Certificate Authentication

Authentication is the process of determining if a remote host can be trusted. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate.

Remote hosts establish their trustworthiness by obtaining a certificate from a Certification Authority (CA). The CA may, in turn, have certification from a higher authority, and so on, creating a chain of trust. To determine whether a certificate is trustworthy, an application must determine the identity of the root CA, and then determine if it is trustworthy.

Windows CE maintains a database of trusted CAs. When a secure connection is attempted by an application, Windows CE extracts the root certificate from the certification chain and checks it against the CA database. It delivers the root certificate to the application through a certificate validation callback function, along with the results of the comparison against the CA database.

Applications bear ultimate responsibility for verifying that a certificate is acceptable. Applications can accept or reject any certificate. If a certificate is rejected, the connection is not completed. At a minimum, a certificate should meet two requirements: The certificate is current, and the identity contained in the certificate matches the root CA identity.

The following root certificate authorities are included in the Windows CE 2.1x Schannel Certificate Authority database:

    To add certificates to the CA database through the registry:

  1. Create the key HKLM\Comm\SecurityProviders\SCHANNEL\CAs if one does not already exist.
  2. Create a subkey with the name of the certificate, for example My Certificate.
  3. Create the following values under the My Certificate key.
        DWORD:Enabled = 1
        DWORD:Type = 1
        BINARY:CACert = X509 certificate bytes

Schannel will pick up the root certificate next time it is loaded.

The certificate validation callback function must be implemented by all client applications that use secure sockets. The value it returns determines if the connection will be completed by Winsock. It must have the following syntax:

int SslValidate (
         DWORD      dwType
         LPVOID     pvArg
         DWORD      dwChainLen
         LPBLOB     pCertChain
         DWORD      dwFlags
);

The parameters contain the following data:

The following table shows values returned by the callback function.

Return value
Description
SSL_ERR_BAD_DATA The certificate is not properly formatted.
SSL_ERR_BAD_SIG The signature check failed.
SSL_ERR_CERT_EXPIRED The certificate has expired.
SSL_ERR_CERT_REVOKED The certificate has been revoked.
SSL_ERR_CERT_UNKNOWN The issuer is unknown, or some unspecified problem arose in the certificate processing, rendering it unacceptable.
SSL_ERR_OKAY The certificate is acceptable.