Problems using the ‘sharedUserCertificates’ capability in the Windows Phone 8.1 Developer Preview

Windows Phone 8.1 introduces the long-awaited support for certificate management. From the very first version of Windows Phone 7 it was possible to install certificates on the phone, e.g. by downloading them using Internet Explorer or by opening them from an e-mail message. But once installed, the only way to view and/or remove those certificates was to wipe your phone. Not very convenient.

As you may know from my earlier articles, I did some sniffing of Windows Phone traffic using Fiddler. To enable the sniffing of SSL traffic you need to install a Fiddler-generated root certificate, the infamous DO_NOT_TRUST_FiddlerRoot, on the phone. This enables Fiddler to perform man-in-the-middle attacks against the encrypted SSL connection.

Fiddler Root CA

Yesterday I tried to remove the Fiddler certificate from my phone, but was surprised I couldn’t find a certificate management settings app anywhere on the phone. As it turns out, the Windows Phone 8.1 Developer Preview doesn’t come with a built-in certificate management app! Yes, the OS does now support certificate management, but only through the use of MDM software (e.g. MobileIron or Microsoft’s Intune/SCCM) or custom apps using the new certificate APIs.

Hey JoeB, was it that hard to add a simple Settings app for this? 🙂

Anyway, this gave me a good reason to check out those new certificate management APIs, and I decided to write my own little certificate manager app. I inspected the Windows 8.1 ‘Cryptography and Certificate’ sample code and created a simple Windows Phone app using parts of that code (don’t you just love the convergence of the Windows and Windows Phone APIs? 😉 ). To enable access to the certificate APIs I added the following capability to the package.appxmanifest:

<Capabilities>
    <Capability Name="sharedUserCertificates" />
</Capabilities>

Then I added the following lines of code (copied straight from said sample) to enumerate all certificates installed on the phone, so I could see if the Fiddler root certificate I had installed on the phone would show up:

using System;
using System.Collections.Generic;
using System.Diagnostics;
using Windows.Security.Cryptography.Certificates;
using Windows.UI.Xaml;

// Enumerate every certificate this app is allowed to see and list their subjects.
// Awaiting the WinRT operation keeps the UI thread free instead of blocking it
// with task.AsTask().Wait(); the result is the same list of certificates.
private async void Page_Loaded(object sender, RoutedEventArgs e)
{
    IReadOnlyList<Certificate> certlist = await CertificateStores.FindAllAsync();
    Debug.WriteLine("Cert count: {0}", certlist.Count);
    LoadCertList(certlist);
}

private void LoadCertList(IReadOnlyList<Certificate> certificateList)
{
    CertListBox.Items.Clear();

    // Only the Subject is displayed; Issuer, thumbprint and EKUs are also available on Certificate.
    foreach (Certificate cert in certificateList)
    {
        CertListBox.Items.Add(cert.Subject);
    }
}

I fired up one of the Windows Phone emulators and installed the FiddlerRoot certificate by e-mailing it to myself and opening it from the e-mail message. Then I ran my test app. To my surprise I got zero results. I installed the FiddlerRoot cert again and reran my app. Again nothing… :-/

Well, maybe this was just emulator weirdness. So I deployed the app to a real phone, my trusty Lumia 920. This time another surprising thing happened. The deployment of the app failed and the following error message appeared in Visual Studio’s Output Window:

Error : DEP0001 : Unexpected Error: Package could not be registered. (Exception from HRESULT: 0x80073CF6)

I tried multiple times. I added some extra capabilities to the Package.appxmanifest, but it always failed with the above error message. A quick search turned up a Stack Overflow topic by someone who experienced the exact same behavior. There Claus Jørgensen, a Skype developer, said the ‘sharedUserCertificates’ capability was only available to first party developers (i.e. Microsoft, OEMs and carriers).

So I contacted my buddy Matthijs Hoekstra, who happens to be a product marketing manager for Windows Phone and does a lot of the enterprisey stuff. Coincidentally, last week during the ‘Building Apps for Windows Phone 8.1 Jump Start’ he had talked about just this topic in his session ‘Windows Phone 8.1 for the Enterprise Developer’, and I was pretty sure this should be a supported scenario.

Building Apps for Windows Phone 8.1 Jump Start Session 18

To cut a long story short: it’s a bug in the Windows Phone 8.1 Developer Preview!

Matthijs was able to confirm the behaviour. In fact, his Jump Start sample app (Session 18 Demos) currently cannot be deployed to a real phone either, as it also uses the ‘sharedUserCertificates’ capability.

Matthijs told me the ‘sharedUserCertificates’ capability should be available to all Windows Phone developers, not just first party developers. [1] The fix for this bug will probably be included in the post-RTM updates that I expect to be released before the General Availability of Windows Phone 8.1.

This still leaves me with the question of why my app, when successfully deployed to the emulator, didn’t find any certificates. The code works fine in a Windows 8.1 WinRT app. Maybe it’s related to the deployment bug. Or maybe the phone is more restrictive about giving access to root certificates that haven’t been installed by the querying app itself? Heck, I may even be using the wrong piece of code. 😀 Anyway, I’ll look into it, and as soon as I’ve got the answer I’ll update this article.

[1] Note that apps that require the ‘sharedUserCertificates’ capability can only be deployed by sideloading or through an MDM solution. If you want to release such an app through the Windows Phone Store, you need special permission from Microsoft.

Posted on May 9, 2014, in developing, security, windows phone, Windows Phone 8.1. 7 Comments.

  1. Hello lzandman, I have the same issue with VPN. Is there any news that the bug is fixed?

    • I don’t know yet. There have been some updates to the Developer Preview lately, but I haven’t checked if they fixed this issue.

  2. Mike Stephens

    The most likely reason no certificates were returned is that each application has its own certificate store, per appcontainer. Typically the Fiddler certificate is installed in the MY store of the user or computer. WinRT APIs cannot view certificates in the computer’s MY store. The API can see the user’s MY store if the application’s manifest has the sharedUserCertificates capability enabled. Without this capability, you can only see the certificates for the currently running application.

    Mike

  3. I also ran into this issue with a real device, a 1520 running Lumia Cyan. So I guess it has something to do with the type of application.

    However, on emulator, I can get the list of certificates from the certificate store. As the “sharedUserCertificates” implies, only the Client Authentication Certificates are in the list.

    (NOTE: the Client Authentication Certificates are those with EKU 1.3.6.1.5.5.7.3.2 )
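As an added example (not code from the original post, the SDK sample or any commenter), here is a small diagnostic helper that ties the article’s empty result to the explanations in the comments above: it constrains the query to the Client Authentication EKU the third commenter names, and when a plain FindAllAsync returns nothing it points at the capability rather than at the store being empty. The CertStoreInspector class name is hypothetical; the API calls are the Windows.Security.Cryptography.Certificates types the post already uses.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;

// Hypothetical helper written for this article, not part of the original post or the SDK sample.
public static class CertStoreInspector
{
    // Client Authentication EKU (id-kp-clientAuth), the OID named in the comments.
    public const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    // Ask the store only for client-auth certificates instead of filtering the full list afterwards.
    public static async Task<IReadOnlyList<Certificate>> FindClientAuthCertsAsync()
    {
        var query = new CertificateQuery();
        query.EnhancedKeyUsages.Add(ClientAuthEku);
        return await CertificateStores.FindAllAsync(query);
    }

    // Build a diagnostic listing: thumbprint, subject, whether the certificate is self-signed
    // (a self-signed root carrying a proxy tool's name, like the Fiddler root, is exactly what
    // a user would want to spot and remove) and its EKUs.
    public static async Task<string> DescribeVisibleCertsAsync()
    {
        IReadOnlyList<Certificate> all = await CertificateStores.FindAllAsync();
        var sb = new StringBuilder();
        if (all.Count == 0)
        {
            // An empty result is ambiguous: either nothing is installed, or the app only sees its
            // own per-appcontainer store because sharedUserCertificates is missing from the
            // manifest or is not honoured by this OS build (the situation described in the post).
            sb.AppendLine("No certificates visible. Check the sharedUserCertificates capability.");
            return sb.ToString();
        }
        foreach (Certificate cert in all)
        {
            // GetHashValue() returns the SHA-1 thumbprint bytes; render them as hex.
            string thumbprint = BitConverter.ToString(cert.GetHashValue()).Replace("-", "");
            bool selfSigned = string.Equals(cert.Subject, cert.Issuer, StringComparison.Ordinal);
            sb.AppendLine(string.Format("{0}  {1}  self-signed={2}  EKUs=[{3}]",
                thumbprint, cert.Subject, selfSigned, string.Join(", ", cert.EnhancedKeyUsages)));
        }
        return sb.ToString();
    }
}
```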

  4. Hi All,

    I’ve also faced the same issue. I received the same error:
    Error : DEP0001 : Unexpected Error: Package could not be registered. (Exception from HRESULT: 0x80073CF6)

    I’ve set all the images with the respective dimensions in package.windows.appxmanifest & package.phone.appxmanifest, and it worked for me. I’m able to deploy the app to the emulator and to a phone device as well.

    Thanks,
    Dilip

  5. We are still having issues with “sharedUserCertificates” on the latest Windows Phone 8.1 release, as well as on the Windows 10 Mobile beta. We are trying to install a client auth certificate for use by the system browser, to authenticate to enterprise resources on the intranet when using VPN. Can you confirm that “sharedUserCertificates” still does not work, or would that be a scenario not covered by this?
