How to make a self-signed SSL certificate work with Windows RT’s Mail App on a Microsoft Surface RT

Long title, I know…

I was trying to get Windows RT’s Mail App to access the email on my own server. The server uses IMAPS with a self-signed certificate as I only want SSL for its encryption and don’t really need it for authentication purposes as well. As long as it is the correct self-signed certificate I’m happy.

The Mail app, however, rejects certificates that weren’t signed by a trusted authority and doesn’t offer an obvious exception mechanism (like Thunderbird or Apple Mail) that circumvents the need for a trusted certificate. The original Mail app that came with my Surface also displays only very cryptic error messages, but the latest update from earlier this week correctly suggests that one needs to add the self-signed certificate to the certificate storage in order to get Mail to recognize the certificate.

In my case the saving grace is that I use the same cert to secure the webmail access so IE can easily access the certificate. However as Joe User, you can’t add another certificate to the certificate store – you have to be Administrator to be able to add a certificate and I initially couldn’t find an obvious way to run IE as Administrator.

The trick turns out to be that you have to run IE from the desktop (yes, the Surface RT has a standard Windows Desktop, too). The easiest way to get there is to run IE from the ’tile’ UI, pull up the bottom menu and select ‘view on desktop’ from the settings icon menu. Once you are on the desktop, right-click (two-finger click on the ZX81 keyboard cover) on the IE icon. Bummer, no ‘Run as Administrator’ menu entry. However, there is an entry in this menu that says ‘Internet Explorer’. Right click/two finger click on that one and you get ‘Run as Administrator’. I fired up IE as administrator and the buttons to install the certificate were no longer greyed out.

At this point there was one last hurdle to climb over – if you let IE determine where the certificate is saved, Mail still does not recognize the certificate. You have to install it in ‘Trusted Root Certification Authorities’. And now, I can finally read my email on my Surface RT. Just be aware of the security implications of doing so as your certificate can now act as a root certificate for other certificates. Of course, you could simply get a ‘real’ certificate and not have that sort of security issue.

The above worked for me because I use the same certificate for two purposes. If you can’t simply access the certificate via a browser, you’ll have to download the certificate onto your machine as a file and then use certmgr to import it. Again, you’ll most likely have to run certmgr as Administrator as it won’t allow file operations otherwise.
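Since a certificate placed in ‘Trusted Root Certification Authorities’ is trusted for more than this one mail server, it is worth confirming that the file you are about to import really is your server's certificate. The following is an added example, not part of the original post: a small Python script, run on the server or any machine that holds the certificate file, that prints the thumbprints to compare with the ‘Thumbprint’ field (SHA-1) on the Details tab of the Windows certificate dialog. The function names and the sample data are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import ssl

# Constructed sample, NOT a real certificate: a PEM envelope around arbitrary
# bytes, enough to exercise the decoding and hashing offline.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate file saved as PEM (Base64) or DER."""
    text = data.lstrip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return data


def thumbprints(data: bytes) -> dict:
    """SHA-1 is what Windows labels 'Thumbprint'; SHA-256 is the stronger check."""
    der = to_der(data)
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


def normalize(fp: str) -> str:
    """Drop spaces, colons and invisible characters picked up when copying."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def matches(data: bytes, expected: str) -> bool:
    """True only if `expected` equals the file's full SHA-1 or SHA-256 thumbprint."""
    want = normalize(expected)
    return any(hmac.compare_digest(want, got)
               for got in thumbprints(data).values())


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:      # path to the .cer/.crt/.pem file
        blob = f.read()
    for name, value in thumbprints(blob).items():
        print(name, value)
    if len(sys.argv) > 2:                   # optional: thumbprint to compare
        print("MATCH" if matches(blob, sys.argv[2]) else "MISMATCH - do not install")
```

Only install the certificate if the full thumbprint matches; a mismatch means the file or the connection it came over is not the one you think it is.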