Importing Certificates

The Symbian certstore allows two types of certificates to be imported: root certificates and user certificates.

Certificates must be in DER format to be imported. The path to the certificate file must be absolute, regardless of the shell's current directory. For example, if you are in the directory c:\temp, which contains mycert.der, import the certificate with:

certtool -import c:\temp\mycert.der

A certificate always has a label associated with it. The label can be specified during import with the -label option; if the option is absent, the full path to the certificate file is used as the label. Labels must be unique within a specific certstore implementation, and importing with a label that is already in use fails with an error. For instance, suppose the certstore contains a certificate with label abc:

certtool -list abc

Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Label: abc            Format: WTLS     Owner Type: Root (CA)
Issuer Name: Limited Liability        Subject Name: Limited Liability
Valid From: 15:13:18 Tue 29th Feb 2000 Valid Until: 15:43:18 Sat 29th Feb 2020
Trusted for Applications: 

If you try to import a certificate with the same label, an error occurs.

c:\>certtool -label abc -import c:\certstore\ent-wtls2.cer
Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
The given label is invalid, or already present in the certstore.
Label: abc            Format: WTLS     Owner Type: Root (CA)
Issuer Name: Limited Liability        Subject Name: Limited Liability
Valid From: 15:13:18 Tue 29th Feb 2000 Valid Until: 15:43:18 Sat 29th Feb 2020
Trusted for Applications: 

The error is reported because the certificate was being inserted into a certstore implementation that already holds a certificate with the label abc. The command did not name an implementation, so the default one, index 0, was used. The same label is acceptable in a different implementation: passing -store 1 inserts the certificate with label abc into the implementation with index 1.

certtool -label abc -store 1 -import c:\certstore\ent-wtls2.cer

Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Certificate imported successfully.
Label: abc            Format: WTLS     Owner Type: Root (CA)
Issuer Name: Limited Liability        Subject Name: Limited Liability
Valid From: 15:13:18 Tue 29th Feb 2000 Valid Until: 15:43:18 Sat 29th Feb 2020
Trusted for Applications: 

Importing root certificates

Root certificates typically belong to a certificate authority (CA), and a number of them are present on a final product. They are used to verify the authenticity of signed content. Root certificates are self-signed and are often termed top-level certificates.

All the examples in the previous sections referred to root certificates.

A certificate is imported as a CA root certificate if and only if the corresponding private key cannot be found in the keystore.

Importing user certificates

User certificates belong to the phone owner, who uses them to authenticate, for example as the client during SSL/TLS client authentication. To import a user certificate, its corresponding private key must be present in the Symbian keystore.

If the private key corresponding to a given certificate is already present in the Symbian keystore, the certificate will be automatically imported as a user certificate.

Assume that the private DSA key corresponding to the certificate stored in dsa_cert1.der is present in the Symbian keystore. The following command imports the certificate as a user certificate:

certtool -label abc -import c:\certstore\data\dsa_cert1.der

Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Certificate imported successfully.
Label: abc            Format: X509     Owner Type: User
Issuer Name: 10.32.193.163        Subject Name: Internet Widgits Pty Ltd
Valid From: 16:06:43 Tue 02nd Jun 2009 Valid Until: 16:03:43 Sat 01st Aug 2009
Trusted for Applications: 

If the private key is not already present in the keystore, the same command imports the certificate as a CA certificate. Check that the key is in the keystore, or supply it with -private, before importing; otherwise a certificate intended for client authentication ends up installed as a trusted root.

Keytool can be used to add private keys to the Symbian keystore. Alternatively, to import a user certificate and its key in one step, point certtool at a DER-encoded PKCS#8 file containing the private key with the -private option. After importing the key, certtool sets the owner of the key to "WriteDeviceData", so that keytool can still manipulate the key, for example to remove it or to run setuser on it.
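The following POSIX shell script is an added example and is not part of the original page or of certtool itself. It assumes the openssl command-line tool is installed, and it bundles the checks a practitioner would want before running the import commands above: converting a certificate to DER and a private key to unencrypted PKCS#8 DER (the formats -import and -private expect), predicting whether certtool will file the certificate as User or Root (CA) by comparing the key with the certificate, and testing a proposed label against captured "certtool -list" output in the format shown earlier. The fixtures it builds use a P-256 EC key rather than the page's DSA key; the checks themselves are key-type independent.

```shell
#!/bin/sh
# Pre-flight checks before "certtool -import". Hypothetical helper script,
# not part of certtool: it needs only the openssl CLI and POSIX tools.

# Convert a PEM or DER certificate ($1) to DER at $2. DER input is re-encoded,
# which also verifies that it really parses as an X.509 certificate.
cert_to_der() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
    else
        openssl x509 -in "$1" -inform DER -outform DER -out "$2"
    fi
}

# Convert a PEM private key ($1; PKCS#1, SEC1 or PKCS#8) to unencrypted
# PKCS#8 DER at $2, the form the -private option takes.
key_to_pkcs8_der() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -outform DER -out "$2"
}

# Compare the SubjectPublicKeyInfo of a DER certificate ($1) with the public
# half of a PKCS#8 DER key ($2). Exit status 0 means the key belongs to the cert.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -inform DER -pubkey -noout 2>/dev/null)
    kpub=$(openssl pkey -in "$2" -inform DER -pubout 2>/dev/null)
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# certtool files a certificate as User only when the matching private key is
# in the keystore (or supplied with -private); otherwise it becomes a Root (CA).
predict_owner_type() {
    if key_matches_cert "$1" "$2"; then echo "User"; else echo "Root (CA)"; fi
}

# Given captured "certtool -list" output ($1), report whether label $2 is
# already taken in that store: exit status 0 if a matching "Label:" line exists.
# The label is passed through the environment so backslashes in path-style
# labels are not interpreted by awk.
label_in_use() {
    printf '%s\n' "$1" | LBL="$2" awk '
        /^Label: / {
            s = $0
            sub(/^Label: /, "", s)
            sub(/[ \t]+Format: .*$/, "", s)
            if (s == ENVIRON["LBL"]) found = 1
        }
        END { exit !found }'
}

# Constructed fixtures for trying the checks offline: a self-signed P-256
# certificate with its key, plus an unrelated key. Prints the directory.
make_fixtures() {
    d=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/cert.key" 2>/dev/null
    openssl req -x509 -new -key "$d/cert.key" -out "$d/cert.pem" -days 30 \
        -subj "/CN=Internet Widgits Pty Ltd" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/other.key" 2>/dev/null
    cert_to_der "$d/cert.pem" "$d/cert.der"
    key_to_pkcs8_der "$d/cert.key" "$d/cert.p8"
    key_to_pkcs8_der "$d/other.key" "$d/other.p8"
    echo "$d"
}

# Constructed listing in the "certtool -list" output format shown above.
SAMPLE_LISTING='Symbian CertStore Manipulation Tool
Label: abc            Format: WTLS     Owner Type: Root (CA)
Issuer Name: Limited Liability        Subject Name: Limited Liability'

main() {
    d=$(make_fixtures)
    echo "cert.p8  -> $(predict_owner_type "$d/cert.der" "$d/cert.p8")"
    echo "other.p8 -> $(predict_owner_type "$d/cert.der" "$d/other.p8")"
    if label_in_use "$SAMPLE_LISTING" abc; then
        echo "label abc already present in store 0: choose another label or use -store 1"
    fi
    rm -rf "$d"
}

# Run as "sh certtool-preflight.sh --demo" (script name is hypothetical).
case "${1:-}" in --demo) main ;; esac
```

The key comparison is deliberately done on the public key rather than by trusting file names: a key that does not belong to the certificate is exactly the case in which certtool would quietly install the certificate as a Root (CA).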

Assume the DSA private key corresponding to the certificate stored in dsa_cert1.der is not present in the keystore, and that the required DSA private key is stored in DER-encoded PKCS#8 format in the file pkcs8dsa1.001.

certtool -label abc -private c:\certstore\data\pkcs8dsa1.001 -import c:\certstore\data\dsa_cert1.der

Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
Certificate imported successfully.
Label: abc            Format: X509     Owner Type: User
Issuer Name: 10.32.193.163        Subject Name: Internet Widgits Pty Ltd
Valid From: 16:06:43 Tue 02nd Jun 2009 Valid Until: 16:03:43 Wed 01st Jul 2009
Trusted for Applications: 

Note: Either secdlg or tsecdlg must be present in \epoc32\release\winscw\udeb. If both are present in that location, a panic occurs.

In addition, the corresponding DSA key is inserted into the keystore with the same label as the certificate:

keytool -d -list abc

Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies).  All rights reserved.
    Algorithm: DSA    Size: 512 bits
    Usage: PKCS15 Sign     Code: 0x4
    User: No Users registered.
    Access flags: Extractable
    ID: c0 fa d9 …
    Label: abc
    Native: Yes
    Start date: not set    End date: not set