Certificate How-to .... confused

Steve B.

Hi,

I'm quite confused about how to deploy a device application on WM5.

Our company has developed an application with VS 2005, Compact Framework 2.0
and sometimes C++. This application is deployed on PP 2003 apps today.

The application is deployed using a storage card with a folder 2577 in which
an autorun.exe file installs several CAB files and CPF files.
The application also provides an auto update feature that can download CAB
files and install them silently.

The audience of the application is in-house only (80 users today, but it
will grow up to 4000 in 2 years).


Now, we are upgrading the application to work on a WM5 device. The
application itself does not change, but the deployment does.
We have to digitally sign the application using a certificate. The SDK is
not very clear about what is possible.

Since the application is a private application, we do not want to query
Microsoft (Mobile 2 Market) or anyone else.
We would like to have a "home" certificate deployed on each device and sign
each application file (or cab file?) using this certificate.

So:

1. Is it the "best practice" for deploying an in-house application?
2. How can I add a specific certificate to the device, allowing apps with the
same certificate to be run with full privileges, without any user
validation?
3. Can this certificate be generated without buying one at a root authority?

Thanks for any clarification,
Steve
 
Whether your "home" certificate story can fly is up to the physical
device, not anything else like your code or your certificate. The basic
idea for your application to have "full privilege" is to sign it with a
certificate which can chain to a certificate stored in the device's
privileged store. Some devices (assuming you are talking about Pocket
PCs, not Smartphones) are open (one-tier-prompt) and allow you to
provision such a certificate, then you are done. Others are locked
(rarely for Pocket PC) and you cannot provision the certificate. But if
the device is open, any application can run fully-privileged with the
user's consent to a dialog, then you do not need any certificate.

I suggest you read more of the documentation on the MSDN site, otherwise
what I said above might be too abstract. I was thinking about writing a
series of posts, as I've seen so many such questions on various forums.
 
Thanks for your answer.

After some hours reading the docs and several resources across the WWW, I
think the following solution is quite easy to maintain.

The device is a Pocket PC with Windows Mobile 5 with phone capabilities.
Our mobile operator can sign cab files or cpf files. The idea is to create a
cpf file that can provision our internal certificate into the device. This
CPF file must be signed by the mobile operator.
After that, all cab files and applications will be signed with our internal
certificate which is now trusted by the device.

I'll test this solution ...

Thanks,
Steve
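
The provisioning step described in the last post, as an added example that is not from the thread or from the SDK: a Python helper that builds the `_setup.xml` a CPF would carry to add an in-house certificate to the device's privileged store. The store name and the `EncodedCertificate` parameter are taken from the Windows Mobile CertificateStore configuration service provider and should be checked against the SDK documentation; the sample certificate bytes are constructed filler, and packaging the file into a CPF and having the operator sign it are not shown.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Store used by the CertificateStore configuration service provider for
# certificates whose signed code may run privileged (check against the SDK).
PRIVILEGED_STORE = "Privileged Execution Trust Authorities"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour lines and return the raw DER bytes."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, the value Windows shows as Thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()


def build_setup_xml(der: bytes, store: str = PRIVILEGED_STORE) -> str:
    """Return the provisioning document that adds `der` to `store`."""
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("input does not look like a DER certificate")
    doc = ET.Element("wap-provisioningdoc")
    cert_store = ET.SubElement(doc, "characteristic", type="CertificateStore")
    target = ET.SubElement(cert_store, "characteristic", type=store)
    # Each certificate entry is keyed by its SHA-1 thumbprint.
    entry = ET.SubElement(target, "characteristic", type=thumbprint(der))
    ET.SubElement(entry, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")


# Constructed stand-in bytes, NOT a real certificate: a DER SEQUENCE header
# followed by filler, so the example runs offline.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x10]) + bytes(range(16))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(build_setup_xml(pem_to_der(SAMPLE_PEM)))
```

Because every CAB signed under a certificate in this store runs privileged, the matching private key becomes the control that protects the whole device fleet.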
 