This allows those of us who use self-signed certificates (e.g. Microsoft Certificate Authority) to secure our communications to automate the installation of the root certificate.
In the example below, we are just installing the certificate, which will require the user to execute the cab file on the device. That is pretty redundant, as they might as well just click on the certificate on the device and install it that way. This is meant to be added to other cab files, e.g. the ActiveSync cab file: we provision our company's SSL cert and then provision ActiveSync settings that utilise that cert.
To start it off, we have our basic code: once again, XML provisioning using configuration service providers.
<wap-provisioningdoc> <!-- Opens the code -->
<characteristic type="CertificateStore"> <!-- Tells the device we are using the CertificateStore CSP, as we want to modify the certificate stores -->
<characteristic type="ROOT"> <!-- Tells the device what store we are using (there are actually a few on Windows Mobile! The others are more for development and signing cab file certificates, so we won't be using those!) -->
<characteristic type="Hash of certificate"> <!-- The thumbprint hash of the certificate -->
<parm name="EncodedCertificate" value="Contents of certificate"/> <!-- The raw text contents of the certificate -->
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
So, in this example, I'm just going to export a generic CA certificate from my desktop for the example. The following steps aren't necessary if you already have a copy of your root certificate.
I've opened up Certificates on my XP machine
Start > Run > "mmc"
File Menu > Add/Remove Snap-in - Then click "Add"
Select "Certificates" - Then click "Add"
Then choose "My User Account" (or whichever store your root certificate resides in)
Click Close, and OK, and you should be back at your MMC page with the "Certificates" as an expandable tree on the left.
Open this up. Expand out Trusted Root certificate authorities.
Find Equifax Secure eBusiness CA-1 or whichever certificate you want to export (This is just my example)
Right click on it, select All tasks and then Export.
Click Next, change to base64 encoded certificate and click Next again
Specify the file you want to output and click Next. Then Finish. (I usually use "rootcert.cer" so I remember.)
So now we have our certificate. How do we put that into the cab?
Open the certificate from wherever you output it to.
Go to the Details tab of the resulting page.
Scroll down to the bottom and you should see a Thumbprint field with a value next to it.
In my case the value is - da 40 18 8b 91 89 a3 ed ee ae da 97 fe 2f 9d f5 b7 d1 8a 41
Now we need to place this into the "Hash of certificate" in our XML code (and remove the spaces).
So we should have -
<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="ROOT">
<characteristic type="da40188b9189a3edeeaeda97fe2f9df5b7d18a41">
<parm name="EncodedCertificate" value="Contents of certificate"/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
Now open the certificate in notepad. (Easiest is to open notepad and drop the certificate onto the notepad window.)
You should end up with something like this-
-----BEGIN CERTIFICATE-----
(base64 text of the certificate, spread over several lines)
-----END CERTIFICATE-----
Delete the Begin and end lines. Also delete the line breaks.
You should have one continuous string of base64 text.
This goes into the "Contents of certificate" value.
So now we have our XML that looks like this:
<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="ROOT">
<characteristic type="da40188b9189a3edeeaeda97fe2f9df5b7d18a41">
<parm name="EncodedCertificate" value="MIICgjCCAeugAwIBAgIBBDANBgkqhkiG9w0BAQQFADBTMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEmMCQGA1UEAxMdRXF1aWZheCBTZWN1cmUgZUJ1c2luZXNzIENBLTEwHhcNOTkwNjIxMDQwMDAwWhcNMjAwNjIxMDQwMDAwWjBTMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEmMCQGA1UEAxMdRXF1aWZheCBTZWN1cmUgZUJ1c2luZXNzIENBLTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM4vGbwXt3fek6lfWg0XTzQaDJj0ItlZ1MRoRvC0NcWFAyDGr0WlIVFFQesWWDYyb+JQYmT5/VGcqiTZ9J2DKocKIdMSODRsjQBuWqDZQu4aIZX5UkxVWsUPOE9G+m34LjXWHXzr4vCwdYDIqROsvojvOm6rXyo4YgKwEnv+j6YDAgMBAAGjZjBkMBEGCWCGSAGG+EIBAQQEAwIABzAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFEp4MlIR21kWNl7fwRQ2QGpHfEyhMB0GA1UdDgQWBBRKeDJSEdtZFjZe38EUNkBqR3xMoTANBgkqhkiG9w0BAQQFAAOBgQB1W6ibAxHm6VZMzfmpTMANmvPMZWnmJXbMWbfWVMMdzZmsGd20hdXgPfxiIKeES1hl8eL5lSE/9dR+WB5Hh1Q+WKG1tfgq73HnvMP2sUlG4tega+VWeponmHxGYhTnyfxuAxJ5gDgdSIKN/Bf+KpYrtWKmpj29f5JZzVoqgrI3eQ=="/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
Save this file as "_setup.xml" in C:\Cabs
Open up a command prompt window. Type cd C:\Cabs
Run our make cab:
MakeCAB.exe /D COMPRESS=OFF _setup.xml cert.cab
Copy cert.cab to your device and then install it! You should now have the certificate in your device's root store.
I've attached "certifticate.zip" which contains the source _setup.xml and the compiled cab file
Vista specific instructions soon!
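The manual steps above (read the thumbprint, strip the BEGIN/END lines and line breaks, fill in the XML) can be scripted and checked. The Python below is an added example, not part of the original post: it builds the same _setup.xml from a base64 export and audits an existing file by recomputing each thumbprint from the embedded certificate. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

def pem_to_der(pem):
    """Drop the BEGIN/END lines and the line breaks, then base64-decode."""
    lines = (line.strip() for line in pem.splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)

def thumbprint(der):
    """Windows shows the SHA-1 of the DER bytes as the Thumbprint field."""
    return hashlib.sha1(der).hexdigest()

def build_setup_xml(pem):
    """Build the provisioning document from a base64 (.cer) export."""
    der = pem_to_der(pem)
    doc = ET.Element("wap-provisioningdoc")
    csp = ET.SubElement(doc, "characteristic", type="CertificateStore")
    store = ET.SubElement(csp, "characteristic", type="ROOT")
    entry = ET.SubElement(store, "characteristic", type=thumbprint(der))
    ET.SubElement(entry, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")

def audit_setup_xml(xml_text):
    """List (store, declared thumbprint, matches embedded cert) per entry."""
    results = []
    doc = ET.fromstring(xml_text)
    for store in doc.findall("characteristic[@type='CertificateStore']/characteristic"):
        for entry in store.findall("characteristic"):
            declared = entry.get("type", "").replace(" ", "").lower()
            parm = entry.find("parm[@name='EncodedCertificate']")
            try:
                actual = thumbprint(base64.b64decode(parm.get("value"), validate=True))
            except (AttributeError, TypeError, ValueError):
                actual = None  # parm missing or value is not valid base64
            results.append((store.get("type"), declared, declared == actual))
    return results

# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate " * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    xml_text = build_setup_xml(SAMPLE_PEM)
    print(xml_text)
    print(audit_setup_xml(xml_text))
```

A match only shows the file is internally consistent. Compare the declared thumbprint with the one read from your own CA before the cab goes onto devices, since anything placed in the ROOT store is trusted as an issuer.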