The Symbian certstore allows two types of certificates to be imported: root certificates and user certificates.
Please note that certificates must be in DER format to be imported. Also, the absolute path to the certificate file must be given regardless of the current directory in the shell. For example, if you are in the directory c:\temp which contains mycert.der, to import the certificate you must issue the command:
certtool -import c:\temp\mycert.der
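The two requirements above (DER encoding and an absolute path) can be checked on the host before a file is handed to certtool. The following is an added example, not part of the original documentation or of certtool itself; the function names are hypothetical, "absolute" is assumed to mean a drive-rooted path as in the example above, and the DER check covers only the outer SEQUENCE framing, not the certificate contents.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\[^\\]")  # drive-rooted, e.g. c:\temp\mycert.der

def der_total_length(data: bytes):
    """Return the encoded size of the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:       # 0x30 = SEQUENCE, outer tag of a certificate
        return None
    first = data[1]
    if first < 0x80:                           # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                           # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:   # n == 0 is indefinite length, not DER
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    if data[2] == 0 or (n == 1 and length < 0x80):  # DER demands the minimal encoding
        return None
    return 2 + n + length

def pem_to_der(data: bytes):
    """Decode the first PEM block to DER bytes; return None if data is not PEM."""
    m = PEM_RE.search(data)
    if not m:
        return None
    return base64.b64decode(b"".join(m.group(2).split()))

def preflight(path: str, data: bytes):
    """List the reasons this file would not meet the import requirements."""
    problems = []
    if not ABS_PATH_RE.match(path):
        problems.append("path is not absolute")
    if pem_to_der(data) is not None:
        problems.append("file is PEM, convert to DER first")
    elif der_total_length(data) != len(data):
        problems.append("file is not a single well-formed DER SEQUENCE")
    return problems

# Constructed sample: outer SEQUENCE framing only, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(preflight(r"c:\temp\mycert.der", SAMPLE_DER))
    print(preflight("mycert.der", SAMPLE_PEM))
```
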
A certificate always has a label associated with it. A label can be specified during the import operation with the -label option; if this option is not present, the full path to the certificate file is taken as the label. Labels must be unique within a specific certstore implementation. If a label is not unique, an error occurs. For instance, if the certstore contains a certificate with label abc:
certtool -list abc
Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved.
Label: abc
Format: WTLS
Owner Type: Root (CA)
Issuer Name: Limited Liability
Subject Name: Limited Liability
Valid From: 15:13:18 Tue 29th Feb 2000
Valid Until: 15:43:18 Sat 29th Feb 2020
Trusted for Applications:
If you try to import a certificate with the same label, an error occurs.
c:\>certtool -label abc -import c:\certstore\ent-wtls2.cer
Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved.
The given label is invalid, or already present in the certstore.
Label: abc
Format: WTLS
Owner Type: Root (CA)
Issuer Name: Limited Liability
Subject Name: Limited Liability
Valid From: 15:13:18 Tue 29th Feb 2000
Valid Until: 15:43:18 Sat 29th Feb 2020
Trusted for Applications:
However, this error occurs only because the import targeted a certstore implementation in which the same label already exists. The command did not specify a certstore implementation, so index 0 was used by default. It is possible to insert the certificate with label abc in the certstore implementation with index 1:
certtool -label abc -store 1 -import c:\certstore\ent-wtls2.cer
Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved.
Certificate imported successfully.
Label: abc
Format: WTLS
Owner Type: Root (CA)
Issuer Name: Limited Liability
Subject Name: Limited Liability
Valid From: 15:13:18 Tue 29th Feb 2000
Valid Until: 15:43:18 Sat 29th Feb 2020
Trusted for Applications:
Importing root certificates
Root certificates typically belong to a certificate authority (CA) and a number of them are present on a final product. Root certificates are used to verify the authenticity of signed content. Root certificates are self-signed, and often termed top-level certificates.
All the examples in the previous sections referred to root certificates.
A certificate is imported as a CA root certificate if and only if the corresponding private key cannot be found in the keystore.
Importing user certificates
User certificates belong to the phone owner. Using a user certificate, phone owners can authenticate themselves. For example, during SSL/TLS, the owner can perform client authentication. To import a user certificate, both the certificate and its corresponding private key must be stored in the Symbian keystore.
If the private key corresponding to a given certificate is already present in the Symbian keystore, the certificate will be automatically imported as a user certificate.
Assume that the private DSA key corresponding to the certificate stored in dsa_cert1.der is present in the Symbian keystore. The following command imports the certificate as a user certificate:
certtool -label abc -import c:\certstore\data\dsa_cert1.der
Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved.
Certificate imported successfully.
Label: abc
Format: X509
Owner Type: User
Issuer Name: 10.32.193.163
Subject Name: Internet Widgits Pty Ltd
Valid From: 16:06:43 Tue 02nd Jun 2009
Valid Until: 16:03:43 Sat 01st Aug 2009
Trusted for Applications:
If the private key is not already present in the keystore, the same command imports the certificate as a CA certificate.
Keytool can be used to add private keys to the Symbian keystore. Alternatively, if you only want to import a user certificate, point to a DER-encoded PKCS8 file containing the key using the -private option. After importing the key, certtool sets the owner of the key to "WriteDeviceData", so that keytool is able to manipulate the key, performing actions such as remove or setuser.
Assume the DSA private key corresponding to the certificate stored in dsa_cert1.der is not present in the keystore and that the required DSA private key is stored in DER-encoded PKCS8 format in the file pkcs8dsa1.001.
certtool -label abc -private c:\certstore\data\pkcs8dsa1.001 -import c:\certstore\data\dsa_cert1.der
Symbian CertStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved.
Certificate imported successfully.
Label: abc
Format: X509
Owner Type: User
Issuer Name: 10.32.193.163
Subject Name: Internet Widgits Pty Ltd
Valid From: 16:06:43 Tue 02nd Jun 2009
Valid Until: 16:03:43 Wed 01st Jul 2009
Trusted for Applications:
Note: Either secdlg or tsecdlg needs to be in \epoc32\release\winscw\udeb. However, if both of them are present in the specified location, it will cause a panic.
In addition, the corresponding DSA key is inserted in the keystore with the same label as the certificate.
keytool -d -list abc
Symbian KeyStore Manipulation Tool
Copyright (c) 2004-2009 Nokia Corporation and/or its subsidiary(-ies). All rights reserved.
Algorithm: DSA
Size: 512 bits
Usage: PKCS15 Sign Code: 0x4
User: No Users registered.
Access flags: Extractable
ID: c0 fa d9 …
Label: abc
Native: Yes
Start date: not set
End data: not set
Copyright ©2010 Nokia Corporation and/or its subsidiary(-ies). All rights reserved. Unless otherwise stated, these materials are provided under the terms of the Eclipse Public License v1.0.