Monday, December 21, 2009

Installing X.509 certificates on Nokia S60 3rd edition device

Sometimes you need to install your own X.509 certificate on the phone in order to authorize some web site, Exchange server, or installed software, or in general to use a TLS (SSL) connection. According to the guide provided on the Nokia forums – it's a piece of cake! However, sometimes problems arise, and you start wondering what could have gone wrong. The next thing you do is try to find the answer somewhere on the Internet. Well, you'll get a whole bunch of different posts about positive or negative experiences, and you'll find different solutions that are sometimes weird, sometimes don't work, and sometimes work but not on your phone. In general, most solutions are correct; you just need to pay attention to one nobody-ever-mentioned thing.

First, a little theory, so you'll know what I am talking about. X.509 certificate files come with several extensions. Here is the description from Wikipedia for the most common ones:

  • .pem - Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
  • .cer, .crt, .der - usually in binary DER form, but Base64-encoded certificates are common too
  • .p12 - PKCS#12, may contain certificate(s) (public) and private keys (password protected)
  • .pfx - PFX, predecessor of PKCS#12 (but most of the time the actual data is PKCS#12, only the extension is kept)

If you are not very technical, you just need to know that .pem files are text files. So you can open them in any text editor (like GEdit or Notepad) and see a bunch of letters and numbers after the first line, which says “-----BEGIN CERTIFICATE-----”. Those letters and numbers are actually a specially encoded binary certificate. Now, files with the extensions .cer, .crt, .der are usually (but not always!) binary files. That means that you cannot view their contents with a usual text editor. But pay attention to what is said at the end for this kind of file: “... but Base64-encoded certificates are common too”! That means that you can have a certificate file with, for example, a .cer extension, but it will be a text file actually encoded as a .pem file! And what's the difference, you ask, why should I care?

Well, here we come to the most interesting part. Nokia phones on the S60 3rd edition platform cannot import .pem certificates! They cannot import certificates that are represented as text files. You need a binary DER encoded file. And what's really exciting – you can have a .cer, .crt, or even .der file, but it will be a text file that was renamed from .pem! Well, your computer's web browser will cope with it just fine. Your computer's mail program will cope with it just fine, too. But not your Nokia phone!

If you are still wondering “how do I know what kind of certificate file I have?”, then try a simple thing. Open the file with any text editor and see: if it opens correctly and has the first line as “-----BEGIN CERTIFICATE-----”, then this is a text .pem file. If it doesn't open correctly or has something really crazy inside – then it is probably a binary .der file.

If you have a binary certificate file, then just transfer it to the phone and open it with the phone's File Manager. It will ask you to import the certificate, just like the mentioned tutorial says. What if you have a text certificate file? Then you should convert it to the binary representation. There is a free and open source program that can do it for you, called OpenSSL. A compiled version of OpenSSL for Windows can be found here. Ubuntu users just type in a terminal: sudo apt-get install openssl.

So, you've got the program! Next thing you do is type in terminal the following command:

openssl x509 -outform der -in certificate.pem -out certificate.der

In place of 'certificate.pem' you should put your text certificate file (it can have the extension .pem, .cer, .crt, or .der, but it should be a text file) and in place of 'certificate.der' you just put any name you want. After executing this command (pressing Enter in the terminal after typing it there) you should get a file named 'certificate.der' (or whatever you've put there) in your directory, which will be a binary DER encoded certificate file. After that you do the same thing that I wrote before – transfer the file to the phone and open it with File Manager. And you're done!

Now, let's mention the .p12 files. As I said before, those are binary files containing a public certificate and a password-protected private key. According to the already beloved Nokia guide, this kind of file should be supported for installation on the phone. Well, not necessarily. In fact, unfortunately, my Nokia N73 phone with the latest firmware does not import .p12 certificate files. I don't know why. Nokia support does not know either. I didn't dig deeper into the problem, because I actually didn't need to install the certificate with the private key – I probably will not decrypt any content with my phone that was signed or encrypted with the public certificate (that is why you actually need a private key). But if you still need to import just the certificate from the .p12 file, you need to extract it first. The following command can be used:

openssl pkcs12 -in keyStore.p12 -out certificate.pem -nodes -nokeys

In place of 'keyStore.p12' you put the name of your .p12 file and in place of 'certificate.pem' you put any name. After executing this command you will get a text certificate file. Please, pay attention – it will be a text certificate file. You will need to convert it to binary format with the command mentioned before.
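
The content check and the conversion described above, wrapped into one script (an added example, not part of the original post; the function names cert_format and to_der are made up here). It classifies the file by its content instead of its extension, and it searches the whole file for the BEGIN line because the text file written by openssl pkcs12 starts with "Bag Attributes" lines.

```sh
#!/bin/sh
# Added example: decide PEM vs DER from the file content, then write the
# binary DER file that the S60 phone can import.

# Print "pem", "der" or "unknown" for the file named in $1.
cert_format() {
    # Match anywhere in the file: `openssl pkcs12 ... -nokeys` output puts
    # "Bag Attributes" lines before the BEGIN line.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    # A DER certificate is an ASN.1 SEQUENCE (0x30) with a two-byte
    # long-form length (0x82), so the file starts with bytes 30 82.
    elif [ "$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')" = "3082" ]; then
        echo der
    else
        echo unknown
    fi
}

# Write a DER copy of certificate $1 to $2 (two different paths).
# Returns non-zero if the input or the result is not a certificate.
to_der() {
    case "$(cert_format "$1")" in
        pem) openssl x509 -inform pem -in "$1" -outform der -out "$2" || return 1 ;;
        der) cp "$1" "$2" || return 1 ;;
        *)   echo "not a PEM or DER certificate: $1" >&2; return 1 ;;
    esac
    # Parse the result as DER so a bad file is caught on the computer,
    # not on the phone.
    openssl x509 -inform der -in "$2" -noout
}

# Usage: sh to_der.sh input-file output.der
if [ "$#" -eq 2 ]; then
    to_der "$1" "$2"
fi
```
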

Well, that's about it! Now you should have no problems with installing your own X.509 certificate files on the Nokia phone. I didn't test the other versions of Symbian OS for the support of text certificate files, because I do not have many Nokia phones, except my own N73 :) But I think that S60 4th and 5th editions do not support them either.
