View Full Version : S/MIME email on Windows Mobile 5 MSFP and AKU 2 or 3 with Exchange Server


Islanti
01-10-2007, 05:46 PM
Has anyone actually used S/MIME signing for email on their Windows Mobile 5 device and Exchange 2K3 SP2? I recently upgraded to a WM5 AKU3 Smartphone and one of the features I was looking forward to using was the S/MIME signatures and encryption. When I try to send a signed email the device says "The message cannot be signed because you do not have a certificate for sending signed email. Insert a smart card with the certificate."

I have selected the appropriate certificate via Activesync -> Configure Server -> Next -> Next -> (highlight E-mail) -> Settings (from menu) -> Advanced (from menu) -> Choose Certificate (from menu).

I have seen the Jacco de Leeuw page (http://www.jacco2.dds.nl/networking/crtimprt.html), which offers tools for importing a pfx certificate into Windows Mobile. This seems to work, although WM5 doesn't provide much detail on the status of a particular certificate (such as thumbprint data or whether the private key is associated with the certificate).

I also tried the PFX -> OpenSSL PEM method suggested on Jacco's page (under the crtimprt section). This also seems to work fine but no change.

I have a Thawte freemail certificate, which requires an intermediate certificate to be installed. I created the necessary cab file to import this. There's no way I know of to verify this, but importing the root CA the same way seemed to work fine.

I have my Thawte certificate working fine from the desktop. I have published it to the Exchange GAL via Outlook.

I'm stumped as to what else I could possibly do to enable this feature!

davidfi
04-11-2007, 12:06 AM
Yes, I've used WM5 AKU2 S/MIME. To sign an outgoing email, you have to use a user identity cert out of the MY certificate store. The certificate has to have an associated private key in the key store to sign the outgoing email or to decrypt an incoming email.

Jacco's app is a PFX import app as I recall. You have to make sure that the PFX you created really does include the private key. That might be the problem.

You can enroll a certificate into the MY cert store too using one of the many enroll apps that come on WiFi-capable devices. They will only work against Microsoft Windows Certificate servers running web-based enrollment though.

Note that the WM S/MIME feature can only use S/MIME with other users in an Active Directory domain. It can't be used across the internet between users.
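Islanti notes above that WM5 shows neither a thumbprint nor whether a private key is attached, and davidfi's suggestion is to confirm that the PFX really carries the key. The following is an added example, not part of the thread and not one of Jacco's tools: a few OpenSSL shell functions that inspect a PFX/PKCS#12 file on the desktop before it is imported. The demo identity, file names and password are constructed for the example; the only requirement is the `openssl` command line (1.1.1 or newer for `-addext`).

```shell
#!/bin/sh
# Added example: check a PFX on the desktop before importing it into WM5.
# Everything below (names, password, the self-signed demo identity) is an
# assumption made for the demo; point the functions at your own PFX instead.

# pfx_has_private_key FILE PASSWORD -> exit 0 only if the PFX carries a private key.
# A PFX without the key imports as a plain certificate and cannot sign or decrypt.
pfx_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# pfx_cert_summary FILE PASSWORD -> subject, SHA-1 thumbprint and the key-usage
# lines of the (first) certificate in the PFX. The thumbprint lets you match the
# imported cert against the one published in the GAL; S/MIME signing needs the
# "E-mail Protection" extended key usage and an e-mail address in the cert.
pfx_cert_summary() {
    cert=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null)
    printf '%s\n' "$cert" | openssl x509 -noout -subject -fingerprint -sha1
    printf '%s\n' "$cert" | openssl x509 -noout -text | grep -A1 -i 'Key Usage'
}

# pfx_cert_has_email_protection FILE PASSWORD -> exit 0 if the EKU allows S/MIME
pfx_cert_has_email_protection() {
    pfx_cert_summary "$1" "$2" | grep -q 'E-mail Protection'
}

# make_demo_pfx DIR PASSWORD -> writes two constructed PFX files into DIR:
#   with-key.pfx   certificate + private key (what a signer needs)
#   cert-only.pfx  certificate alone (imports without error, but cannot sign)
make_demo_pfx() {
    dir=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo User/emailAddress=demo@example.invalid" \
        -addext "extendedKeyUsage=emailProtection" \
        -addext "subjectAltName=email:demo@example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/with-key.pfx" -passout "pass:$pw"
    openssl pkcs12 -export -in "$dir/cert.pem" -nokeys \
        -out "$dir/cert-only.pfx" -passout "pass:$pw"
}

# Usage: make_demo_pfx /tmp/smime-demo demo-pass
#        pfx_has_private_key /tmp/smime-demo/with-key.pfx demo-pass && echo "key present"
#        pfx_cert_summary /tmp/smime-demo/with-key.pfx demo-pass
```

Run the same two checks against a real PFX (with the real password) before loading it onto the device: if `pfx_has_private_key` fails, the export that produced the file did not include the key, which is the symptom davidfi describes; if the summary shows no "E-mail Protection" usage or no e-mail address, a mail client has no reason to pick that certificate for signing.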

Islanti
04-11-2007, 05:03 PM
All of those are good suggestions. However, the actual problem was that Thawte S/MIME freemail certs don't work on WM5. :( I was able to get it to work with a Comodo certificate.

Now, why the WM5 device can't find anyone's certificates for encrypting and why it encrypts at 40-bit (already broken!) encryption are another discussion. :(

Mr GAN
04-19-2007, 06:32 PM
All of those are good suggestions. However, the actual problem was that Thawte S/MIME freemail certs don't work on WM5. :( I was able to get it to work with a Comodo certificate.

Now, why the WM5 device can't find anyone's certificates for encrypting and why it encrypts at 40-bit (already broken!) encryption are another discussion. :(

8O This is interesting!
I just struggled to set up S/MIME on WM6 (http://forum.xda-developers.com/showthread.php?t=302344). So far I have succeeded in getting the decryption part working (POP3 account),
but the signing and encryption part is still not working. Could the reason be that this is only supported using MS Exchange?

The option to decide if the message should be signed or encrypted is unfortunately disabled, but it's there. How is this with WM5 for a normal POP3 account?

Jacco2
05-30-2007, 08:58 AM
You have to use PFXimprt for S/MIME on WM5. My other programs Crtimprt and P12imprt won't install the cert correctly. I don't know why exactly. It would take time and a copy of VS2005 to research the problem and currently I'm not willing to spend time and money on it when there is a working alternative (PFXimprt).

I have not yet tried to use my Thawte Freemail cert. I can install it on the device. The problem is that Exchange is required as a mailserver.

I had not looked at POP3 and SMTP with S/MIME until Mr GAN mentioned it (thanks for the tip). It looks like POP3 will work but it turns out to be fairly useless because the mail app does not tell if the message was encrypted/signed or not.

You can find more info on my webpages (http://www.jacco2.dds.nl/networking/windowsmobile-smime.html).
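Jacco2's last point is that over POP3 the WM5 mail app gives no indication of whether a message arrived signed or encrypted. The indication does exist in the message itself: S/MIME marks the outer MIME headers (RFC 2633/3851 style), so a small header classifier can tell the cases apart before the client strips them. The block below is an added example, not from the thread or from Jacco's pages; the sample messages are constructed, with placeholder bodies instead of real PKCS#7 data, because only the headers are examined.

```shell
#!/bin/sh
# Added example: classify an RFC 822 message by its S/MIME headers.
# Sample messages and file names are constructed for the demo.

# classify_smime FILE -> prints one of: enveloped, opaque-signed, clear-signed,
# pkcs7-unknown, plain. Only the header block is inspected; signatures are not
# verified and nothing is decrypted.
classify_smime() {
    # headers only (up to the first blank line), CRs stripped, folded lines joined
    hdr=$(tr -d '\r' < "$1" | sed '/^$/q' | tr '\n' ' ')
    if   printf '%s' "$hdr" | grep -iq 'smime-type="\{0,1\}enveloped-data'; then echo enveloped
    elif printf '%s' "$hdr" | grep -iq 'smime-type="\{0,1\}signed-data';    then echo opaque-signed
    elif printf '%s' "$hdr" | grep -iq 'multipart/signed';                   then echo clear-signed
    elif printf '%s' "$hdr" | grep -iq 'pkcs7-mime';                         then echo pkcs7-unknown
    else echo plain; fi
}

# write_sample_messages DIR -> four constructed .eml files covering the cases
write_sample_messages() {
    cat > "$1/enveloped.eml" <<'EOF'
From: alice@example.invalid
To: bob@example.invalid
Subject: encrypted
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

PLACEHOLDER-CMS-ENVELOPED-DATA
EOF
    cat > "$1/opaque-signed.eml" <<'EOF'
From: alice@example.invalid
To: bob@example.invalid
Subject: opaque signed
Content-Type: application/x-pkcs7-mime; smime-type="signed-data"; name="smime.p7m"
Content-Transfer-Encoding: base64

PLACEHOLDER-CMS-SIGNED-DATA
EOF
    cat > "$1/clear-signed.eml" <<'EOF'
From: alice@example.invalid
To: bob@example.invalid
Subject: clear signed
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

PLACEHOLDER-DETACHED-SIGNATURE
--b1--
EOF
    cat > "$1/plain.eml" <<'EOF'
From: alice@example.invalid
To: bob@example.invalid
Subject: plain
Content-Type: text/plain

hello
EOF
}

# Usage: write_sample_messages /tmp/smime-samples
#        for f in /tmp/smime-samples/*.eml; do echo "$f: $(classify_smime "$f")"; done
```

The order of the tests matters: a clear-signed message carries `multipart/signed` on the outside and `application/pkcs7-signature` only on its inner part, while the two opaque forms use `application/pkcs7-mime` (or the older `x-pkcs7-mime`) with the `smime-type` parameter, which may or may not be quoted. A message that arrived through a gateway which already stripped the outer layer will show up as `plain` here, exactly as it would in the mail app.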