This section provides details on how the certtool can be used to create a default certstore to be used in a new device. For instance, a device creator would want to create a default certstore to be shipped with every device. The default certstore will most likely contain some default root certificates.
User certificates might be added as well, for instance a device creator might add a user certificate to allow a particular device to authenticate itself during a SSL/TLS connection. In this manner the server will be sure it is interacting with a certain device model.
The internal representation of a certificate store
The contents of a certificate store are preserved in two files, CAcerts.dat and certclients.dat. An actual device would store the default files in ROM, from there the files will be copied to RAM when the certstore is first used. The original ROM files are copied to RAM only if the files are not there already.
The paths where the files are stored in ROM are:
The paths where the files are stored in RAM are:
The full paths for the emulator in ROM are:
\epoc32\release\(platform)\(build)\z\ System\Data\CACerts.dat
\epoc32\release\(platform)\( build)\z\ System\Data\certclients.dat
The full paths for the emulator in RAM are:
where (platform) stands for wins, winscw, armi, etc. and (build) for either udeb or urel.
If the files are not present in RAM, when the certstore is first used the files are copied from ROM. If the files are not present at all, new empty ones will be created, this event should not occur in production devices.
Generating a default certificate store
You can generate a default certificate store (the two files, CACerts.dat and certclients.dat) using certtool and the emulator. You can then take the resulting CACerts.dat and certclients.dat files and insert them in the final rom.
To have a certificate store containing two certificates Class1PrimaryCA.cer and serverca.cer, the first step is to copy them to the emulator c drive. Copy them to a location, say \epoc32\(platform)\c.
Use certtool to import the two certificates. Start the eshell: \epoc32\release\(platform)\(build)\eshell.exe.
From the shell, import the certificates:
certtool –label “Class 1” –import c:\Class1PrimaryCA.cer
certtool –label “Server CA” –import c:\serverca.cer
The next step is to set the applicability of the certificates. If the “Class 1” certificate is to be trusted for software installation, SSL/TLS and OCSP, while the “Server CA” must be trusted for software installation only, you can then use certtool in the following manner:
certtool -setapps –apps SWInstall SSL/TLS SWInstallOCSP “Class 1”
certtool -setapps –apps SWInstall “Server CA”
Copyright ©2010 Nokia Corporation and/or its subsidiary(-ies).
All rights
reserved. Unless otherwise stated, these materials are provided under the terms of the Eclipse Public License
v1.0.