The Code Project

Title:       Article Title Goes Here
Author:      Author Name 
Email:       author@email.com
Environment: VC++ 5.0-6.0, NT 4.0, Win95/98
Keywords:    Control, Dialog, MFC
Level:       Intermediate"
Description: An article on something-or-other
Section      Miscellaneous
SubSection   General

Sample Image - maximum width is 600 pixels

Introduction

With WM5 Microsoft has implements a new security schema on PocketPC too.
The new schema requires that the applications must be signed with a valid certificate to run without problems on devices.
For simple applications the schema is not a problem, you'll get some borings popup to run the applications or to install cabs the first time. We have more problems when we try to deploy services or drivers, our dlls or applications will not run because the schema is loaded after service.exe and device.exe processes!
In this article i'll explain how we can deploy our own certificate on device and sign our code.

Step 1 - Create the certificate

The first step is create our certificate. To do this we'll use the utility makecert.exe:

makecert -r -sv MyCert.pvk -n "CN=MyCert" -b 01/01/2000 -e 01/01/2099 MyCert.cer

For more information about makecert.exe parameters refer to MSDN library.
Now we have our certificate (MyCert.cer) and private key (MyCert.pvk) but we need of .pfx to pass it to signtool.exe, so go on step 2.

Step 2 - Create .pfx from the .cer

To create .pfx file from .cer file we've to run pvk2pfx.exe tool:

pvk2pfx.exe -pvk MyCert.pvk -spc MyCert.cer -pfx MyCert.pfx

The command will creates .pfx file (MyCert.pfx).

Step 3 - Create the provisioningdoc xml

Ok, now we are ready to build our cab which will installs our certificate on devices. To do this we've to create our wap-provisioningdoc xml.

<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="CertificateStore">
	<characteristic type="Privileged Execution Trust Authorities">
		<characteristic type="[cert_sha1]">
			<parm name="EncodedCertificate" value="[cert_base64]" />
		</characteristic>
	</characteristic>
</characteristic>
<characteristic type="CertificateStore">
	<characteristic type="SPC">
		<characteristic type="[cert_sha1]">
			<parm name="EncodedCertificate" value="[cert_base64]" />
			<parm name="Role" value="222" />
		</characteristic>
	</characteristic>
</characteristic>
</wap-provisioningdoc>

This is the standard schema for our provisioningdoc.
We've to fill [cert_sha1] and [cert_base64] with our values get from MyCert.cer. To obtain these values we've to use openssl.exe tool:

openssl sha1 MyCert.cer > MyCert_sha1.txt
openssl base64 -in MyCert.cer > MyCert_base64.txt

With these commands we get two files with sha1 and base64 values of our certificate. So create an empty file '_setup.xml' and past the content into:

<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="CertificateStore">
	<characteristic type="Privileged Execution Trust Authorities">
		<characteristic type="2bd9dd0aadf266f9810a1210a2052144bf2e3f22">
			<parm name="EncodedCertificate" value="MIIB8jCCAVugAwIBAgIQztL5fI8kyrFE9be6IfYcXTANBgkqhkiG9w0BAQQFADAS
MRAwDgYDVQQDEwdDcmlTb2Z0MCAXDTk5MTIzMTIzMDAwMFoYDzIwOTgxMjMxMjMw
MDAwWjASMRAwDgYDVQQDEwdDcmlTb2Z0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDSNfTSjNJy4zZKi9wen/9CLt1cwWcYIaIp4xIuDd9VIXy3hBj+FpL11E9d
O7Sa5FXcIo8P9WttLHkd9TS8GXUEJShU+b/JtPDQ3EvpuJcSpo0CEuAI3fr7+LpI
VtfZto+lA8/8Ch7cssZQqPaNClIP2+9DrR5l7t5XvCGLltfrcQIDAQABo0cwRTBD
BgNVHQEEPDA6gBDsxeAuaLF3Ax+fxz0bWdqvoRQwEjEQMA4GA1UEAxMHQ3JpU29m
dIIQztL5fI8kyrFE9be6IfYcXTANBgkqhkiG9w0BAQQFAAOBgQC2Tsg8FhGLhCgT
IxKEErFzZw1bNxrnxAjao3hkA2jtv3jGkejWMnnBODogUPbwnkxRTlmKEjBhFilt
P4c4djE4cDApXpnj26R7eX6PmhPmvJHRJP4JM8WEzq/saWyCBEyfhslSSKCVQeNS
SJZ6//5FFqAJIQZ8DklQpSP6mIG3mw==" />
		</characteristic>
	</characteristic>
</characteristic>
<characteristic type="CertificateStore">
	<characteristic type="SPC">
		<characteristic type="2bd9dd0aadf266f9810a1210a2052144bf2e3f22">
			<parm name="EncodedCertificate" value="MIIB8jCCAVugAwIBAgIQztL5fI8kyrFE9be6IfYcXTANBgkqhkiG9w0BAQQFADAS
MRAwDgYDVQQDEwdDcmlTb2Z0MCAXDTk5MTIzMTIzMDAwMFoYDzIwOTgxMjMxMjMw
MDAwWjASMRAwDgYDVQQDEwdDcmlTb2Z0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDSNfTSjNJy4zZKi9wen/9CLt1cwWcYIaIp4xIuDd9VIXy3hBj+FpL11E9d
O7Sa5FXcIo8P9WttLHkd9TS8GXUEJShU+b/JtPDQ3EvpuJcSpo0CEuAI3fr7+LpI
VtfZto+lA8/8Ch7cssZQqPaNClIP2+9DrR5l7t5XvCGLltfrcQIDAQABo0cwRTBD
BgNVHQEEPDA6gBDsxeAuaLF3Ax+fxz0bWdqvoRQwEjEQMA4GA1UEAxMHQ3JpU29m
dIIQztL5fI8kyrFE9be6IfYcXTANBgkqhkiG9w0BAQQFAAOBgQC2Tsg8FhGLhCgT
IxKEErFzZw1bNxrnxAjao3hkA2jtv3jGkejWMnnBODogUPbwnkxRTlmKEjBhFilt
P4c4djE4cDApXpnj26R7eX6PmhPmvJHRJP4JM8WEzq/saWyCBEyfhslSSKCVQeNS
SJZ6//5FFqAJIQZ8DklQpSP6mIG3mw==" />
			<parm name="Role" value="222" />
		</characteristic>
	</characteristic>
</characteristic>
</wap-provisioningdoc>

We're ready to build our cab to deploy on our devices.

Step 4 - Build the .cab

This is the most simple step, we've to run makecab.exe tool:

makecab.exe _setup.xml mycert_cert.cab

Our certificate is now ready to install on devices!

Step 5 - Sing our application code

makecab.exe tool:

makecab.exe _setup.xml mycert_cert.cab

Our certificate is now ready to install on devices!

Points of Interest

Did you learn anything interesting/fun/annoying while writing the code? Did you do anything particularly clever or wild or zany?

History

Keep a running update of any changes or improvements you've made here.