Symbian3/PDK/Source/GUID-DF4A992B-E03B-57F5-9D5B-1C112FC16544.dita
changeset 1 25a17d01db0c
child 3 46218c8b8afa
0:89d6a7a84779 1:25a17d01db0c
       
     1 <?xml version="1.0" encoding="utf-8"?>
       
     2 <!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
       
     3 <!-- This component and the accompanying materials are made available under the terms of the License 
       
     4 "Eclipse Public License v1.0" which accompanies this distribution, 
       
     5 and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
       
     6 <!-- Initial Contributors:
       
     7     Nokia Corporation - initial contribution.
       
     8 Contributors: 
       
     9 -->
       
    10 <!DOCTYPE concept
       
    11   PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
       
    12 <concept id="GUID-DF4A992B-E03B-57F5-9D5B-1C112FC16544" xml:lang="en"><title>Example
       
    13 for Creating a Default Certificate Store</title><prolog><metadata><keywords/></metadata></prolog><conbody>
       
    14 <p>This section provides details on how the <codeph>certtool</codeph> can
       
    15 be used to create a default certstore to be used in a new device. For instance,
       
    16 a device creator would want to create a default certstore to be shipped with
       
    17 every device. The default certstore will most likely contain some default
       
    18 root certificates. </p>
       
    19 <p>User certificates might be added as well, for instance a device creator
       
    20 might add a user certificate to allow a particular device to authenticate
       
    21 itself during a SSL/TLS connection. In this manner the server will be sure
       
    22 it is interacting with a certain device model. </p>
       
    23 <p><b>The internal representation of a certificate store </b> </p>
       
    24 <p>The contents of a certificate store are preserved in two files, CAcerts.dat
       
    25 and certclients.dat. An actual device would store the default files in ROM,
       
    26 from there the files will be copied to RAM when the certstore is first used.
       
    27 The original ROM files are copied to RAM only if the files are not there already. </p>
       
    28 <p>The paths where the files are stored in ROM are: </p>
       
    29 <ul>
       
    30 <li id="GUID-A8FD8FBB-D3E1-51CB-8851-0F3E93875BA6"><p> <filepath>z:\System\Data\CACerts.dat</filepath>  </p> </li>
       
    31 <li id="GUID-840018D2-0200-5276-9696-C6BDA6AD75B0"><p> <filepath>z:\System\Data\certclients.dat</filepath>  </p> </li>
       
    32 </ul>
       
    33 <p>The paths where the files are stored in RAM are: </p>
       
    34 <ul>
       
    35 <li id="GUID-6C0E43B6-5C5F-5DC8-9030-09376F3E86AF"><p> <filepath>c:\System\Data\CACerts.dat</filepath>  </p> </li>
       
    36 <li id="GUID-999CFC77-565B-579A-A64E-2AD9B10B013A"><p> <filepath>c:\System\Data\certclients.dat </filepath>  </p> </li>
       
    37 </ul>
       
    38 <p>The full paths for the emulator in ROM are: </p>
       
    39 <ul>
       
    40 <li id="GUID-26756A2A-1148-531D-AFCD-A7C101C6C191"><p> <filepath>\epoc32\release\(platform)\(build)\z\
       
    41              System\Data\CACerts.dat</filepath>  </p> </li>
       
    42 <li id="GUID-25213156-B9D1-5A9F-BD4E-26B026D02C6A"><p> <filepath>\epoc32\release\(platform)\(
       
    43 build)\z\              System\Data\certclients.dat </filepath>  </p> </li>
       
    44 </ul>
       
    45 <p>The full paths for the emulator in RAM are: </p>
       
    46 <ul>
       
    47 <li id="GUID-3A4B028D-A8B4-5B1A-8867-B08A3A48CBB7"><p> <filepath>\epoc32\(platform)\c\
       
    48 System\Data\CACerts.dat</filepath>  </p> </li>
       
    49 <li id="GUID-021DCED1-D59D-5CDC-AD6B-ED3BD4D0EBF4"><p> <filepath>\epoc32\(platform)\c\
       
    50 System\Data\certclients.dat </filepath>  </p> </li>
       
    51 </ul>
       
    52 <p>where (platform) stands for wins, winscw, armi, etc. and (build) for either
       
    53 udeb or urel. </p>
       
    54 <p>If the files are not present in RAM, when the certstore is first used the
       
    55 files are copied from ROM. If the files are not present at all, new empty
       
    56 ones will be created, this event should not occur in production devices. </p>
       
    57 <p><b>Generating a default certificate store </b> </p>
       
    58 <p>You can generate a default certificate store (the two files, CACerts.dat
       
    59 and certclients.dat) using <codeph>certtool</codeph> and the emulator. You
       
    60 can then take the resulting CACerts.dat and certclients.dat files and insert
       
    61 them in the final rom. </p>
       
    62 <p>To have a certificate store containing two certificates <filepath>Class1PrimaryCA.cer</filepath> and <filepath>serverca.cer</filepath>,
       
    63 the first step is to copy them to the emulator c drive. Copy them to a location,
       
    64 say <filepath>\epoc32\(platform)\c</filepath>. </p>
       
    65 <p>Use <codeph>certtool</codeph> to import the two certificates. Start the
       
    66 eshell: <filepath>\epoc32\release\(platform)\(build)\eshell.exe</filepath>. </p>
       
    67 <p>From the shell, import the certificates: </p>
       
    68 <p><userinput>certtool –label “Class 1” –import c:\Class1PrimaryCA.cer</userinput> </p>
       
    69 <p><userinput>certtool –label “Server CA” –import c:\serverca.cer</userinput> </p>
       
    70 <p>The next step is to set the applicability of the certificates. If the “Class
       
    71 1” certificate is to be trusted for software installation, SSL/TLS and OCSP,
       
    72 while the “Server CA” must be trusted for software installation only, you
       
    73 can then use <codeph>certtool</codeph> in the following manner: </p>
       
    74 <p><userinput>certtool -setapps –apps SWInstall SSL/TLS SWInstallOCSP “Class
       
    75 1”</userinput> </p>
       
    76 <p><userinput>certtool -setapps –apps SWInstall “Server CA”</userinput> </p>
       
    77 </conbody><related-links>
       
    78 <link href="GUID-4462E8C8-CF27-5F3B-ACE3-4213DA6C377C.dita"><linktext>certtool
       
    79 Reference</linktext></link>
       
    80 </related-links></concept>
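Review bot: The userinput commands on lines 68 to 76 mix typographic characters with ASCII ones: –label, –import and –apps start with an en dash and the labels are wrapped in curly quotes (“Class 1”, “Server CA”), while -setapps uses a plain hyphen. A reader who pastes these into eshell is passing characters that are unlikely to be parsed as option prefixes or quoting, so the import or the applicability step can fail and leave a default store without the intended trust settings. Suggest ASCII - and " throughout the userinput elements. Two smaller points in the same file: the store file is spelled CAcerts.dat on line 24 and CACerts.dat everywhere else, and the emulator filepath elements on lines 40 to 43 and 47 to 50 contain line breaks and runs of spaces inside the path (line 42 even breaks inside "(build)"), which will render as broken paths; pick one casing and keep each path on a single line. "rom" on line 61 should also be "ROM" to match the rest of the text.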