
Install the root CA on Windows Phone

The root CA must be installed on the client device to ensure that the client trusts server certificates that are signed by your private CAs.

To establish trust for the server certificate, we must install the trust anchor certificate (root CA) on the client device.

Only the root CA certificate (trust anchor) must be installed. We do not need to install any other certificates, such as intermediate CA certificates, on the device.

  1. Ensure that the root CA certificate is in DER file format and has a .cer file extension. The PEM format with a .crt file extension is not supported. Convert the certificate as needed.

  2. Run the following command to view the certificate details.

      openssl x509 -inform DER -in certificate.cer -text -noout

  3. Ensure that the certificate is of version X.509 v3. The certificate details must show Version 3.

    The following openssl flag generates X.509 v3 certificates:

      -reqexts v3_req

  4. Ensure that the certificate is a certificate authority. The certificate details must show X509v3 Basic Constraints: CA:TRUE

    The following openssl flag generates the CA extension:

      -extensions v3_ca

  5. To download the certificate file on the device, send it as an email attachment or host it on a secure website.

  6. Click the link in the email or on the website, and then click Tap to open and confirm the installation.
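
A pre-flight script for steps 1 to 4, added here as an example and not part of the original documentation: it converts a PEM or DER root certificate to a DER .cer file and checks the details for Version 3 and CA:TRUE. The function names, file names and the throwaway test certificate are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for steps 1-4. Function and file names are
# illustrative assumptions, not part of the product documentation.

# check_root_ca SRC DST.cer: write a DER copy of SRC to DST.cer; return 0 only
# if the result is X.509 v3 with Basic Constraints CA:TRUE.
check_root_ca() {
  local src="$1" dst="$2" fmt=DER text rc=0
  case "$dst" in *.cer) ;; *) echo "FAIL: output name must end in .cer" >&2; return 2 ;; esac
  # Step 1: PEM files carry a BEGIN CERTIFICATE armor line; DER is raw binary.
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$src" 2>/dev/null; then fmt=PEM; fi
  openssl x509 -inform "$fmt" -in "$src" -outform DER -out "$dst" 2>/dev/null || {
    echo "FAIL: $src is not a readable X.509 certificate" >&2; return 2; }
  # Step 2: inspect the DER file that will actually be sent to the device.
  text=$(openssl x509 -inform DER -in "$dst" -text -noout) || return 2
  # Step 3: the details must show Version 3.
  printf '%s\n' "$text" | grep -q 'Version: 3 ' || { echo "FAIL: not X.509 v3" >&2; rc=1; }
  # Step 4: the line after "X509v3 Basic Constraints" must contain CA:TRUE.
  printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' ||
    { echo "FAIL: Basic Constraints CA:TRUE missing" >&2; rc=1; }
  if [ "$rc" -eq 0 ]; then echo "OK: $dst is a DER-encoded v3 CA certificate (input was $fmt)"; fi
  return "$rc"
}

# Constructed sample input: throwaway self-signed certificate in PEM format.
# Arguments: directory, base name, and TRUE or FALSE for the CA flag.
make_sample_cert() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' 'prompt=no' \
    '[dn]' 'CN=Constructed Test Root' '[ext]' "basicConstraints=critical,CA:$3" > "$1/$2.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Demo on constructed input (runs offline; needs only the openssl CLI).
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" root TRUE && check_root_ca "$demo_dir/root.pem" "$demo_dir/root.cer"
```

A return code of 1 means the file converted but failed the version or CA check; 2 means the input or output name was unusable.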


Results

We can now use web servers that are secured with certificates that are based on this root CA.

There is no way on Windows Phone to check whether the certificate was properly installed. Furthermore, after you install the certificate, Windows Phone provides no way to remove the certificate from the device.

