
View Full Version : Certificate Improvements in Windows Mobile 6


Kris Kumar
02-19-2007, 11:30 AM
http://blogs.msdn.com/windowsmobile/archive/2007/02/07/certificate-improvements-in-windows-mobile-6.aspx

"As faithful blog readers already know, there were several limitations related to certificates that caused tons of customer pain on WM5. ... Thanks for all your input and feedback on these issues. Several of the work items and design decisions involved in this were shaped or prioritized directly due to your feedback."

It is a good thing that most of us don't have to mess around with certificates on our Windows Mobile 5 devices. Those of us who had to deal with the hassle of getting a certificate installed in the past will be happy to find out that Windows Mobile 6 will feature a bunch of improvements. Some of the improvements are:

- Certificate Installer built into the platform
- Installs CER, P7B, and PFX files
- No more Access Denied messages.
- Installs certs to the ROOT, Intermediate, and MY store
- Wildcard Certificate support for SSL
- The Intermediate ("CA") store shows up in the control panel now
- Even more root certs installed by default
- Delete will work from the control panel on any user-installed certs

Mike Temporale
02-19-2007, 02:32 PM
This is great news! It would have been nice if it was done sooner, but at least it's there now and can take some of the headache out of setting up corporate access.

runbuh
02-20-2007, 12:21 AM
But they still don't provide a tool for enrolling certificates over a network connection!

Microsoft's recommended best practice for 'corporate' certificates is not to allow the export of the private key. With that in mind, you can't create a file to import, therefore certs must be enrolled directly from the server (via the network). So far as I can find, only tools like the enroller that comes with the Odyssey wireless client enable you to enroll a cert over the wire. What a pain!

Microsoft provides these tools for Windows 2k, XP, and Vista, so why not on the WM platform????

davidfi
04-10-2007, 11:57 PM
"But they still don't provide a tool for enrolling certificates over a network connection!":

Actually, they do. You'll be able to enroll via the device itself (using the new certificatestore CSP) or via a desktop ActiveSync enrollment proxy (UI configured on the desktop via ActiveSync 4.5).

Of course, this won't generally be offered via the public internet by corporates for security reasons, but over-the-air enrollment of a cert will be technically possible. In general, enrollment will occur on the corp private network behind the firewall.