Adding Intermediate Certificates to the CA Store

Windows Mobile 6.5

When a Windows® phone connects to a Web server and authenticates by using Secure Sockets Layer (SSL), the client must validate the server's SSL certificate. In most cases, the certificate chains to a root certificate that the client has specified in the local device root store. For more information, see Certificate Chains.

Even if the client has the correct root certificate for server validation, validation will fail if the client does not have access to the correct intermediate certificates to build the chain.

There are two ways for OEMs to ensure that the Windows® phone has access to the necessary intermediate certificates:

  • Intermediate certificates are stored locally in the CA or ROOT store of the device.
CA is where intermediate certificates should be stored, but ROOT will also work.
  • The Web server is configured to support SSL 3.0 standard Transport Layer Security (TLS) where the certificate_list provided to the client can include intermediate certificates, in addition to the server's own certificates.

The Internet Information Services (IIS) administrator must add the intermediate certificates to the local machine certificate store with the name "Intermediate Certification Authorities." By adding all the intermediates to this store, IIS (running Secure Channel, or SChannel) will add the intermediate certificates to the certificate list.

The certificate_list cannot include the root certificate, because it must be included in the local device root store.

Community Additions