Risto Helin's Forum Nokia Blog - SSL certificates in S60 3.0

Install SSL certificate in code?

Hi,
How can I install a SSL certificate in code?

Installing Exchange client in my N95

I have the same trouble with my N95, when i conect to my exchanger server, tell me tht is a not secure conection, and always i muts answer yes to make the conection

I hace de owa certificaction but i cant inslla in my phone, , using vista software , cant create cer file but when i try to open it with de file manegar in phone, can't run and "Unable to open file. File type not supported".

how can i import a certificate in my N95?

After installing a root CA I have created

After installing a root CA I have created, I had two trust settings on my Nokia N75, Internet and Online Certif. Check. Does the Internet trust setting include all SSL or TLS connections including those made by the request of a MIDP application, or just HTTPS?
What is Online Certif. Check? Checking CRLs or OSCP? Is it possible to install a root CA for Midp or Symbian signing or does that require special access to the Phone and SIM card?

every new connection asks for my certificate and i have to enter password. that happens at every ajax request fi. how can i set a default certificate and how can i remove the password for certificate manager?

regards
thomas

i got it working with my E51

created a ca certificate in DER format ca.der
created a personal certificate signed with my ca as myname.p12
copied both to sd card and opened both files in filemanager. now you can import ca.der and myname.p12
now can i access a ssl secured website with client certificate authentication. works also with imap4.

all done with openssl

greets
thomas

Root CA Import Fails, Corrupt File and/or File Type Unknown

Hello,

I hope you can point me in the right direction, I have read through many threads on this site, as well as others, and googled this subject quite often. I have a N95 8GB, runnning Version 30.0.018 Dated July 23, 2008. I have created a Self Signed Certificate using OpenSSL, as well as GNUTLS certtool and converted the pem to der. I want to use this certificate to connect with a TLS server using a preshared key. I am able to import the Certificate into my web browser and view the extensions, which have Basic Constraints of CA, & Usage: Signer , CRL Signer.

I have tried to put the CA on the phone, in the phone memory partition with the extension(s) of cer, der, crt. Every time I tried to open, and start the importing process I get an error, "Unable to open file. File type not supported".

So, then I try to use the web method, setting the mime type on the directory, then using wlan I browse to the certificate, root.cer/der/crt. The cer, crt attempts, download the certificate, then i see the "Save Ceritficate" label in the background, at that point, the "File Corrupt" popup is displayed. When i download the file root.der, it downloads and i can save it to the phone partition, though, when i try to open the file, i get the "unable to open file. file type not supported".

Is there a way to view some sort of log file that I can trace and find a solution to this issue? Could it be the firmware? Any suggestions on how to get this certificate on the phone?

Thanks in advance

personal certificate for S40

Hello.
I have a question.
Is there any way to import personal certificate for Nokia s40 ?
What's user cetificate in S40? how does it work?
Can i insert a security module ?

I've been make SSL connecttion (With Client cetificate require) as well with S60 but I need to do with S40.

sorry for my poor english

Private Key ?

hello,

I have some difficulties to understand this topics, so, I won't probably ask some new question:

1 - I have a exchange server 2007 with SSL
2 - I have a certificate (.cer not a .p12)
3 - I have to configure my Nokia N95 with Mail for Exchange to connect to this server.

Questions:
1 - how to create a P12 file with this .cer without private key ?
2 - if it's not possible, how to find the prive key ? Does all server, which have SSL, have a private key ?
3 - what's the option "SSLAlwaysNegocClientCert="TRUE" ? where do we find this file "metabase.xml" ?

Thanks a lot for your reaction and answers.

Root Certificate Usage

After installing a root CA I have created, I had two trust settings on my Nokia N75, Internet and Online Certif. Check. Does the Internet trust setting include all SSL/TLS connections including those made by the request of a MIDP application, or just HTTPS? Also, what is Online Certif. Check? Checking CRLs or OSCP? Is it possible to install a root CA for Midp or Symbian signing or does that require special access to the Phone and/or SIM card?

Re: SSL certificates in S60 3.0

Rippe,

Can you please post an example of where to add de SSLAlwaysNegocClientCert="TRUE" tag in the metabase.xml

Thanks in advance,
Martin

i have the same problem:
tried to install .p12 files on my Nokia N73: I copy the files to Documents folder in the phone, but when I select the file in Nokia File Manager it says "Cannot open file".
why???
i executed the procedure with der format
i can only import CA in der format in a file .cer as authority, but i can not importing personal certificate

Secure connection with MfE - is it really possible ?!

Hello,

I've recently purchased an E61i.

I would like to be secure connected with MfE (Mail for Exchange - IIS server of course) with a legal certificate.
1) is it possible ?
2) how to know the release of the operating system in the mobile ?
3) how to import the certificate in the mobile ?
4) do I need to change something in the IIS server (I don't understand what to do with the .xml file) ?

Thank you,

Alain

How about S40

It is painful to pay for the midlet to sign? Why should we pay it? It is my phone, if I want to install some application that I developed, why should I pay Verisign money!!! And also I hate the operators that disabled the J2ME API. Why? Because some API be disbaled onpurpose by the operator, like AT&T. Fox eample, nokia phone model 6085, when release in other country you can access getSnapshot() while in US you can't. Why the AT&T or cingular disable the getSnapshot API. It is my phone and I as the owener of the mobile phone, should control the phone myself. Agree?

certificate not valid

HI I am using a n73 and can not raed the display againtst the theams thats avail from nokia- like to load a BLACK theam -but all give me a cert. not valid yet??
I have change the date as some sugg. to 2004-2008 NO luck can you help

Adding SSLAlwaysNegoClientCert="TRUE"

Hi, Could you please tell what is right line in metabase.xml file to put string SSLAlwaysNegoClientCert="TRUE"

There is many sections in this file and can´t find the right line to add it.

Certificate Authentication on ISA

Hi Risto, I hope you're still reading the comments here and can help.

I'm experiencing similar issues to miiflin, however I'm using ISA 2004 to publish our website instead of IIS. Do you know of any setting similar to that of IIS you've stated in your response that applies to ISA? Or is there a known problem using certificate authentication with ISA/Symbian?

I'm using an s60 3rd edition phone, and when I hit my website the browser crashes with "Web: Unable to perform operation". When I remove the certificate authentication the site work fine.

Any help would be greatly appreciated.

Cheers,
Brendon

DER encoded?

I have the same problem as Marco.

I have an .pfx file, and from that I have 'generated' the pem. file wich has both the -----BEGIN RSA PRIVATE KEY-----
data
-----END RSA PRIVATE KEY-----
and the
-----BEGIN CERTIFICATE-----
data
-----END CERTIFICATE-----
sections

but how do I move on from here?, and can I do that with openssl?

How do I create the der file?
How do I create the .p12 file?

Regards

Gert

The only advice I can give is to assure that:
-The certificate is a general X.509 certificate
-It is DER encoded
-The private key and certificate file are in the PKCS 12 package

My guess is the DER encoding.

Any luck?

Risto

I tried to install .p12 files on my Nokia N73: I copy the files to Documents folder in the phone, but when I select the file in Nokia File Manager it says "Cannot open file".

How can I make my N73 recognize and install .p12 files?

Thank you very much,

Marco

Miika, sorry, no idea.

Btw, the document I was referring can be found in the Platform Security pages (see my signature for the link).

..and that did the trick! Now I can access the web site nicely. Thanks!

One question more; do you know is there a way to get rid of the phone key store's password
query when accessing page in S60v3? It seems that there is the option in "module pin" in Security Module that says"Module PIN request" - which is on and cannot be changed to off-status?
Is there a way in certificate import procedure or some other way to set that to off?

Thanks and regards,

--Miika

A correction, there is a typo in the link:

SSLAlwaysNegoClientCert="TRUE"

Risto

I asked around and this is what I got:

"S60 3.0 has limited TLS client authentication support. It doesn't allow user to select client certificates. If there is a matching client certificate, first matching certificate is selected without prompting user.

Another thing is that there has been problems with making secure connection with client authtication against IIS servers. This was happening because IIS 5.1 and 6.0 as default starts with normal handshake and then they send "hello request" to start another handshake that includes asking client certificate. This is not supported by S60 3.0. But It is possible to configure IIS 6.0 so that it won't send hello request. This can be configured by adding the following link to Metabase.xml

SSLAlwaysNegocClientCert="TRUE""

Risto

Thanks Risto,

I've managed to import the client certificates to phone using OpenSSL certs according your specs.

But,

Do you know whether S60v3 native web browser should support client authentication mechanism?
At least I haven't been able to make it work, it seems that browser hangs after connecting to website (Webserver send ack for need for client certificate). If I import the same client certificate to
IE, it works fine and browser prompts for client certificate to choose from.

Or could there be something still wrong with the importing certificate? One thing which seems quite
odd is that the cert usage is marked as <unknown> althought in IE it's "Proves your identity to a remote computer"?

Regards,

Miika Flink