importing personal certificate
- Hello,
can I import a personal certificate to a Windows Mobile device in a way that the private key will be marked as "non exportable"? Otherwise, if the device gets lost, any unauthorized person can export the private key then.
Martin
Answers
- Well, it is kind of complicated :)
Whether a certificate is exportable is initially defined by the template used on the issuing CA. On an Enterprise CA (MSFT) you define whether the private key can be exported, and I would assume the same goes for other CAs. If this is set and you enroll on a Windows computer you cannot even export it to a pfx file.
When importing a pfx file you get to choose yourself when importing on the desktop whether you want to allow exporting the key. (As the template didn't set restrictions it's up to you.)
When importing on a Windows Mobile device you don't get the choice when importing through the GUI. To control the exact behaviour you would need to import programmatically. I'm not sure if it is documented exactly how the utility provided by the GUI works in this respect.
But as already stated it's different on a Windows Mobile device than on the desktop since you don't have a tool for exporting certificates at all. Once again - you could get out your Visual Studio and program something, but I've never written code to test this out. The private key is protected though.
If you enroll directly from the device to the CA the device will respect all the parameters in the template, and then you are guaranteed that it will not be exportable.
Proposed As Answer by Wayne Phillips (MVP), Sunday, November 01, 2009 9:45 PM
Marked As Answer by Elvis Wei (MSFT, Moderator), Wednesday, November 04, 2009 8:47 AM
All Replies
- Not sure what the value of that would be. What are you trying to prevent? They would still need to know the account password, and presumably if the device was lost you would remotely wipe it. I assume you are using 3rd party certificates for ActiveSync anyway correct?
- They can export the private key. It is the same private key I use on my desktop computer, laptop etc. So with that private key they could decrypt everything on my other devices. It is a 3rd party certificate and I use it to read my s/mime encrypted mails with Exchange. When I import a personal certificate for example on Windows Vista I can set if I want to have the private key exportable or not and also if I want to use strong private key protection. I miss those options on Windows Mobile.
- Perhaps this thread will help answer your questions:
http://social.technet.microsoft.com/Forums/en/SCMDM/thread/d1c937a4-a39c-4232-976d-8378d51392e8
- There are flags CRYPT_EXPORTABLE and CRYPT_USER_PROTECTED: http://msdn.microsoft.com/en-us/library/aa924245.aspx
If someone knows whether these flags in PFXImportCertStore are set or not, that would help me a lot.
Unfortunately the Windows Mobile UI does not offer to set these flags during the certificate import process.
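The flag choice Martin is asking about, shown as an added example that is not from this thread or from Microsoft: on desktop .NET Framework (CryptoAPI-backed) the X509Certificate2 constructor's X509KeyStorageFlags correspond to the PFXImportCertStore flags named above (Exportable to CRYPT_EXPORTABLE, UserProtected to CRYPT_USER_PROTECTED), so leaving Exportable out of the flags persists a key that cannot be exported afterwards, and CspKeyContainerInfo.Exportable lets you verify that the stored key container really carries no export permission. The pfx path and password are placeholders; whether the .NET Compact Framework on Windows Mobile exposes the same constructor overload is an assumption not checked here, and the native equivalent on the device is calling PFXImportCertStore with a dwFlags value that omits CRYPT_EXPORTABLE.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (desktop .NET Framework): import a PFX so the private key is
// persisted in the user's key container WITHOUT the exportable attribute.
static class NonExportablePfxImport
{
    // strongProtection adds UserProtected (CRYPT_USER_PROTECTED), the "strong
    // private key protection" option the desktop import wizard offers.
    public static X509Certificate2 Import(string pfxPath, string password, bool strongProtection)
    {
        byte[] pfx = File.ReadAllBytes(pfxPath);

        // PersistKeySet keeps the key in a persistent CSP container rather than a
        // temporary one. Exportable is deliberately NOT included: that omission is
        // what makes the stored key non-exportable.
        X509KeyStorageFlags flags = X509KeyStorageFlags.PersistKeySet
                                  | X509KeyStorageFlags.UserKeySet;
        if (strongProtection)
            flags |= X509KeyStorageFlags.UserProtected;

        var cert = new X509Certificate2(pfx, password, flags);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX did not contain a private key");

        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
        }
        return cert;
    }

    // Ask the CSP whether the key container permits export
    // (CspKeyContainerInfo.Exportable reflects the container's export permission).
    public static bool IsPrivateKeyExportable(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("private key is not an RSA CSP key");
        return rsa.CspKeyContainerInfo.Exportable;
    }

    static void Main(string[] args)
    {
        // Placeholder path and password; supply your own.
        X509Certificate2 cert = Import(@"C:\path\to\cert.pfx", "pfx-password", strongProtection: false);
        Console.WriteLine("Imported {0}", cert.Subject);
        Console.WriteLine("Private key exportable: {0}", IsPrivateKeyExportable(cert));

        // Re-open the certificate from the store to confirm the attribute
        // survived persistence and was not just a property of the in-memory object.
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
            if (found.Count > 0)
                Console.WriteLine("From store, exportable: {0}", IsPrivateKeyExportable(found[0]));
        }
    }
}
```

Once the import has succeeded, the .pfx file itself is still a fully exportable copy of the key, so the protection only holds if that file is deleted from the device or computer it was copied to, as the reply further down in the thread also points out.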
- The exportable attribute is set in the certificate during the initial enrollment. If you "export" it by copying a pfx file to your Windows Mobile device the private key is considered exportable. There is however not an interface for exporting certificates from a WM device, so if you delete the pfx file after importing it you should sit pretty comfortably. (As alluded to in the thread referenced above even exporting it programmatically is probably not that easy.)
If you want to make sure the device respects a non-exportable property you could enroll the certificates directly from the device instead of moving a pfx file around. Now this would be workable in a scenario where you use a MSFT Enterprise CA, but since you state that it's a third-party certificate I do not know if this is an option for you.
If you store data like certificates on a device I would consider enabling device encryption and power-on-password as additional security measures. With these mechanisms in place I'd say the odds of someone doing an untrusted copy of the certificate are seriously reduced.
- "The exportable attribute is set in the certificate during the initial enrollment. If you "export" it by copying a pfx file to your Windows Mobile device the private key is considered exportable."
I thought the exportable attribute is set during the installation/import process. So you mean if I import the certificate from a pfx file to my Windows Mobile device the key is exportable then?
- Thank you, now I understand. I know there is no export interface on Windows Mobile, but I was concerned that it might be very easy to copy the certificate file from the device to a normal computer and there trying to export the private key.