Installing certificates


#1
sidsmut

    Newbie

  • Members
  • Pip
  • 5 posts
  • Devices:I-Mate SP3i/SP5/JasJar
Has anybody managed to get a "freebie" M$ certificate (i.e. one generated by your own Root authority/AD controller(s)) installed on an I-Mate SP5? I remember having trouble when I did this on my JasJar but I did get it working eventually (I didn't disable certificate checking as I recall). The problem is that neither the "old" CERTCHK utility nor adding the .cer file work (CERTCHK doesn't work on WM5 and you get "permission" problems when either using SPADDCERT for WM2003 or just "executing" the .cer file from the device using File Manager).

I REALLY need to get my SP5 working with secured GPRS ActiveSync direct to my Exchange server or I will be forced to revert to my SP3i. Sniff, Sniff..... ;)

  • 0

#2
sidsmut

    Newbie

  • Members
  • Pip
  • 5 posts
  • Devices:I-Mate SP3i/SP5/JasJar
Solved it! I found this today:-

YEEEEEEEEEEEEEEEEEEEEEEEEESSSSSSSS!!!!

I cannot tell you how relieved I am. I've finally managed to get my i-mate
SP5m WM5 Smartphone to sync with my Exchange server.

I thought I'd post this just as a more definitive guide, if you will, than
the ones I've found so far, because it took me forever and a day to find
that extra step that was required.

So, to application unlock the WM5 smartphone (and actually any other HTC
device I think), and to install the root certificate from your internal CA
(this is all assuming you have your own Windows-based Certificate Authority,
not a public certificate):

1. Go to http://www.modaco.co...50-t222786.html.
2. Download the HTC-signed "regeditSTG.zip" and move it to your smartphone.
IMPORTANT: Put it on the phone, not on a memory card - this was my first
sticking point.
3. Extract the zip file using Explorer on the device (if it's a WM5 device).
4. Run the Regedit exe and follow the instructions on the page above for
registry changes to make. It was also suggested by a Microsofty a few posts
down to change 00001017 (4119) to 144 (in the same part of the registry),
although I'm not sure what each entry does. I did all three. :-)
5. Download SDA_ApplicationUnlock.exe from
http://www.modaco.co......0_app_locked...,
connect the device, run this app, click "Unlock" or whatever, then restart
the device.
6. Export the root certificate from the Certificate Authority in your domain
(in DER format), copy it to the phone (again NOT the memory card) and simply
run it from Explorer. Bob's yer uncle.

In case you don't know how to export the root cert, follow these
instructions:
1. Run MMC on the CA server.
2. File, Add/Remove Snap-in.
3. Add... select Certification Authority, and select Local Computer.
4. Finish, Close, OK.
5. In MMC, right-click the CA, select Properties. View Certificate, go to
Details tab, select Copy to File...
6. Next, make sure DER encoded binary is selected, Next, put something like
"c:\rootcert".
7. Finish and you're done. Copy it to the phone, run it and you're done.

Can't believe it took me 4 days of frustration to get that far. It also took
i-mate support just as long (as if they actually bothered reading my plea
for help! hahaha). They really do suck.

Hope this helps folks, I know there's a lot of people asking these same
questions around the place.

Many thanks to Fergus and the power of Google :idea:

  • 0
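
The export steps above call for "DER encoded binary". As an added example (not part of the original posts), this Python sketch checks on the PC whether a .cer file is DER binary or Base64 (PEM) text, converts PEM to DER, and computes the SHA-1 thumbprint so the file can be confirmed as the intended root before it is trusted on a device. The function names and the sample bytes are constructed for illustration, and only the outer ASN.1 framing is checked, not the certificate contents.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: correct outer DER framing (SEQUENCE, 256-byte body)
# around zero bytes. It is NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_total_length(data: bytes) -> int:
    """Return the full encoded length of the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a .cer file."""
    if PEM_RE.search(data):
        return "pem"
    try:
        if der_total_length(data) == len(data):
            return "der"
    except ValueError:
        pass
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Return DER bytes, decoding a PEM wrapper if one is present."""
    kind = classify(data)
    if kind == "der":
        return data
    if kind == "pem":
        body = PEM_RE.search(data).group(1)
        der = base64.b64decode(b"".join(body.split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError("PEM body is not a single DER object")
        return der
    raise ValueError("neither DER nor PEM; re-export the certificate")


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex with no separators."""
    return hashlib.sha1(der).hexdigest().upper()


if __name__ == "__main__":
    for label, blob in (("der", SAMPLE_DER), ("pem", SAMPLE_PEM)):
        der = to_der(blob)
        print(label, classify(blob), len(der), sha1_thumbprint(der))
```

The thumbprint can be compared against the value shown on the certificate's Details tab on the CA server; a truncated or partially copied file is reported as `unknown`.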

#3
pede1977

    Newbie

  • Members
  • Pip
  • 1 posts
  • Devices:Qtek 8020

Solved it! I found this today:-

YEEEEEEEEEEEEEEEEEEEEEEEEESSSSSSSS!!!!

I cannot tell you how relieved I am. I've finally managed to get my i-mate
SP5m WM5 Smartphone to sync with my Exchange server.

I thought I'd post this just as a more definitive guide, if you will, than
the ones I've found so far, because it took me forever and a day to find
that extra step that was required.

So, to application unlock the WM5 smartphone (and actually any other HTC
device I think), and to install the root certificate from your internal CA
(this is all assuming you have your own Windows-based Certificate Authority,
not a public certificate):

1. Go to http://www.modaco.co...50-t222786.html.
2. Download the HTC-signed "regeditSTG.zip" and move it to your smartphone.
IMPORTANT: Put it on the phone, not on a memory card - this was my first
sticking point.
3. Extract the zip file using Explorer on the device (if it's a WM5 device).
4. Run the Regedit exe and follow the instructions on the page above for
registry changes to make. It was also suggested by a Microsofty a few posts
down to change 00001017 (4119) to 144 (in the same part of the registry),
although I'm not sure what each entry does. I did all three. :-)
5. Download SDA_ApplicationUnlock.exe from
http://www.modaco.co......0_app_locked...,
connect the device, run this app, click "Unlock" or whatever, then restart
the device.
6. Export the root certificate from the Certificate Authority in your domain
(in DER format), copy it to the phone (again NOT the memory card) and simply
run it from Explorer. Bob's yer uncle.

In case you don't know how to export the root cert, follow these
instructions:
1. Run MMC on the CA server.
2. File, Add/Remove Snap-in.
3. Add... select Certification Authority, and select Local Computer.
4. Finish, Close, OK.
5. In MMC, right-click the CA, select Properties. View Certificate, go to
Details tab, select Copy to File...
6. Next, make sure DER encoded binary is selected, Next, put something like
"c:\rootcert".
7. Finish and you're done. Copy it to the phone, run it and you're done.

Can't believe it took me 4 days of frustration to get that far. It also took
i-mate support just as long (as if they actually bothered reading my plea
for help! hahaha). They really do suck.

Hope this helps folks, I know there's a lot of people asking these same
questions around the place.

Many thanks to Fergus and the power of Google  :idea:

<{POST_SNAPBACK}>


Where is the (4. Run the Regedit exe and follow the instructions on the page) that you are talking about above? I am missing the reg values. And the program SDA_ApplicationUnlock.exe is not working on WM5....

  • 0

#4
sidsmut

    Newbie

  • Members
  • Pip
  • 5 posts
  • Devices:I-Mate SP3i/SP5/JasJar

Where is the (4. Run the Regedit exe and follow the instructions on the page) that you are talking about above? I am missing the reg values. And the program SDA_ApplicationUnlock.exe is not working on WM5....

<{POST_SNAPBACK}>


If you follow the link mentioned in step 1) it will give you a signed registry editor that works on the SP5 as well as the other two registry keys you need to change. Also I ran SDA_ApplicationUnlock.exe and it worked just fine for me. It is run on the ActiveSync host (i.e. the PC) and is NOT a WM5 executable.

Let me know if you are still stuck.

  • 0

#5
michehrlich

    Regular

  • Members
  • PipPip
  • 99 posts
This mostly worked for me, except that to install the certificate I followed:
http://support.micro...kb;en-us;841060

(this article only mentions WM 2002 and WM 2003 but the engineer who sent me the link says it's been tested on WM 5.0, and indeed I can confirm that it works for WM 5.0. The only difference is that for 5.0 you need to first create a directory off the root called Storage, because that's where SPAddcert looks for the certificate on 5.0).

Anyway, I now have air sync with Exchange -- it DOES work!

Next thing will be to get e-mails pushed to my phone as soon as they arrive in my Exchange mailbox -- any ideas, anyone?

  • 0

#6
Newchurch

    Regular

  • Members
  • PipPip
  • 61 posts

Next thing will be to get e-mails pushed to my phone as soon as they arrive in my Exchange mailbox -- any ideas, anyone?

<{POST_SNAPBACK}>


Maybe this blogcast can help you (sorry, it's German :) ).

Greetings Peter

  • 0
:: Apple iphone - 4GB - with T-Mobile SIM working ; )))
:: HTV Touch - 4GB Micro-SD, T-Mobile Germany
:: Polished Orange SPV C500 - "Polished Edition" *** phone sold ***

:: mobilejoe.de - the german windows smartphone community

#7
michehrlich

    Regular

  • Members
  • PipPip
  • 99 posts

Maybe this blogcast can help you (sorry, it's German :) ).

Greetings Peter

<{POST_SNAPBACK}>


Thanks Peter! I checked that out -- you can read my reply on that blog.

Here's a rough translation:

Very helpful!

A couple questions:

- How did you get MSFP? From everything I have seen online, it's not available yet.

- Unless I missed something, this is not about real Push, but just sync. Real push is: when an e-mail lands in my Exchange inbox, it immediately gets pushed to my phone without waiting for the next scheduled sync.

Or did I miss something? Don't mean to complain, just trying to get to a real Push situation!

- Michel

  • 0

#8
willcheng

    Newbie

  • Members
  • Pip
  • 7 posts
  • Devices:MDA Vario
Hi there,

I've got a MDA Vario from T-Mobile (same as HTC Wizard, O2 XDA mini S or i-mate K-Jam). As far as I can tell I've followed the exact steps that have been laid out in the original post and also followed the "How to add root certificates to Windows Mobile..." - everything seems fine until I try to install the cert using SpAddCert.exe - I still get an error saying "This is not a valid certificate file...etc.etc."

I'm thinking maybe I've not edited the registry correctly. Here's what I've done:

1. Using PHM Registry Editor I navigate to HKLM\Security\Policies\Policies\
2. Then I've changed 00001001 to 1, 00001005 to 40 and 00001017 to 144

In previous post it says "change 00001017 (4119) to 144". The only thing that I can't see in PHM regedit is "(4119)". I only see 2 columns - Name (e.g. 00001017) and Data(e.g. 144 (0X000090)). Am I doing this step incorrectly?

Don't know if you can help - I'm pulling my hair out ;)

  • 0

#9
rsearley

    Addict

  • Members
  • PipPipPip
  • 171 posts
  • Devices:PDA2K SP5m M600 Ubq501
On the imate website is a utility called: i-mate™ SP5m Certificate Installer

i am guessing they have one for the SP5.. the utility is described as follows:

Use this application to enroll root certificates in your SP5m. These certificates can be used for authentication in SSL connections for Outlook Email, Web Sites, etc The Certificate must be available as a binary .cer file.

could you not have used this?????

  • 0
When? Where? Why?.

#10
michehrlich

    Regular

  • Members
  • PipPip
  • 99 posts

On the imate website is a utility called:  i-mate™ SP5m Certificate Installer

i am guessing they have one for the SP5..  the utility is described as follows:

Use this application to enroll root certificates in your SP5m. These certificates can be used for authentication in SSL connections for Outlook Email, Web Sites, etc The Certificate must be available as a binary .cer file.

could you not have used this?????

<{POST_SNAPBACK}>


I used this on my SP5, and it worked like a charm. However, when I tried it on my colleague's QTEK 8310 (which is exactly the same HTC phone as the SP5 and which I bought because pdashop.nl was out of SP5s), I got a screen that said that this certificate installer is for i-mate phones only. So I had also assumed that it could work on all, or at least many HTC devices, but that was not correct.

So I did the following, and it worked:
A. Make sure you have the following:
- the certificate
- smartphoneaddcert.exe
- RegeditSTG.zip
- SDA_ApplicationUnlock
B. Then do this (with your phone connected to PC via ActiveSync throughout the process):
- Copy the file RegeditSTG.zip to the phone; then extract it on the phone (it won't copy over as an exe file; must be copied first as zip, then extracted).
- Then using RegeditSTG find the key HKLM\Security\Policies\Policies\00001017 and change value from 128 to 144
- Then run SDA_ApplicationUnlock on your PC. This should unlock the phone. If you try it without the registry change, it will not succeed in unlocking the phone.
- Create a folder called "Storage" in the root directory of the phone (this is where SPAddCert will look for the certificate; if it's not there, it won't be found)
- Copy the certificate there
- Unzip smartphoneaddcert.exe on your PC, which produces a number of files; just copy the file "SpAddCert.exe" onto the phone.
- Run the SpAddCert on the phone. It will find the certificate in the "Storage" folder you have created and will offer to add it. Complete the wizard.
- Re-start the phone.

  • 0

#11
michehrlich

    Regular

  • Members
  • PipPip
  • 99 posts

Hi there,

I've got a MDA Vario from T-Mobile (same as HTC Wizard, O2 XDA mini S or i-mate K-Jam). As far as I can tell I've followed the exact steps that have been laid out in the original post and also followed the "How to add root certificates to Windows Mobile..." - everything seems fine until I try to install the cert using SpAddCert.exe - I still get an error saying "This is not a valid certificate file...etc.etc."

I'm thinking maybe I've not edited the registry correctly.  Here's what I've done:

1. Using PHM Registry Editor I navigate to HKLM\Security\Policies\Policies\
2. Then I've changed 00001001 to 1, 00001005 to 40 and 00001017 to 144

In previous post it says "change 00001017 (4119) to 144".  The only thing that I can't see in PHM regedit is "(4119)".  I only see 2 columns - Name (e.g. 00001017) and Data(e.g. 144 (0X000090)).  Am I doing this step incorrectly?

Don't know if you can help - I'm pulling my hair out ;)

<{POST_SNAPBACK}>


Willcheng, see my reply to rsearley -- there is a possible solution for you there. I'm also attaching a zip file (UnlockAndAddCert.zip) containing the three tools I mention in A (not the certificate, obviously).


  • 0

#12
willcheng

    Newbie

  • Members
  • Pip
  • 7 posts
  • Devices:MDA Vario

Willcheng, see my reply to rsearley -- there is a possible solution for you there. I'm also attaching a zip file (UnlockAndAddCert.zip) containing the three tools I mention in A (not the certificate, obviously).

<{POST_SNAPBACK}>


Hi michehrlich, Thanks for your help. It seems like your version of regeditSTG is a little different to mine. I've attached the one that I've been using. The difference seems to be that I can only edit the data value in binary format. Unless I'm using the app incorrectly - can you give me some tips on how to navigate to HKLM\Security\Policies\Policies\ using your version of regeditSTG?

Incidentally I tried not editing the registry and then using the SDA_ApplicationUnlock.exe and the application still says that the phone has been "successfully unlocked, please reboot" - so I'm not really sure if the application unlock has worked - is there any way of checking?

Anyway - I've followed the steps but the Certificate is still seen as invalid. (Attached file: programs.zip)

I'm persevering :?:

Will

  • 0

#13
michehrlich

    Regular

  • Members
  • PipPip
  • 99 posts

Hi michehrlich, Thanks for your help. It seems like your version of regeditSTG is a little different to mine. I've attached the one that I've been using. The difference seems to be that I can only edit the data value in binary format. Unless I'm using the app incorrectly - can you give me some tips on how to navigate to HKLM\Security\Policies\Policies\ using your version of regeditSTG?

<{POST_SNAPBACK}>

Unfortunately I'm not quite sure how to communicate that to you since I don't know how to do screenshots -- it's just normal navigation to the correct key and to go into it and change the value (or to go into the value and change the value -- as you can see I'm not even sure what is a key and what is a value and I did it anyway!) and change the number by moving the joystick to the right, which adds 1 to the number each time, until you reach the number you need. Remember that you need to be doing this ON the phone. I should add that I have only ever done this on an i-mate SP5 and a Qtek 8310; I can't speak for other devices.


Incidentally I tried not editing the registry and then using the SDA_ApplicationUnlock.exe and the application still says that the phone has been "successfully unlocked, please reboot" - so I'm not really sure if the application unlock has worked - is there any way of checking?

<{POST_SNAPBACK}>

What happens for me if I DON'T change the registry is that when I run SDA_ApplicationUnlock, I get a screen warning that "the phone is locked, do you want to proceed?" (or something like that) and if I click yes, it does indeed tell me that the phone has been successfully unlocked, but it's not true. After I do the registry change and run SDA again, I don't get the screen warning that the phone is locked; it just goes straight to the success screen, and then it's true.

  • 0

#14
dm.wood

    Regular

  • Members
  • PipPip
  • 50 posts
  • Devices:Qtek 8310

Hi michehrlich, Thanks for your help. It seems like your version of regeditSTG is a little different to mine. I've attached the one that I've been using. The difference seems to be that I can only edit the data value in binary format. Unless I'm using the app incorrectly - can you give me some tips on how to navigate to HKLM\Security\Policies\Policies\ using your version of regeditSTG?

Incidentally I tried not editing the registry and then using the SDA_ApplicationUnlock.exe and the application still says that the phone has been "successfully unlocked, please reboot" - so I'm not really sure if the application unlock has worked - is there any way of checking?

Anyway - I've followed the steps but the Certificate is still seen as invalid. (Attached file: programs.zip)

I'm persevering :?:

Will

<{POST_SNAPBACK}>



I have a Qtek 8310 and I am using it successfully to Synchronise with my Exchange 2003 mail server.

I also used PHM Registry Editor to navigate to HKLM\Security\Policies\Policies\
Then I changed 00001001 to 1, 00001005 to 40 and 00001017 to 144 as well

Make sure you are viewing the key values in decimal not hex.

The one thing I did not do was use the SPAddCert application you mention.

I manually installed the root Cert on my Qtek. I just copied it across to a temp folder that I created and installed it by selecting it in file explorer. I did have to application unlock the phone first though using the SDA_ApplicationUnlock.exe

The Cert I used was issued from my own internal MS CA server as well, it was not a commercial cert.

My root cert is now listed in the Certificates section on the phone and Exchange Activesync works a treat. ;)

Edited by dm.wood, 05 January 2006 - 09:05 AM.

  • 0

#15
willcheng

    Newbie

  • Members
  • Pip
  • 7 posts
  • Devices:MDA Vario

Unfortunately I'm not quite sure how to communicate that to you since I don't know how to do screenshots -- it's just normal navigation to the correct key and to go into it and change the value (or to go into the value and change the value -- as you can see I'm not even sure what is a key and what is a value and I did it anyway!) and change the number by moving the joystick to the right, which adds 1 to the number each time, until you reach the number you need. Remember that you need to be doing this ON the phone. I should add that I have only ever done this on an i-mate SP5 and a Qtek 8310; I can't speak for other devices.
What happens for me if I DON'T change the registry is that when I run SDA_ApplicationUnlock, I get a screen warning that "the phone is locked, do you want to proceed?" (or something like that) and if I click yes, it does indeed tell me that the phone has been successfully unlocked, but it's not true. After I do the registry change and run SDA again, I don't get the screen warning that the phone is locked; it just goes straight to the success screen, and then it's true.

<{POST_SNAPBACK}>


Thanks for this - I'm probably doing some of the steps wrong - I'll have another go.

I don't think this could be an issue with my device - I think it is a WM5 issue so hopefully if it works on your QTeks then it should work on my MDA Vario (which is a Qtek 9100).

Btw - Did you have a look at the version of regedit that I attached?

  • 0

#16
dm.wood

    Regular

  • Members
  • PipPip
  • 50 posts
  • Devices:Qtek 8310

Thanks for this - I'm probably doing some of the steps wrong - I'll have another go.

I don't think this could be an issue with my device - I think it is a WM5 issue so hopefully if it works on your QTeks then it should work on my MDA Vario (which is a Qtek 9100).

Btw - Did you have a look at the version of regedit that I attached?

<{POST_SNAPBACK}>


PHM Registry editor that you attached is the same one that I used. What's the Numlocker.exe for? ..I haven't seen that application before.

  • 0

#17
willcheng

    Newbie

  • Members
  • Pip
  • 7 posts
  • Devices:MDA Vario
Hmmm strange...

1. I've managed to navigate to the right keys and change the values.
2. I then run SDA_ApplicationUnlock.exe (I've attached the screenshots for this: ss.zip)
3. I've then rebooted the device, went back into regedit to check the values and for some strange reason they have gone back to the original values.

If I don't run SDA_ApplicationUnlock.exe the values stay changed.

Every time I run SDA_ApplicationUnlock.exe the values change back to the original factory settings.

(Wish I could take SS of my device)

  • 0

#18
willcheng

    Newbie

  • Members
  • Pip
  • 7 posts
  • Devices:MDA Vario

PHM Registry editor that you attached is the same one that I used. What's the Numlocker.exe for? ..I haven't seen that application before.

<{POST_SNAPBACK}>


I'm not sure what the numlocker does - I downloaded the regedit off a site and it all came in a zip file. I've not used it.

  • 0

#19
dm.wood

    Regular

  • Members
  • PipPip
  • 50 posts
  • Devices:Qtek 8310

Hmmm strange...

1. I've managed to navigate to the right keys and change the values.
2. I then run SDA_ApplicationUnlock.exe (I've attached the screenshots for this: ss.zip)
3. I've then rebooted the device, went back into regedit to check the values and for some strange reason they have gone back to the original values.

If I don't run SDA_ApplicationUnlock.exe the values stay changed.

Every time I run SDA_ApplicationUnlock.exe the values change back to the original factory settings.

(Wish I could take SS of my device)

<{POST_SNAPBACK}>


Hmmm....After you have run the SDA_ApplicationUnlock.exe... if you change the registry values do they stay? I think you may need to change the values after unlocking the device ;)

  • 0

#20
willcheng

    Newbie

  • Members
  • Pip
  • 7 posts
  • Devices:MDA Vario

Hmmm....After you have run the SDA_ApplicationUnlock.exe... if you change the registry values do they stay? I think you may need to change the values after unlocking the device ;)

<{POST_SNAPBACK}>


Either way I still can't install the certificate. I think you need to make the registry changes first in order for SDA_ApplicationUnlock.exe to work anyway. :D

I've had a chat with T-Mobile and they say that the only lock on my phone is the sim lock (which I managed to unlock anyway) - I might have to try and talk to them again.

It's SDA_ApplicationUnlock.exe that is changing the values. And for some strange reason it's changing the values to 16.

Weird.

(Why O why has M$ not got a fix for this.... Why why why!!)

  • 0



