As Paul says. T The fact that you don't know what .cer and .key etc. files are indicates you are trying to install a certificate when you don't know why. You have a problem, you think installing a certificate will solve that problem. 99.9% it won't and its the wrong solution. Say what your problem is not what you think the solution is.
For example, you cannot deploy a certificate and expect the installer to veriufy that the sis file is signed. The installer only uses code signing certificates in ROM.
As was posted in the Installing certificates link:
You need to put the .pfx file onto the device and use that. When you run it, it will prompt for a password which is the password you will have used when you created the .pfx file.
This will add the certificate to the local certificate store.
AFAIK you can only create a pfx file when you have both the private and public key. You will then be required to create a passphrase for the exported pfx file.
So for example going to amazon.com and installing the certificate will just install the certificate in your local store, it won't allow you to create a pfx file as you do not have the private key. Of course you could create an untrusted certificate where you will have both keys, but that is a bit pointless.
What you are aree talking about is in IE you can go to say https://amazon.com, this will prompt you that the certificate is invalid as the domain is wrong.
You can then choose "View certificate" and install certificate, but its pretty useless for creating a pfx file. From the start menu select run and enter "certmgr.msc" which will run the certificate management program and you can view you certificates there
Try this new document for more help on configuring your web server to create the file.
Without seeing the cer file, it is impossible to know, but I would bet that the creator did not declare it as a CA type certificate.
You cannot install a pfx file that is not a CA type certificate. Go back to the person and ask them to regenerate it.
The other option is as the document stated, find a web server under your control and get it to deliver the file as x509 certificate which is doing some conversion under the covers (Never tried this)
Sorry, I am not going to anwer any more questions until you actually explain what you are trying to do as certificates are a) complex b) difficult and c) You need to really need to know what all the really stuff means (Crypto background)
I suggest you run the latest (not beta) of xca + follow the doc, which id s moing and create a certificate that way to learn how to install a self generated cert on the phone.
The certificate Im dealing with is issued by VeriSign Class 3 Code Signing 2004 CA
Yesterday I read through the paper IEEE P1363 "Standard Spesifications for Public Key Cryptography". (I have also read a substansial part of the book about AES written by RijnDeal.) ((Next thing to read about is the X.509 standard/format.))
I realize that Signature Schemes (P1393) is the thing when talking about certificates (and signing).
Why do I want to install this certificate on my device? Several people ask me how to install certificates on symbian 3ed so I need to know alot about this. Its only a certificate to start with.
Thanks for the advices. Ill get the latest xca with doc and see what it brings.
p.s. I do understand, and can explain why GF (p) and GF(2^m) are fields
Talking to myself am I? (Selfsigning? Question is really: Do I trust myself?)
I read section 3.1 of the paper "Installing Certificates to S60 3ed Devices" Quote:"A private key and a certificate file are to packaged into a PKCS 12 package (...)"
Which private key is this about? The private key accosiated with the certificate? If so, it makes no sense. I should never give away my private key.
A certificate contains some information (Name, Company, Email etc), a public key, and a sign. The sign is either by a 3ed trusted party, or the certificate is selfsigned. So I use my private key in a certain way on some piece of information. Now any holder of my certificate can be shure that I am the creator of the information by applying the public key contained in the certificate in a certain way. Right?
You can be absolutely shure I wrote this, becuse Im selfsigned on behalf om my own trust in myself.
I wonder if you misundertand what you want to accomplish.
The code signing certificate is used to sign the sis file to submit to the test house, this house then removes this (after veryfying it via the signiture) and signs it with the symbian root certificate and this can be used to install the application on any phone. Certificates are never deployed to the phone, they are already in ROM
You cannot put a code signing certificate on the phone. You cannot add code signing certificates to the phone as the installer ONLY looks in the ROM, it does not look at non ROM certificates.
Remember you are INSTALLING the certificate on the phone to provide verification for people who ask to prove who you are, otherwise anyone could copy your certificate onto any phone and say they were you.
Typically PKCS12 is used to provide digital signatures.
However you can use some certificates to prove to the server you are who you are when the SSL session handshake occurs. Here you present your certificate "verified" by a passphrase to the web server and it presents its certificate to you to show who it is. This is done when the SSL session requires client validation (in which case the server must also have the client public certificate) so that a peice of data can be encrypted with the client's public key to validate the client is who they are.
Forum posts: 462
http://s60.blogg.se/211106103129_certificate_installation_in_s60.html
A little googling might also get you more information regarding the same.
Hope it helps..
Good Luck and cheers
Neil
Forum posts: 25
I try to send the .cer file to my phone, but filemanager doesent recognize the file. Maybe it is because the key is not inclueded in the .cer file.
I have three files: .cer .key .pfx
anybody that know how theese three files relate?
Forum posts: 140
Look on the forum nokia site for a doc on how to install a SSL certificate which is the only useful certifcate you can use.
Paul Todd
Forum posts: 364
The fact that you don't know what .cer and .key etc. files are indicates you are trying to install a certificate when you don't know why. You have a problem, you think installing a certificate will solve that problem. 99.9% it won't and its the wrong solution.
Say what your problem is not what you think the solution is.
Forum posts: 25
To be more presice: how do you take your .cer and your .key and put these together in a certificate in DER-format?
For a reference, read section 3.1 (page 10) in the .pdf contained in this .zip
http://forum.nokia.com/info/sw.nokia.com/id/1acf61ea-7c28-4e45-946e-48525a86e179/S60_Platform_End-to-End_DM_Example_v1_1_en.zip.html
Forum posts: 140
See http://www.forum.nokia.com/info/sw.nokia.com/id/8e3cda0c-8802-41d4-ad3a-661fe989985a/Installing_Certificates_to_S60_3rd_Edition_Devices_v1_0_en.pdf.html
For example, you cannot deploy a certificate and expect the installer to veriufy that the sis file is signed. The installer only uses code signing certificates in ROM.
Paul Todd
Forum posts: 25
Your refered article is good reading.
Magnus
Forum posts: 140
You need to put the .pfx file onto the device and use that. When you run it, it will prompt for a password which is the password you will have used when you created the .pfx file.
This will add the certificate to the local certificate store.
Paul Todd
Forum posts: 25
I have read that every browers supports exporting .cer and.key to pkcs 12, but certainly my internet explorer dont.
WTF, OMFG
Forum posts: 140
AFAIK you can only create a pfx file when you have both the private and public key. You will then be required to create a passphrase for the exported pfx file.
So for example going to amazon.com and installing the certificate will just install the certificate in your local store, it won't allow you to create a pfx file as you do not have the private key. Of course you could create an untrusted certificate where you will have both keys, but that is a bit pointless.
What you are aree talking about is in IE you can go to say https://amazon.com, this will prompt you that the certificate is invalid as the domain is wrong.
You can then choose "View certificate" and install certificate, but its pretty useless for creating a pfx file. From the start menu select run and enter "certmgr.msc" which will run the certificate management program and you can view you certificates there
Try this new document for more help on configuring your web server to create the file.
http://forum.nokia.com/info/sw.nokia.com/id/4c2373a8-2b94-4b6a-8e70-95cc9ac9841c/Creating_Certificates_for_a_Web_Server_Using_XCA_v1_0_en.pdf.html
See http://www.source-code.biz/snippets/vbasic/3.htm on how to create a local pfx file
Paul Todd
Forum posts: 25
Someone have also created a .pfx file from them. (The .pfx-file that my device doesent recognize)
.key is the private key. Where is my public key?
Forum posts: 140
You cannot install a pfx file that is not a CA type certificate. Go back to the person and ask them to regenerate it.
The other option is as the document stated, find a web server under your control and get it to deliver the file as x509 certificate which is doing some conversion under the covers (Never tried this)
Sorry, I am not going to anwer any more questions until you actually explain what you are trying to do as certificates are a) complex b) difficult and c) You need to really need to know what all the really stuff means (Crypto background)
I suggest you run the latest (not beta) of xca + follow the doc, which id s moing and create a certificate that way to learn how to install a self generated cert on the phone.
Paul Todd
Forum posts: 25
The certificate Im dealing with is issued by VeriSign Class 3 Code Signing 2004 CA
Yesterday I read through the paper IEEE P1363 "Standard Spesifications for Public Key Cryptography".
(I have also read a substansial part of the book about AES written by RijnDeal.)
((Next thing to read about is the X.509 standard/format.))
I realize that Signature Schemes (P1393) is the thing when talking about certificates (and signing).
Why do I want to install this certificate on my device? Several people ask me how to install certificates on symbian 3ed so I need to know alot about this. Its only a certificate to start with.
Thanks for the advices. Ill get the latest xca with doc and see what it brings.
p.s. I do understand, and can explain why GF (p) and GF(2^m) are fields
Forum posts: 25
(Selfsigning? Question is really: Do I trust myself?)
I read section 3.1 of the paper "Installing Certificates to S60 3ed Devices"
Quote:"A private key and a certificate file are to packaged into a PKCS 12 package (...)"
Which private key is this about? The private key accosiated with the certificate?
If so, it makes no sense. I should never give away my private key.
A certificate contains some information (Name, Company, Email etc), a public key, and a sign.
The sign is either by a 3ed trusted party, or the certificate is selfsigned.
So I use my private key in a certain way on some piece of information. Now any holder of
my certificate can be shure that I am the creator of the information by applying the public key contained
in the certificate in a certain way. Right?
You can be absolutely shure I wrote this, becuse Im selfsigned on behalf om my own trust in myself.
Forum posts: 140
The code signing certificate is used to sign the sis file to submit to the test house, this house then removes this (after veryfying it via the signiture) and signs it with the symbian root certificate and this can be used to install the application on any phone. Certificates are never deployed to the phone, they are already in ROM
You cannot put a code signing certificate on the phone. You cannot add code signing certificates to the phone as the installer ONLY looks in the ROM, it does not look at non ROM certificates.
Remember you are INSTALLING the certificate on the phone to provide verification for people who ask to prove who you are, otherwise anyone could copy your certificate onto any phone and say they were you.
Typically PKCS12 is used to provide digital signatures.
However you can use some certificates to prove to the server you are who you are when the SSL session handshake occurs. Here you present your certificate "verified" by a passphrase to the web server and it presents its certificate to you to show who it is. This is done when the SSL session requires client validation (in which case the server must also have the client public certificate) so that a peice of data can be encrypted with the client's public key to validate the client is who they are.
Paul Todd