Microsoft System Center Configuration Manager 2007 can be used to deploy certificates to mobile devices. Common scenarios for certificate deployment to mobile devices include the following:

Before deploying certificates, you must acquire exported certificates for your root certification authority and any intermediate certification authorities in the form of X.509 .cer files.

Configuration Manager 2007 can deploy certificates using the following methods:

For more information about certificate installation on mobile devices, see Deploying the PKI Certificates Required for Native Mode.

Deploying Certificates Using the Certificate Installation Configuration Item

Certificates can be deployed to Configuration Manager 2007 managed mobile device clients using the Certificate Installation configuration item. For more information about using the Configuration Items Wizard, see How to Create Configuration Items for Mobile Devices.

Certificate Stores on Mobile Devices

Windows Mobile devices include the following stores for certificates:

  • Root—The root certificates for the mobile device. Root stores are primarily used to validate that a presented certificate successfully chains to a trusted root authority. This store is not used for code execution. A copy of the site server signing certificate is stored here.

  • Software Publishing Certificate (SPC)—SPC certificates define the level of privilege for third-party software programs. There are two types of SPC certificates:

    • Privileged—Privileged certificates have manager rights on the mobile device and unrestricted access to the registry.

    • Unprivileged—Unprivileged certificates have restricted rights on the mobile device and cannot access certain portions of the registry.

  • Intermediate—Intermediate certificates authenticate an uninterrupted chain of authority to the root authority.

Deploying Certificates During Mobile Device Client Installation or Upgrade

The Configuration Manager 2007 mobile device client installation or upgrade process uses an enroller program to deploy certificates to mobile devices. For more information about certificates required by mobile devices in native mode, see About Native Mode Certificates for Mobile Device Clients.

Deploying certificates during mobile device client installation or upgrade requires the following:

For more information about mobile device client installation or upgrade, see How to Install or Upgrade the Mobile Device Management Client.

Certificate Values in DMCommonInstaller.ini and ClientSettings.ini

The DMCommonInstaller.ini and ClientSettings.ini files define values for certificate deployment and must be edited for your specific environment. The following are categories of values for deploying certificates to devices:

  • Certificate enroller

  • Importing certificates

  • Renewing the site server signing certificate

Certificate enroller values

The following values in the DMCommonInstaller.ini file or the ClientSettings.ini file are used to define certificate enrollment during client installation or upgrade. Define these values for the site environment if certificates are to be enrolled:

  • CertEnrollAction=Enroll

  • CertEnrollServer=certserver.contoso.com

  • CertEnrollServerPort=80

    Note
    HTTPS is not supported by the Configuration Manager 2007 mobile device certificate enroller.

  • CertRequestPage=/certsrv/certfnsh.asp

  • CertDownloadPage=/certsrv/certnew.cer

  • CertChainDownloadPage=/certsrv/certnew.p7b

If the CertEnrollAction value is Enroll, the enroller application (Enroll_ARM.exe, Enroll_WinCE5.0_x86.exe, or Enroll_WinCE5.0_ARM.exe) will check for a valid client authentication certificate on the mobile device in the personal store. If no client authentication certificate is found, the mobile device user will be prompted to authenticate and a client authentication certificate is enrolled in the personal store of the mobile device. Additional values in the DMCommonInstaller.ini file or ClientSettings.ini file define the parameters for the enrollment process. For more information, see How to Edit the DMCommonInstaller.ini File for Mobile Device Management or How to Edit the ClientSettings.ini File for Mobile Device Management.
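The enroller values above are plain key=value pairs that must be consistent with each other before the client package is built: if CertEnrollAction is Enroll, the server, port and the three page paths all have to be present, the port has to be a valid TCP port, and CertEnrollServer has to be a host name like the sample value rather than a URL (the enroller has no HTTPS support, so an "https://" prefix there is a configuration mistake, not a hardening option). The following pre-flight check is an added example written for this page, not part of Configuration Manager 2007 or its documentation; the section name "[Certificates]" and the ini layout are assumptions, while the keys and sample values are the ones listed above.

```python
import configparser
from typing import Dict, List

# Constructed sample fragment. The "[Certificates]" section name is an
# assumption for this example; the keys and values are those documented
# for DMCommonInstaller.ini / ClientSettings.ini.
SAMPLE_INI = """
[Certificates]
CertEnrollAction=Enroll
CertEnrollServer=certserver.contoso.com
CertEnrollServerPort=80
CertRequestPage=/certsrv/certfnsh.asp
CertDownloadPage=/certsrv/certnew.cer
CertChainDownloadPage=/certsrv/certnew.p7b
"""

REQUIRED_WHEN_ENROLLING = (
    "CertEnrollServer",
    "CertEnrollServerPort",
    "CertRequestPage",
    "CertDownloadPage",
    "CertChainDownloadPage",
)

PAGE_KEYS = ("CertRequestPage", "CertDownloadPage", "CertChainDownloadPage")


def load_cert_section(ini_text: str, section: str = "Certificates") -> Dict[str, str]:
    """Parse ini text and return the certificate section as a dict, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep CertEnrollAction etc. exactly as written
    parser.read_string(ini_text)
    if not parser.has_section(section):
        return {}
    return dict(parser.items(section))


def check_enroller_values(values: Dict[str, str]) -> List[str]:
    """Return findings for the enroller values; an empty list means they are consistent."""
    findings: List[str] = []
    if values.get("CertEnrollAction") != "Enroll":
        # With enrollment turned off the remaining values are not used.
        return findings

    for key in REQUIRED_WHEN_ENROLLING:
        if not values.get(key):
            findings.append(f"{key} is missing but CertEnrollAction=Enroll")

    server = values.get("CertEnrollServer", "")
    if "://" in server:
        findings.append(
            "CertEnrollServer must be a host name (e.g. certserver.contoso.com); "
            "a URL scheme is not accepted and the enroller does not support HTTPS"
        )

    port = values.get("CertEnrollServerPort", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"CertEnrollServerPort={port!r} is not a valid TCP port")

    for key in PAGE_KEYS:
        page = values.get(key, "")
        if page and not page.startswith("/"):
            findings.append(f"{key}={page!r} should be a server-relative path starting with '/'")

    return findings


if __name__ == "__main__":
    for finding in check_enroller_values(load_cert_section(SAMPLE_INI)) or ["OK"]:
        print(finding)
```

Run it against the real DMCommonInstaller.ini or ClientSettings.ini by reading the file into `load_cert_section` with the section name your file actually uses; because the enrollment exchange is plain HTTP on the configured port, the check is also a reminder to keep that traffic on an internal network segment.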

Importing certificates values: ImportCerts

If the ImportCerts value in the DMCommonInstaller.ini file or ClientSettings.ini file is set to True, the setup program will import certificate files (.cer) located in the client transfer directory into the root store on the mobile device. This option is not required to set up native mode if the necessary certificates are already on the mobile device. Certificates to be imported must be in Distinguished Encoding Rules (DER)-encoded binary X.509 format. Base64-encoded X.509 certificates are not supported.
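A Base64-encoded (PEM-armored) .cer file in the client transfer directory is the usual cause of a silently missing root certificate, because the setup program only accepts DER. The script below, an added example written for this page and not part of Configuration Manager 2007, classifies each file as DER or PEM by checking the outer ASN.1 SEQUENCE header against the file length and converts PEM to DER where needed. The short byte strings it tests itself with are constructed stand-ins for the SEQUENCE framing, not real certificates.

```python
import base64
import re
from pathlib import Path
from typing import Dict

# Matches the Base64 armor that the setup program does not accept.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed samples: a minimal DER SEQUENCE { INTEGER 1 } and its PEM form.
# They exercise the encoding check only; neither is a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_sequence_length(data: bytes) -> int:
    """Total encoded length of the DER SEQUENCE at the start of data, or -1 if malformed."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 is the ASN.1 SEQUENCE tag
        return -1
    first = data[1]
    if first < 0x80:                            # short-form length (< 128 bytes)
        return 2 + first
    nbytes = first & 0x7F                       # long form: number of length octets
    if nbytes == 0 or len(data) < 2 + nbytes:
        return -1
    content_len = int.from_bytes(data[2:2 + nbytes], "big")
    return 2 + nbytes + content_len


def classify_cert_bytes(data: bytes) -> str:
    """'der' for DER-encoded binary X.509, 'pem' for Base64 armor, 'unknown' otherwise."""
    if PEM_RE.search(data):
        return "pem"
    # A well-formed DER certificate is exactly one SEQUENCE that spans the whole file.
    if der_sequence_length(data) == len(data):
        return "der"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Strip PEM armor and return the DER bytes the setup program expects."""
    match = PEM_RE.search(data)
    if not match:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if der_sequence_length(der) != len(der):
        raise ValueError("PEM body does not decode to a single DER SEQUENCE")
    return der


def check_transfer_directory(directory: str) -> Dict[str, str]:
    """Classify every .cer file in the client transfer directory by encoding."""
    return {p.name: classify_cert_bytes(p.read_bytes())
            for p in sorted(Path(directory).glob("*.cer"))}


if __name__ == "__main__":
    import sys
    for name, kind in check_transfer_directory(sys.argv[1]).items():
        print(f"{name}: {kind}" + ("  <- convert with pem_to_der" if kind == "pem" else ""))
```

Files reported as "pem" can be rewritten with `pem_to_der` before the client package is built; files reported as "unknown" are truncated or not certificates at all and should be re-exported from the certification authority rather than guessed at.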

Renewing site server signing certificates

The EnableSSSCRenewal value in the DMCommonInstaller.ini file or ClientSettings.ini file specifies whether a site server signing certificate should be downloaded and installed when a new certificate becomes available on the site server. If EnableSSSCRenewal is set to False, the administrator will need to deploy an updated site server signing certificate manually.
