1 Title: Building Certificate Store |
|
2 Owner: Gleb Dolgich |
|
3 Contributors: Xavier Leclercq, Gleb Dolgich |
|
4 Copyright (C) 2003 Symbian Limited. All rights reserved. |
|
5 ================================================================================ |
|
6 |
|
7 Purpose |
|
8 ------- |
|
9 |
|
10 This document describes how to build CACerts.dat (certificate store) and |
|
11 certclients.dat (certificate client applications) files. These files are stored |
|
12 on a device in c:\system\data\ directory. They are necessary for Software |
|
13 Install and SSL/TLS. |
|
14 |
|
15 Certificates and trusters |
|
16 ------------------------- |
|
17 |
|
18 Every certificate stored in CACerts.dat has a set of UIDs associated with it, |
|
19 each UID marking the certificate as good for a particular purpose (application). |
|
20 Currently the following applications/UIDs are defined: |
|
21 |
|
22 - SW Install (268452523, or 0x100042AB)--certificate is suitable for software |
|
23 install (SIS files); |
|
24 - SW Install OCSP Signing (268478646, or 0x1000A8B6)--certificate is suitable |
|
25 for OCSP checking (SIS files); |
|
26 - MIDlet Installation (270506792, or 0x101F9B28)--certificate is good for Java |
|
27 MIDlet installation, which includes OCSP checking; |
|
28 - Server Authentication (268441661, or 0x1000183D)--certificate is suitable for |
|
29 SSL/TLS server authentication. |
|
30 |
|
31 These UIDs are stored in certclients.dat file. Once certclients.dat is in |
|
32 c:\system\data on the device, the Certificates Control Panel applet allows |
|
33 manual assignment of applications to each certificate. |
|
34 |
|
35 Files needed |
|
36 ------------ |
|
37 |
|
38 The following files are needed to build a certificate store: |
|
39 |
|
40 - T_CERTSTORE.EXE test harness, which is located in security/certman/tcertstore; |
|
41 build it from security/certman/group; |
|
42 - bldcertstore.txt: test script located in security/certman/tcertstore/scripts; |
|
43 you can modify it depending on which certificates/applications you want |
|
44 included in the store. This script is exported into device's |
|
45 c:\tcertstore\scripts. |
|
46 |
|
47 The following certificates are used for running tests: |
|
48 |
|
49 - Symbiana.der "Identity ACS Root"--Symbian application signing certificate that |
|
50 is provided for reference only and is not used by tests |
|
51 - Symbianb.der "Testing ACS Root"--Symbian application signing test certificate |
|
52 that is provided for reference only and is not used by tests |
|
53 - cacert.crt "TestCA"--SSL server CA certificate (self-signed) |
|
54 - thawtetest.crt "Thawte Root"--SW Install certificate |
|
55 - TOCSP-Root5-RSA.cer--SW Install and MIDlet Installation |
|
56 - TOCSP-Signing5-RSA.cer--OCSP Signing |
|
57 |
|
58 These certificates are copied into c:\tappinst\certs\ directory on the device. |
|
59 |
|
60 Building the store |
|
61 ------------------ |
|
62 |
|
63 To build a certificate store, perform the following steps: |
|
64 |
|
65 1. Build the T_CERTSTORE test harness and export test files for appinst and |
|
66 certman. |
|
67 |
|
68 2. Go to the appropriate build directory (udeb or urel) and run the following |
|
69 command: |
|
70 |
|
71 t_certstore c:\tcertstore\scripts\bldcertstore.txt c:\bldcertstore.log |
|
72 |
|
73 This will build c:\system\data\cacerts.dat and c:\system\data\certclients.dat |
|
74 with test certificates. If you need to add your own certificates, modify the |
|
75 bldcertstore.txt script accordingly. The ‘console’ option is necessary to ensure |
|
76 the tool can operate independently of the UI environment. |
|