Windows Phone 8.1 introduces the long awaited support for certificate management. From the very first version of Windows Phone 7 it was possible to install certificates to the phone, e.g., by downloading them using Internet Explorer or by opening them from an e-mail message. But once installed, the only way to view and/or remove those certificates was to wipe your phone. Not very convenient.

As you may know from my earlier articles I did some sniffing of Windows Phone traffic using Fiddler. To enable the sniffing of SSL-traffic you need to install a Fiddler-generated root certificate, the infamous DO_NOT_TRUST_FiddlerRoot, to the phone. This enables Fiddler to perform man-in-the-middle attacks against the encrypted SSL connection.

Yesterday I tried to remove the Fiddler certificate from my phone, but was surprised I couldn’t find a certificate management settings app anywhere on the phone. As it turns out the Windows Phone 8.1 Developer Preview doesn’t come with a built-in certificate management app! Yes, the OS does now support certificate management, but only through the use of MDM software (i.e. Mobile Iron or Microsoft’s Intune/SCCM) or custom apps using the new certificate API’s.

Hey JoeB, was it that hard to add a simple Settings app for this? 🙂

Anyway, this gave me a good reason to check out those new certificate management API’s and I decided to write my own little certificate manager app. I inspected the Windows 8.1 ‘Cryptography and Certificate’ sample code and created a simple Windows Phone app using parts of that code (don’t you just love the converging of the Windows and Windows Phone API’s? 😉 ). To enable access to the certificate API’s I added the following capability to the package.appxmanifest:

<Capabilities>
    <Capability Name="sharedUserCertificates" />
</Capabilities>

Then I added the following lines of code (copied straight from said sample) to enumerate all certificates installed on the phone, so I could see if the Fiddler root certificate I had installed on the phone would show up:

private void Page_Loaded(object sender, RoutedEventArgs e)
{
    var task = CertificateStores.FindAllAsync();
    task.AsTask().Wait();
    var certlist = task.GetResults();
    Debug.WriteLine("Cert count: {0}", certlist.Count);
    LoadCertList(certlist);
}

private void LoadCertList(IReadOnlyList<Certificate> certificateList)
{
    CertListBox.Items.Clear();

    foreach (Certificate cert in certificateList)
    {
        CertListBox.Items.Add(cert.Subject);
    }
}

I fired up one of the Windows Phone emulators and installed the FiddlerRoot certificate by e-mailing it to myself and opening it from the e-mail message. Then I ran my test app. To my surprise I got zero results. I installed the FiddlerRoot cert again and reran my app. Again nothing…

Well, maybe this was just emulator weirdness. So I deployed the app to a real phone, my trusty Lumia 920. This time another surprising thing happened. The deployment of the app failed and the following error message appeared in Visual Studio’s Output Window:

Error : DEP0001 : Unexpected Error: Package could not be registered. (Exception from HRESULT: 0x80073CF6)

I tried multiple times. I added some extra capabilities to the Package.appxmanifest, but it always failed with the above error message. A quick search turned up a StackOverflow topic of someone who experienced the exact same behavior. There Claus Jørgensen, a Skype developer, said the ‘sharedUserCertificates‘ capability was only available for first party developers (i.e. Microsoft, OEM’s and carriers).

So I contacted my buddy Matthijs Hoekstra, who happens to be a product marketing manager for Windows Phone and does a lot of the enterprisy stuff. Coincidentally, last week during the ‘Building Apps for Windows Phone 8.1 Jump Start’ he had talked about just this topic in his session ‘Windows Phone 8.1 for the Enterprise Developer’ and I was pretty sure this should be a supported scenario.

To cut a long story short: it’s a bug in the Windows Phone 8.1 Developer Preview!

Matthijs was able to confirm the behaviour. In fact, his Jump Start sample app (Session 18 Demos) also currently cannot be deployed to a real phone, as it also uses the 'sharedUserCertificates' capability.

Matthijs told me the ‘sharedUserCertificates‘ capability should be available to all Windows Phone developers, not just first party developers. ¹ The fix for this bug will probably be included in the post-RTM updates that I expected to be released before General Availability of Windows Phone 8.1.

This still leaves me with the question why my app, when successfully deployed to the emulator, didn’t find any certificates. The code works fine in a Windows 8.1 WinRT app. Maybe it’s related to the deployment bug. Or maybe the phone is more restrictive about giving access to root certificates that haven’t been installed by the querying app itself? Heck, I may even be using the wrong piece of code 😀 Anyway,I’ll look into it. So as soon as I’ve got the answer, I’ll update this article.

¹ Note that apps that require the ‘sharedUserCertificates‘ capability can only be deployed by sideloading or through a MDM solution. If you want to release such an app through the Windows Phone Store, you need special permission from Microsoft.