
Installing Certificates On Windows Phone 7

The document discusses digital certificates on Windows Phone 7, including how to install certificates, what certificates are used for, and how certificates relate to applications, SSL, and user authentication.

Uploaded by

André Bispo
Copyright
© Attribution Non-Commercial (BY-NC)

Windows Phone 7 for IT professionals

Windows Phone 7 and certificates


This article is part of an ongoing series designed to help IT pros evaluate Windows Phone 7 and understand how it can play a role in their organization. The articles in this series will focus on different topics of interest, such as the architecture of Windows Phone 7, using Windows Phone 7 devices with applications such as Microsoft Exchange and Microsoft SharePoint, security, and management.

This article provides basic information about the use of digital certificates on Windows Phone 7. It includes information about the following topics:

- Installing certificates on Windows Phone 7 devices
- Certificates and Windows Phone 7 applications
- Certificates and SSL
- Certificates and user authentication

Digital certificates are electronic files that bind a user's or computer's identity to a pair of electronic keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. Digital certificates do the following:

- Authenticate that their holders (people, websites, and even network resources such as routers) are truly who or what they claim to be.
- Protect data that's exchanged online from theft or tampering.

Installing certificates on Windows Phone 7


Certificates on Windows Phone 7 are primarily used in the following scenarios:

- To create a secure channel using Secure Sockets Layer (SSL) between a Windows Phone 7 and a web server or service.
- To authenticate a user to a reverse proxy server that is used to enable Microsoft Exchange ActiveSync (EAS) for email.

Certificates are also used for installation and licensing of Windows Phone 7 applications from the Marketplace Hub.

Certificate installer
The certificate installer on Windows Phone 7 is a smart installer. It automatically detects what certificates need to be installed and stores them in the appropriate certificate store. We recommend that you restart the phone to activate the installed certificates after installation is complete. It's possible to install certificates on Windows Phone 7 using either of the following two methods:

OEG 3.2.3 12/2010

Installing certificates via Windows Internet Explorer


A certificate can be posted on a website and made available to users through a device-accessible URL that they can use to download the certificate. When a user accesses the page and taps the certificate, it opens on the device. The user can inspect the certificate, and if they choose to continue, the certificate is installed on the device.

Installing certificates via email


The certificate installer on Windows Phone 7 supports .cer, .p7b, and .pfx files. When installing certificates via email, make sure your mail filters do not block .cer files. Certificates that are sent via email appear as message attachments. When a certificate is received, a user can tap to review the contents and then tap to install the certificate. Typically, when an identity certificate is installed, the user is prompted for the passphrase that protects it.

Root certificates on Windows Phone 7


It's possible to use self-signed root certificates with Windows Phone 7, but we recommend chaining off an existing root certificate that is already installed on the phone. For additional information about which root certificates are installed on the phone, see the Windows Phone 7 root certificates article on the Windows Phone 7 Guides for IT Professionals page on the Microsoft Download Center. This article includes a list of CAs and their root certificates that are pre-installed on Windows Phone 7 devices. For more information about digital certificates, SSL, and using other trusted certificates, see the Digital Services Best Practices section of Understanding Digital Certificates and SSL on Microsoft TechNet.

Certificates and Windows Phone 7 applications


The Marketplace Hub is the only source of applications for Windows Phone 7. Users can browse the Marketplace from their phones or through the Microsoft Zune software on their PCs to purchase or install applications. Windows Phone 7 applications are signed with certificates that are unique to the application and that establish a license for the application. Only signed applications will run on Windows Phone 7. Applications and games can be submitted for availability in the Windows Phone Marketplace through the App Hub on the Microsoft Developers Network (MSDN). Submission information is available in the article app hub application submission walkthrough on MSDN. All submissions are reviewed for compliance with Marketplace policies. Approved applications and games are signed with VeriSign certificates.

Certificates and SSL


Organizations might prefer to establish connections between devices and a Microsoft Exchange Server through reverse proxy communications that use SSL to securely encrypt the traffic. For more information about digital certificates, SSL, and reverse proxies, see the Digital Certificates and Proxying section of Understanding Digital Certificates and SSL on Microsoft TechNet.

Certificates and user authentication


On Windows Phone 7, certificate-based authentication only applies to the messaging scenario with Microsoft Exchange Server. When you install Microsoft Exchange Client Access Server and EAS, the default configuration uses Basic authentication and SSL.

Basic Authentication
Basic authentication is the simplest method of authentication. With Basic authentication, the server requests that the client submit a user name and password, which are sent in plaintext over the Internet to the server. The server verifies that the supplied user name and password are valid and grants access to the client. Basic authentication is enabled by default for EAS. However, we recommend that you disable Basic authentication unless you also deploy SSL. When using Basic authentication over SSL, the user name and password are still sent in plaintext, but the communication channel is encrypted.
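
The following is an added example, not part of the original Microsoft article: it shows that a Basic credential is only Base64-encoded, and audits IIS W3C log lines for authenticated EAS requests that arrived on a non-SSL port. The log lines, account names, and the choice of 443 as the only SSL port are constructed assumptions; /Microsoft-Server-ActiveSync is the standard EAS virtual directory path.

```python
import base64

# Constructed sample: IIS W3C extended log lines (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status
2010-12-01 08:00:01 POST /Microsoft-Server-ActiveSync 443 CONTOSO\\alice 203.0.113.10 200
2010-12-01 08:00:07 POST /Microsoft-Server-ActiveSync 80 CONTOSO\\bob 203.0.113.22 200
2010-12-01 08:00:09 OPTIONS /Microsoft-Server-ActiveSync 80 - 203.0.113.22 401
2010-12-01 08:00:15 GET /owa/ 80 - 203.0.113.30 302
"""

EAS_PATH = "/microsoft-server-activesync"
SSL_PORTS = {"443"}  # assumption: SSL is published on port 443 only


def decode_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # Base64 is an encoding, not encryption: decoding needs no key.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def cleartext_eas_logons(log_text):
    """Find authenticated EAS requests that arrived on a non-SSL port."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if (row.get("cs-uri-stem", "").lower() == EAS_PATH
                and row.get("s-port") not in SSL_PORTS
                and row.get("cs-username", "-") != "-"):
            hits.append((row["cs-username"], row["c-ip"], row["s-port"]))
    return hits


if __name__ == "__main__":
    # Constructed credential, used only to show the decoding step.
    print(decode_basic("Basic " + base64.b64encode(b"bob:Passw0rd!").decode()))
    for user, ip, port in cleartext_eas_logons(SAMPLE_LOG):
        print(f"cleartext logon: {user} from {ip} on port {port}")
```

Any account the audit reports has sent its password over an unencrypted channel and should be treated as exposed.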

Certificate-Based Authentication
Certificate-based authentication uses digital certificates to verify identities. This approach uses another form of credentials, in addition to the user name and password, to prove the identity of the user who is trying to access the protected resources. In a certificate-based authentication scenario, the device has a valid client certificate installed that was created for user authentication. In addition, the device has a trusted root certificate for the server to which it establishes an SSL connection. Deploying certificate-based authentication prevents users who have only a user name and password from synchronizing with Exchange.

Resources
- Understanding Digital Certificates and SSL on Microsoft TechNet
- Windows Phone 7 root certificates on the Windows Phone 7 Guides for IT Professionals page


Legal Disclaimer The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Schedules and features contained in this document are subject to change. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Features and services may vary by area, phone, carrier, plan and version of Windows Phone software. Fees may apply. See windowsphone.com/versions and your phone provider for more information. Available programs, features, and functionality may vary by device. Connectivity and synchronization may require separately purchased equipment and/or wireless products (e.g., Wi-Fi card, network software, server hardware, and/or redirector software). Service plans are required for Internet, Wi-Fi and phone access. Features and performance may vary by service provider and are subject to network limitations. See device manufacturer, service provider and/or corporate IT department for details. Access to and use of the Internet may require payment of a separate fee to an Internet service provider. Local and/or long-distance telephone charges may apply. Flash functionality requires Adobe Flash Lite player, which may not be available on all devices. Direct Push Technology requires Exchange Server 2003 Service Pack 2 or newer version. Office Mobile programs must be purchased separately for some devices. Office Mobile is not included in Office 2010 applications, suites, or Web Apps. Office Mobile will be released on Windows Phone 7 devices in the second half of the 2010 calendar year. 
Office Web Apps must be installed to host a Microsoft PowerPoint presentation broadcast via SharePoint 2010. Broadcasting via Windows Live is a free service that enables up to 50 attendees per broadcast. Viewing a broadcast on the phone does not require add-ons or additional components.

© 2010 Microsoft Corporation. All rights reserved. Microsoft, ActiveSync, Internet Explorer, MSDN, PowerPoint, SharePoint, Windows, and Zune are trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Published: December 2010
