FCL/sf/os/security: cryptoservices/certificateandkeymgmt/documentation/building-certstore.txt@ccc1dbc4665c (annotated)

8 35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	1	Title: Building Certificate Store
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	2	Owner: Gleb Dolgich
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	3	Contributors: Xavier Leclercq, Gleb Dolgich
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	4	Copyright (C) 2003 Symbian Limited. All rights reserved.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	5	================================================================================
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	6
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	7	Purpose
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	8	-------
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	9
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	10	This document describes how to build CACerts.dat (certificate store) and
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	11	certclients.dat (certificate client applications) files. These files are stored
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	12	on a device in c:\system\data\ directory. They are necessary for Software
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	13	Install and SSL/TLS.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	14
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	15	Certificates and trusters
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	16	-------------------------
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	17
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	18	Every certificate stored in CACerts.dat has a set of UIDs associated with it,
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	19	each UID marking the certificate as good for a particular purpose (application).
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	20	Currently the following applications/UIDs are defined:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	21
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	22	- SW Install (268452523, or 0x100042AB)--certificate is suitable for software
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	23	install (SIS files);
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	24	- SW Install OCSP Signing (268478646, or 0x1000A8B6)--certificate is suitable
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	25	for OCSP checking (SIS files);
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	26	- MIDlet Installation (270506792, or 0x101F9B28)--certificate is good for Java
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	27	MIDlet installation, which includes OCSP checking;
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	28	- Server Authentication (268441661, or 0x1000183D)--certificate is suitable for
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	29	SSL/TLS server authentication.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	30
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	31	These UIDs are stored in certclients.dat file. Once certclients.dat is in
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	32	c:\system\data on the device, the Certificates Control Panel applet allows
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	33	manual assignment of applications to each certificate.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	34
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	35	Files needed
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	36	------------
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	37
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	38	The following files are needed to build a certificate store:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	39
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	40	- T_CERTSTORE.EXE test harness, which is located in security/certman/tcertstore;
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	41	build it from security/certman/group;
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	42	- bldcertstore.txt: test script located in security/certman/tcertstore/scripts;
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	43	you can modify it depending on which certificates/applications you want
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	44	included in the store. This script is exported into device's
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	45	c:\tcertstore\scripts.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	46
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	47	The following certificates are used for running tests:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	48
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	49	- Symbiana.der "Identity ACS Root"--Symbian application signing certificate that
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	50	is provided for reference only and is not used by tests
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	51	- Symbianb.der "Testing ACS Root"--Symbian application signing test certificate
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	52	that is provided for reference only and is not used by tests
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	53	- cacert.crt "TestCA"--SSL server CA certificate (self-signed)
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	54	- thawtetest.crt "Thawte Root"--SW Install certificate
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	55	- TOCSP-Root5-RSA.cer--SW Install and MIDlet Installation
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	56	- TOCSP-Signing5-RSA.cer--OCSP Signing
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	57
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	58	These certificates are copied into c:\tappinst\certs\ directory on the device.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	59
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	60	Building the store
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	61	------------------
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	62
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	63	To build a certificate store, perform the following steps:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	64
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	65	1. Build the T_CERTSTORE test harness and export test files for appinst and
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	66	certman.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	67
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	68	2. Go to the appropriate build directory (udeb or urel) and run the following
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	69	command:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	70
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	71	t_certstore c:\tcertstore\scripts\bldcertstore.txt c:\bldcertstore.log
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	72
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	73	This will build c:\system\data\cacerts.dat and c:\system\data\certclients.dat
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	74	with test certificates. If you need to add your own certificates, modify the
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	75	bldcertstore.txt script accordingly. The ‘console’ option is necessary to ensure
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	76	the tool can operate independently of the UI environment.

author	William Roberts <williamr@symbian.org>
	Fri, 02 Apr 2010 10:15:22 +0100
branch	RCL_3
changeset 51	ccc1dbc4665c
parent 8	35751d3474b7
permissions	-rw-r--r--