
Windows Phone 8

Certificates

This white paper is part of a series of technical papers designed for IT professionals. It provides
information about the use of digital certificates on Windows Phone 8.

v1.0 January 2013


Legal Disclaimer

© 2013 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and
views expressed in this document, including URL and other Internet Web site references, may change
without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft
product. You may copy and use this document for your internal, reference purposes.

Published: January 2013

Windows Phone 8 Certificates


Table of contents

Windows Phone 8 Certificates

Introduction

Certificates in Windows Phone 8

Certificate installation
Certificates and Windows Phone apps
Certificates and SSL
Certificates and user authentication

Resources

Introduction
Digital certificates are electronic files that bind the identity of a user or
computer to a pair of keys that can be used to encrypt and sign digital
information. Certificates are issued by a certification authority (CA) that
vouches for the identity of the certificate holder, and they enable secure client
communications with websites and services.

Digital certificates do the following:


• Help to confirm that their holders—people, websites, and even network
  resources such as routers—are who or what they claim to be (a process
  called authentication).

• Help protect data that's exchanged online from theft or tampering.

Certificates in Windows Phone 8


Certificates in Windows Phone 8 are primarily used in the following scenarios:

• To create a secure channel using Secure Sockets Layer (SSL) between a
  phone and a web server or service.

• To authenticate a user to a reverse proxy server that is used to enable
  Microsoft Exchange ActiveSync (EAS) for email.

• For installation and licensing of applications (from the Windows Phone
  Store or a custom company distribution site).

Certificate installation
Certificates can be installed on the phone using either of the following two
methods:

Installing certificates via Internet Explorer


A certificate can be posted on a website and made available to users through a
device-accessible URL that they can use to download the certificate. When a
user accesses the page and taps the certificate, it opens on the device. The user
can inspect the certificate, and if they choose to continue, the certificate is
installed on the device.

Installing certificates via email


The certificate installer supports .cer, .p7b, .pem, and .pfx files. To install certificates
via email, make sure your mail filters do not block .cer files.

Certificates that are sent via email appear as message attachments. When a
certificate is received, a user can tap to review the contents and then tap to
install the certificate. Typically, when an identity certificate is installed, the user
is prompted for the password (or passphrase) that protects it.
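
The following Python is an added example, not code from the original paper or from Microsoft. It shows how a mail filter or help desk could triage the four supported file types by content rather than by extension (a .cer file may be DER or PEM) and flag the ones that can carry a private key and so should arrive password-protected. The function names and sample bytes are constructed for this example.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS #7 signedData): tag, length, value
P7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def sniff_der(der: bytes) -> str:
    """First-bytes triage of a DER blob; this is a heuristic, not validation."""
    if len(der) < 3 or der[0] != 0x30:           # every format here is a SEQUENCE
        return "unknown"
    # Short form: one length byte. Long form: 0x80 | count of length bytes.
    skip = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    inner = der[skip:]
    if inner.startswith(b"\x02\x01\x03"):        # INTEGER 3: PFX version field
        return "pkcs12"
    if inner.startswith(P7_SIGNED_DATA):         # ContentInfo.contentType
        return "pkcs7"
    if inner[:1] == b"\x30":                     # tbsCertificate SEQUENCE
        return "x509"
    return "unknown"

def classify(data: bytes) -> dict:
    """Classify an attachment by content rather than by file extension."""
    kinds = []
    for label, body in PEM_RE.findall(data):
        if label.endswith(b"PRIVATE KEY"):
            kinds.append("private-key")
        else:
            try:
                kinds.append(sniff_der(base64.b64decode(body)))
            except ValueError:                   # malformed base64 body
                kinds.append("unknown")
    if not kinds:                                # no PEM armor: treat as raw DER
        kinds.append(sniff_der(data))
    return {"kinds": kinds,
            "may_hold_private_key": any(k in ("pkcs12", "private-key") for k in kinds)}

def pem(label: bytes, der: bytes) -> bytes:
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der), label)

# Constructed samples: leading bytes only, enough for triage, not real certificates.
CERT_HEAD = bytes.fromhex("3082010a308200f0")
SAMPLES = {
    "ca.cer": CERT_HEAD,
    "chain.p7b": bytes.fromhex("308201f0") + P7_SIGNED_DATA,
    "user.pfx": bytes.fromhex("30820a00020103"),
    "bundle.pem": pem(b"CERTIFICATE", CERT_HEAD) + pem(b"ENCRYPTED PRIVATE KEY", b"\x30\x00"),
}
```

A .pfx file, or a .pem file with a private-key block, is an identity certificate in the sense used above; a bare .cer or .p7b holds only public certificates.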

Certificates can also be installed via Mobile Device Management servers.
Information on certificate installation via this method can be found in the
Managing Windows Phone 8 with Windows Intune and SCCM white paper at
http://go.microsoft.com/fwlink/?LinkId=275525.

Certificates and Windows Phone apps


Windows Phone 8 applications are signed with certificates that are unique to
the application and that establish a license for the application. Only signed
applications are allowed to run on Windows Phone 8.

The only sources of apps for Windows Phone 8 are the Windows Phone Store
(windowsphone.com/store) and company sites that offer line-of-business apps
that are signed with enterprise certificates. A company can sign and distribute its
own apps by acquiring an enterprise certificate from Symantec, following the
procedures outlined in Company app distribution for Windows Phone
(msdn.microsoft.com/library/windowsphone/develop/jj206943.aspx).

Applications and games can be submitted for availability in the Windows Phone
Store through the Windows Phone Dev Center (dev.windowsphone.com). All
submissions are reviewed for compliance with Store policies. Approved
applications and games are signed with VeriSign certificates.

Certificates and SSL
Organizations might prefer to establish connections between devices and a
Microsoft Exchange Server through reverse proxy communications that use SSL
to securely encrypt the traffic.

For more information about digital certificates, SSL, and reverse proxies, see Digital
Certificates and Proxying in Understanding Digital Certificates and SSL
(technet.microsoft.com/library/dd351044.aspx).

Certificates and user authentication


The Windows Phone 8 email application supports certificate-based client
authentication with Microsoft Exchange Server.

When you install Microsoft Exchange Client Access Server and EAS, the default
configuration uses Basic authentication and SSL.

Basic authentication
Basic authentication is the simplest method of authentication: the server
requests that the client submit a user name and password, which are sent in
plaintext over the network. The server verifies that the supplied user name and
password are valid and grants the client access to the server.

Basic authentication is enabled by default for EAS. However, we recommend that
you disable Basic authentication unless you also deploy SSL. When using Basic
authentication over SSL, the user name and password are still sent in plaintext,
but the communication channel is encrypted.
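
An added example, not part of the original paper: the Basic scheme only base64-encodes `user:password`, so the check below recovers the account name from each request and reports whether it crossed the network with or without SSL. The requests, host name and account are constructed, and the `/Microsoft-Server-ActiveSync` path is assumed as the EAS endpoint.

```python
import base64
import binascii

# Constructed sample requests (not captured traffic): (arrived_over_ssl, raw request)
_CRED = base64.b64encode(b"CONTOSO\\alice:S3cret:pw").decode()
SAMPLES = [
    (False, "POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1\r\n"
            f"Host: mail.example.test\r\nAuthorization: Basic {_CRED}\r\n\r\n"),
    (True,  "POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1\r\n"
            f"Host: mail.example.test\r\nauthorization: basic {_CRED}\r\n\r\n"),
    (False, "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1\r\n"
            "Host: mail.example.test\r\n\r\n"),
]


def basic_user(raw_request: str):
    """Return the user name carried in an Authorization: Basic header, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # Only the first colon separates user from password; the password is
        # deliberately discarded so the audit output never contains it.
        user, sep, _password = decoded.partition(":")
        return user if sep else None
    return None


def audit(samples):
    """Report whether each request's Basic credentials were protected by SSL."""
    findings = []
    for over_ssl, raw in samples:
        user = basic_user(raw)
        if user is not None:
            findings.append((user, "protected by SSL" if over_ssl else "EXPOSED"))
    return findings
```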

Certificate-based authentication
Certificate-based authentication uses digital certificates to verify identities. This
approach uses another form of credentials, in addition to the user name and
password, to prove the identity of the user who is trying to access the
protected resources.

In a certificate-based authentication scenario, the device has a valid client
certificate that was created for user authentication. In addition, the device has a
trusted root certificate for the server to which it establishes an SSL connection.

Deploying certificate-based authentication prevents users who have only a user
name and password from synchronizing with Exchange.

Resources
For more information about all the aspects of using Windows Phone in your
company, see Windows Phone for Business
(http://go.microsoft.com/fwlink/?LinkId=266567).

For additional information about Certificates and Windows Phone, see the
following articles:

• “Company app distribution for Windows Phone” at
  http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943.aspx

• “Understanding Digital Certificates and SSL” at
  http://technet.microsoft.com/en-us/library/dd351044.aspx

• “Managing Windows Phone 8 with Intune” at
  http://go.microsoft.com/fwlink/?LinkId=275525
