NewLC - install certificate on v9 devices - Comments

Re: install certificate on v9 devices

bassbuss — Mon, 19 Mar 2007 11:25:18 +0100

First: thanks Paul and NumptyAlert for your interest and answers.

Quote

Remember you are INSTALLING the certificate on the phone to provide verification for people who ask to prove who you are, otherwise anyone could copy your certificate onto any phone and say they were you.

Paul: NO, im not installing the certificate on MY device for people to prove I am ME.
In order to do THAT I would put my PRIVATE key into MY phone, then use it (the PRIVATE key) on some stuff I want OTHER people to be shure that came from ME. Together with the stuff, I also send my certificate. Now anyone that believes whats written in the certificate can be shure the stuff came from me.

I would gladly give away my certificate to anybody, because NOBODY can claim they are me UNLESS they have the PRIVATE key that matches the PUBLIC key in MY certificate.

And Paul, you are absolutely right, certificates are difficult matters. In fact you DEMONSTRATE it quite well in your previous post.

The question is still: "How do you install a certificate on a symbian S60 3ed device?"

Yes, I would like to use "xca" in the process, but what to do exactly?

Re: install certificate on v9 devices

NumptyAlert — Fri, 16 Mar 2007 01:34:00 +0100

Quote from: Paul

Certificates are never deployed to the phone, they are already in ROM

the installer ONLY looks in the ROM, it does not look at non ROM certificates.

Actually it is possible to install certficates in RAM/Disk that are consulted by the installer, however this is done indirectly by installing a new certificate store (which contains the certificates) in addition to the existing certificate store already in ROM. However the ability to do this is something that a mere mortal won't ever be granted.

But back to the original question, the poster says they want to know how to install certificates because people have asked him how to do it. How do you know their questions are valid in the first place however? What if they don't understand what and why they are asking?

Re: install certificate on v9 devices

paul — Thu, 15 Mar 2007 21:32:38 +0100

I wonder if you misundertand what you want to accomplish.

The code signing certificate is used to sign the sis file to submit to the test house, this house then removes this (after veryfying it via the signiture) and signs it with the symbian root certificate and this can be used to install the application on any phone. Certificates are never deployed to the phone, they are already in ROM

You cannot put a code signing certificate on the phone. You cannot add code signing certificates to the phone as the installer ONLY looks in the ROM, it does not look at non ROM certificates.

Remember you are INSTALLING the certificate on the phone to provide verification for people who ask to prove who you are, otherwise anyone could copy your certificate onto any phone and say they were you.

Typically PKCS12 is used to provide digital signatures.

However you can use some certificates to prove to the server you are who you are when the SSL session handshake occurs. Here you present your certificate "verified" by a passphrase to the web server and it presents its certificate to you to show who it is. This is done when the SSL session requires client validation (in which case the server must also have the client public certificate) so that a peice of data can be encrypted with the client's public key to validate the client is who they are.

Re: install certificate on v9 devices

bassbuss — Thu, 15 Mar 2007 15:43:25 +0100

Talking to myself am I?
(Selfsigning? Question is really: Do I trust myself?)

I read section 3.1 of the paper "Installing Certificates to S60 3ed Devices"
Quote:"A private key and a certificate file are to packaged into a PKCS 12 package (...)"

Which private key is this about? The private key accosiated with the certificate?
If so, it makes no sense. I should never give away my private key.

A certificate contains some information (Name, Company, Email etc), a public key, and a sign.
The sign is either by a 3ed trusted party, or the certificate is selfsigned.
So I use my private key in a certain way on some piece of information. Now any holder of
my certificate can be shure that I am the creator of the information by applying the public key contained
in the certificate in a certain way. Right?

You can be absolutely shure I wrote this, becuse Im selfsigned on behalf om my own trust in myself.

Re: install certificate on v9 devices

bassbuss — Thu, 15 Mar 2007 10:11:33 +0100

Right, certificates are difficult matters.

The certificate Im dealing with is issued by VeriSign Class 3 Code Signing 2004 CA

Yesterday I read through the paper IEEE P1363 "Standard Spesifications for Public Key Cryptography".
(I have also read a substansial part of the book about AES written by RijnDeal.)
((Next thing to read about is the X.509 standard/format.))

I realize that Signature Schemes (P1393) is the thing when talking about certificates (and signing).

Why do I want to install this certificate on my device? Several people ask me how to install certificates on symbian 3ed so I need to know alot about this. Its only a certificate to start with.

Thanks for the advices. Ill get the latest xca with doc and see what it brings.

p.s. I do understand, and can explain why GF (p) and GF(2^m) are fields

Re: install certificate on v9 devices

paul — Wed, 14 Mar 2007 18:53:24 +0100

Without seeing the cer file, it is impossible to know, but I would bet that the creator did not declare it as a CA type certificate.

You cannot install a pfx file that is not a CA type certificate. Go back to the person and ask them to regenerate it.

The other option is as the document stated, find a web server under your control and get it to deliver the file as x509 certificate which is doing some conversion under the covers (Never tried this)

Sorry, I am not going to anwer any more questions until you actually explain what you are trying to do as certificates are a) complex b) difficult and c) You need to really need to know what all the really stuff means (Crypto background)

I suggest you run the latest (not beta) of xca + follow the doc, which id s moing and create a certificate that way to learn how to install a self generated cert on the phone.

Re: install certificate on v9 devices

bassbuss — Wed, 14 Mar 2007 16:30:46 +0100

I have .cer and .key file.
Someone have also created a .pfx file from them. (The .pfx-file that my device doesent recognize)

.key is the private key. Where is my public key?

Re: install certificate on v9 devices

paul — Wed, 14 Mar 2007 15:58:46 +0100

So how did you create the pfx file?

AFAIK you can only create a pfx file when you have both the private and public key. You will then be required to create a passphrase for the exported pfx file.

So for example going to amazon.com and installing the certificate will just install the certificate in your local store, it won't allow you to create a pfx file as you do not have the private key. Of course you could create an untrusted certificate where you will have both keys, but that is a bit pointless.

What you are aree talking about is in IE you can go to say https://amazon.com, this will prompt you that the certificate is invalid as the domain is wrong.

You can then choose "View certificate" and install certificate, but its pretty useless for creating a pfx file. From the start menu select run and enter "certmgr.msc" which will run the certificate management program and you can view you certificates there

Try this new document for more help on configuring your web server to create the file.

http://forum.nokia.com/info/sw.nokia.com/id/4c2373a8-2b94-4b6a-8e70-95cc9ac9841c/Creating_Certificates_for_a_Web_Server_Using_XCA_v1_0_en.pdf.html

See http://www.source-code.biz/snippets/vbasic/3.htm on how to create a local pfx file

Re: install certificate on v9 devices

bassbuss — Wed, 14 Mar 2007 15:30:57 +0100

I put my .pfx file into my device, but it doesent recognize the file.

I have read that every browers supports exporting .cer and.key to pkcs 12, but certainly my internet explorer dont.

WTF, OMFG

Re: install certificate on v9 devices

paul — Thu, 08 Mar 2007 17:30:50 +0100

As was posted in the Installing certificates link:

You need to put the .pfx file onto the device and use that. When you run it, it will prompt for a password which is the password you will have used when you created the .pfx file.

This will add the certificate to the local certificate store.

Re: install certificate on v9 devices

bassbuss — Thu, 08 Mar 2007 15:14:20 +0100

Thanks again, but my issue is not about installing a sisfile signed with my own installed certificate in that resides in the c-drive.

Your refered article is good reading.

Magnus

Re: install certificate on v9 devices

paul — Thu, 08 Mar 2007 14:00:52 +0100

As mung beans says, what use is a certificate on the phone?
See http://www.forum.nokia.com/info/sw.nokia.com/id/8e3cda0c-8802-41d4-ad3a-661fe989985a/Installing_Certificates_to_S60_3rd_Edition_Devices_v1_0_en.pdf.html

For example, you cannot deploy a certificate and expect the installer to veriufy that the sis file is signed. The installer only uses code signing certificates in ROM.

Re: install certificate on v9 devices

bassbuss — Thu, 08 Mar 2007 13:55:38 +0100

Thanks a lot for your comments.

To be more presice: how do you take your .cer and your .key and put these together in a certificate in DER-format?

For a reference, read section 3.1 (page 10) in the .pdf contained in this .zip
http://forum.nokia.com/info/sw.nokia.com/id/1acf61ea-7c28-4e45-946e-48525a86e179/S60_Platform_End-to-End_DM_Example_v1_1_en.zip.html

Re: install certificate on v9 devices

Mr. Buttington F. Phucque Lewis — Wed, 07 Mar 2007 23:54:59 +0100

As Paul says. T
The fact that you don't know what .cer and .key etc. files are indicates you are trying to install a certificate when you don't know why. You have a problem, you think installing a certificate will solve that problem. 99.9% it won't and its the wrong solution.
Say what your problem is not what you think the solution is.

Re: install certificate on v9 devices

paul — Wed, 07 Mar 2007 19:51:07 +0100

For a start why do you want to install a certificate on the phone.

Look on the forum nokia site for a doc on how to install a SSL certificate which is the only useful certifcate you can use.

install certificate on v9 devices

bassbuss — Wed, 07 Mar 2007 13:52:57 +0100