WM5 SSL Cert issue - MDA III, XDA III, PDA2k, 9090 Software Upgrading

Basically, when I sync to Exchange, they expect both the Exchange server + client to have a valid SSL cert. We don't have one, so on WM2003 there is a file called disablecertcheck that would disable the cert checking so it will be able to sync without the cert. But in WM5 I can't find the file yet, so I need to know: is the file disablecertcheck out for WM5, + if it isn't, are there any patches / cabs / registry entries I can change?
I downloaded it: http://www.microsoft.com/downloads/...B8-8B3A-4F1D-8E94-530A67614DF1&displaylang=en

Any updates on this issue?

I never had luck with DisableCertChk. I found this posting awhile back and it was the most informative I've seen. http://jayseae.cxliv.org/2004/11/04/smartphone_activesync.html
What I did is search Google with "usercerts.msc site:microsoft.com". You'll see a TID referring to Pocket PC 2002, don't worry. Download the addroot cert which is actually ... http://download.microsoft.com/download/pocketpc/addroot/1.0/wce/en-us/addrootcert.exe. Export the certificate per Ethan's instructions from the first link, copy and install it to your device. I hope that this helps.
Steven

Hi guys,
I tried the way as mentioned but I get the following error:
The security cert on the server is invalid. Contact your exchange server administrator or ISP to install a valid cert on the server

I assume you're running Exchange 2003? A perhaps even easier way is to open your OWA page with Internet Explorer and install the certificate on your PC when prompted. Then open Internet Options, Content, Certificates, Trusted Root Certification Authorities. Find your server's certificate and export to a DER encoded binary which you can install on your device. I always put my certificates on my SD card so's I can install easily whenever I upgrade my Pocket PC.... which is quite often ;-)
Luckily with WM5 I don't have to do that anymore!
If you need any more help, just ask.
Steven

I tried this, but no luck. It still says that the certificate on the exchange server is invalid.

Related

Extended ROM - Some CABs don't Execute

I'm trying to customize a few Extended ROMs here and I'm running into some stubborn CABs. When installed manually, everything works fine. No warnings, no errors. Just click the CAB, let it do its thing, then click OK.
Put these same ROMs into an Extended ROM and hilarity ensues. Some will work, others will not and I don't know why. Any suggestions on what I might be missing will be greatly appreciated.
Quick question?
Are the CABs signed? If not, are you installing the 'signed' unsign CAB 1st?
Edit: Thinking more about this (and realising that the 1st thing you do is disable signing in your ROMs), can you provide a little more info about the CABs (maybe an offending CAB if the content is not private)?
I managed to replicate this issue with a CAB that had a warm reset as part of its install process (seems to bork the autoexec batch process) and I have had a similar issue with a CAB that just contained some simple OMA in the _setup.xml.
John
yes, that's the point. But how to make any Unsigned CABs become Signed?
huangyz said:
yes, that's the point. But how to make any Unsigned CABs become Signed?
Without wanting to sound facetious you sign them ;-)
You would use a private key to generate an Authenticode signature for the CAB (and maybe the apps inside if you need to) however you would still need to install the ROOT certificate into the code stores on your device. Or get your app signed by a 3rd party with a certificate that has its ROOT already on the device (MS's MobileToMarket and things like that take care of this for ISV's that need it).
Once you have the ROOT cert on the device in the correct store signing is trivial, you either use SignTool.exe from many of the MS SDK’s or just use the GUI options if Visual Studio is your poison. All you need is an export of the PKF (Private key) and the password to the certificate.
In enterprises one of the 1st things people often do before giving Windows Mobile devices out to users is to install a ROOT certificate for the enterprise onto the device in both the code and transmission stores. This means from then on you can sign in-house apps and CAB’s and they behave as signed commercial apps and you can use features like internal signed SSL for ActiveSync etc. etc.
Don’t forget you can also do away with a lot of this by installing the HTC signed “Disable Certificates” CAB 1st and then the signatures are not checked on subsequent CAB’s, EXE’s or anything code related for that matter.
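The enterprise setup described in the post above (the organisation's root certificate placed in both the code and transmission stores) can be delivered as provisioning XML. The following is an added example, not part of the thread: it turns an exported .cer file (DER or Base-64) into that XML. The store names, the sample bytes and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
from xml.sax.saxutils import quoteattr

# Assumed store names (CertificateStore configuration service provider);
# confirm them against the documentation for your device's OS version.
SSL_STORE = "ROOT"
CODE_STORE = "Privileged Execution Trust Authorities"

# Constructed placeholder: a tiny ASN.1 SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

def to_der(data: bytes) -> bytes:
    """Return DER bytes from either a DER or a Base-64 (PEM) .cer export."""
    if PEM_BEGIN in data:
        body = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        data = base64.b64decode(b"".join(body.split()))
    if not data or data[0] != 0x30:  # every certificate starts with SEQUENCE
        raise ValueError("not a DER or PEM encoded certificate")
    return data

def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER encoding, as shown in the Windows certificate dialog."""
    return hashlib.sha1(der).hexdigest().upper()

def provisioning_xml(cert: bytes, stores=(SSL_STORE, CODE_STORE)) -> str:
    """Build provisioning XML that adds one certificate to each listed store."""
    der = to_der(cert)
    tp = thumbprint(der)
    b64 = base64.b64encode(der).decode("ascii")
    entry = (
        f'      <characteristic type="{tp}">\n'
        f'        <parm name="EncodedCertificate" value="{b64}"/>\n'
        "      </characteristic>\n"
    )
    body = "".join(
        f"    <characteristic type={quoteattr(s)}>\n{entry}    </characteristic>\n"
        for s in stores
    )
    return (
        "<wap-provisioningdoc>\n"
        '  <characteristic type="CertificateStore">\n'
        f"{body}  </characteristic>\n</wap-provisioningdoc>\n"
    )

if __name__ == "__main__":
    print(provisioning_xml(SAMPLE_DER))
```

A certificate that is present only in the SSL store lets Exchange sync succeed while signed code still fails its trust check, which is why the same entry is written once per store.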
djwillis said:
huangyz said:
yes, that's the point. But how to make any Unsigned CABs become Signed?
Without wanting to sound facetious you sign them ;-)
You would use a private key to generate an Authenticode signature for the CAB (and maybe the apps inside if you need to) however you would still need to install the ROOT certificate into the code stores on your device. Or get your app signed by a 3rd party with a certificate that has its ROOT already on the device (MS's MobileToMarket and things like that take care of this for ISV's that need it).
Once you have the ROOT cert on the device in the correct store signing is trivial, you either use SignTool.exe from many of the MS SDK’s or just use the GUI options if Visual Studio is your poison. All you need is an export of the PKF (Private key) and the password to the certificate.
In enterprises one of the 1st things people often do before giving Windows Mobile devices out to users is to install a ROOT certificate for the enterprise onto the device in both the code and transmission stores. This means from then on you can sign in-house apps and CAB’s and they behave as signed commercial apps and you can use features like internal signed SSL for ActiveSync etc. etc.
Don’t forget you can also do away with a lot of this by installing the HTC signed “Disable Certificates” CAB 1st and then the signatures are not checked on subsequent CAB’s, EXE’s or anything code related for that matter.
I am NOT a software developer, so most of your opinions sound enigmatic to me except the last one: put the HTC signed "Disable Cert" in the 1st place of the ext-rom config.txt.
Thanks very much! I'll try later on.
gamescan said:
I'm trying to customize a few Extended ROMs here and I'm running into some stubborn CABs. When installed manually, everything works fine. No warnings, no errors. Just click the CAB, let it do its thing, then click OK.
Put these same ROMs into an Extended ROM and hilarity ensues. Some will work, others will not and I don't know why. Any suggestions on what I might be missing will be greatly appreciated.
Most probably you forgot to set some cab file to read-only before saving the extended-rom. Check the cabs' attributes and the config.txt file while inside the program that you are using to edit the extended-rom. It's not because they are not signed, as long as you've got the cert .cab set to be the first to be installed. Also, cab files that require user input will not work. This is from experience, as posted above.
huangyz said:
I am NOT a software developer, so most of your opinions sound enigmatic to me except the last one: put the HTC signed "Disable Cert" in the 1st place of the ext-rom config.txt.
Thanks very much! I'll try later on.
So, where did you find the signed Disable_Cert.cab?
faria said:
Most probably you forgot to set some cab file to read-only before saving the extended-rom. Check the cabs' attributes and the config.txt file while inside the program that you are using to edit the extended-rom. It's not because they are not signed, as long as you've got the cert .cab set to be the first to be installed. Also, cab files that require user input will not work. This is from experience, as posted above.
Sorry to ping an old thread - flogging to proceed immediately after...
Being that this is a windows device, isn't there a flag that can be passed when executing the cab - like you can on a windows installer application? Similar to setup.exe -q or whatever you're trying to do. Some flags set the answers to yes, admin mode... you get the picture. Does the cab installer engine allow similar flags to get passed with the cab execution command?
In PPC, it calls wceload.exe to install and uninstall a cab.
As shown in http://msdn2.microsoft.com/en-us/library/ms926281.aspx , the only possible argument is to ask or not ask for destination, but no quiet mode.
How can you call wceload.exe manually at ExtROM installation may be a question.

Trouble with trusted certificates?

I am trying to run a program that a friend gave me when he upgraded phones.
I have a T-Mo MDA with the latest T-Mo USA ROM on it.
Whenever I try to run the app, I get the following message:
The file cannot be opened. Either it is not signed with a trusted certificate, or one of its components cannot be found. You might need to reinstall or restore this file.
I verified that all the files are there, and everything is in one directory. How can I alter/add "trusted certificates"? Do I need to unlock my phone for it to run?
Thanks!
With a simple click of the "Search button" I found THIS topic. Read over it.
Wolvereen said:
I am trying to run a program that a friend gave me when he upgraded phones.
I have a T-Mo MDA with the latest T-Mo USA ROM on it.
Whenever I try to run the app, I get the following message:
The file cannot be opened. Either it is not signed with a trusted certificate, or one of its components cannot be found. You might need to reinstall or restore this file.
I verified that all the files are there, and everything is in one directory. How can I alter/add "trusted certificates"? Do I need to unlock my phone for it to run?
Thanks!
try the registrywizard, available on this forum or try:
http://forum.xda-developers.com/showthread.php?t=275081&highlight=registrywizard
Thanks guys,
I found the following, however I am stuck at step 1. Can either of you assist with issuing a "Code Signing Certificate"?
Sorry, I guess I am a bit more nube than I thought...
FYI - Registry Wizard has no effect... Says my device has AKU 2.3.0 and some options will be disabled? However, "Disable Security Warnings" is checked. I applied and soft reset, still no love...
Yes I tried it and it works!
1. First you have to issue a code signing certificate:
- Add a code signing template using the Certification Authority snap-in
- Issue a code signing certificate
2. Download and extract the code signing tools:
http://ftp.intron.ac/pub/security/ra...signingx86.exe
3. Run signcode.exe on the WM5 executable file using the certificate you created earlier.
4. Copy the executable file to the WM5 device

WM6.1, certificate by cab files

Hello,
Yesterday I got my repaired HTC TyTN II mobile phone back (not branded). Now I found WM6.1 on it. Because of the hard reset I need to do a new cab file installation of some needed programs.
At the moment I was able to install some bought software and also to add our Exchange 2007 Server (self-made certificate by our Active Directory Certificate Authority).
Some other bought software and of course all freeware cab files can't be installed. I always get the error message: "Die Installation ist fehlgeschlagen. Das Programm oder die Einstellung konnte nicht installiert werden, da es/sie nicht digital mit einem vertrauenswürdigen Sicherheitszertifikat signiert ist."
Sorry for the German error message. It means that the cab file has no digital certificate or a digital certificate from a non-trustworthy CA. It isn't possible to accept this message and install the software as it was possible with WM6.0.
I read in the forum and of course on a lot of other help websites about certificates, and also about how to put a new certificate on cab files.
So I got a personal code signature from our CA and gave those files a new digital certificate, but that didn't work. I get the same message - the cab files have a good certificate (the file properties under Windows Vista show that). Our root certificate is installed on the mobile phone => Exchange Sync works.
What can I do so that I'm able to install all cab files? Why is my own certification not trustworthy? The root certificate is correctly installed on the device => Exchange Sync works.
Hopefully someone is able to help me.
Forgive me if I'm wrong, but I think 2 things got mixed up here.
Windows Mobile requires CABs to be digitally signed by the makers of the program in order to install it. If it hasn't been done, WM will ask you if you would still like to install it, even if it's not digitally signed.
Exchange requires the Root certificate from the Exchange server to be installed via CAB to ensure a secure connection, identity check,... No certificate, no exchange.
=> regular CAB installations: I remember someone asking the same question some time ago, but I can't find his post. I attached a screenshot of the bubble I get. Is yours the same (ignoring the language differences)? Or are you getting another type of notification bubble or popup? Really no continue anyway option (that would really s*ck...)
Try disabling it by using Kaisertweak (http://forum.xda-developers.com/showthread.php?t=333898). Check under 'security' and look there for disabling the warning. Soft reset after disabling it.
=> Exchange: As I said, it needs the server's Root cert to install. But I guess there were no problems here...
Good luck
@Dr. Strangelove: Thank you for your answer.
Dr. Strangelove said:
Forgive me if I'm wrong, but I think 2 things got mixed up here.
No not really. I tried to authorize the files, that have no certification. The root certificate of the used code signature is the same which is used for the Exchange Server synchronisation.
The root certificate was installed directly with a *.cer file (no CAB File).
Dr. Strangelove said:
=> regular CAB installations: I remember someone asking the same question some time ago, but I can't find his post. I attached a screenshot of the bubble I get. Is yours the same (ignoring the language differences)? Or are you getting another type of notification bubble or popup? Really no continue anyway option (that would really s*ck...)
That was the message I found with WM6.0. Now I get a different message. If the CAB file has a wrong or no digital certificate, then no installation...
...really no continue option.
I think I already tried Kaisertweak. There was a similar message. I'm not able to run it. I am not certain, therefore I will try it again.
However, I don't want to deactivate the warning. I only want to install or run even if there is a warning.
[edit]Ok, I tried it again. The same error message: "Die Datei 'KaiserTweak' kann nicht geöffnet werden. Sie ist nicht mit einem vertrauenswürdigen Sicherheitszertifikat signiert."
In English it means that the KaiserTweak.exe file has no certificate and it isn't possible to run it.
[/edit]
Optional it should be possible to authorize the file with an own certificate and install that. Then there should be no reason to change the new WM6.1 feature....
Andyt8 said:
What can I do, that I'm able to install all cab files? Why is my own certification not trustworthy? The root certificate is correctly installed on the device => Exchange Sync works.
Get with your Exchange server admin, they have your security policy locked down on your device. When you sync with the server it pulls your user rights from the server; if you don't have the correct permissions then it will limit your ability to do certain things on your device.
shogunmark said:
Get with your Exchange server admin, they have your security policy locked down on your device. When you sync with the server it pulls your user rights from the server; if you don't have the correct permissions then it will limit your ability to do certain things on your device.
Thank you for your answer. I forgot, that Exchange 2007 SP1 has more security policies for WM6.1.
Now I'm able to run all kind of installation.

How to add a certificate on WM6.1 ?

I know it is maybe very stupid question but really how can I add a certificate so I can use my on-line banking.
thanks in advance.
I know you can double-click .CER files and they will be imported to the Certificate settings. I added my Equifax SSL certificate that way, it shows up under "Intermediate" certificates.
thanks - it worked !!!

Cab file install

Every time I want to install a cab file under snapvue I get a message something like this: The file shiftpac".liberate" cannot be opened. Either it is not signed or one of its components cannot be found.
What am I doing wrong?
By default this is the standard result; you need to liberate your device. Search the forums for the term 'liberate'.
Ok, can I liberate without using e-mail? I can't get my gmail settings right.
Probably, but it would be difficult...
Set up a dummy e-mail account, I remember yahoo was easy to configure on WM.
