-based enrollment site to verify that it is accessible from the device.

Confirm that the requested certificate template is available

Navigate to the internal server site where you store your certificates. Make sure that the certificate template for the requested certificate type is in place.