Title: Building Certificate Store
Owner: Gleb Dolgich
Contributors: Xavier Leclercq, Gleb Dolgich
Copyright (C) 2003 Symbian Limited. All rights reserved.
================================================================================

Purpose
-------

This document describes how to build the CACerts.dat (certificate store) and
certclients.dat (certificate client applications) files. These files are stored
on a device in the c:\system\data\ directory. They are necessary for Software
Install and SSL/TLS.

Certificates and trusters
-------------------------

Every certificate stored in CACerts.dat has a set of UIDs associated with it,
each UID marking the certificate as good for a particular purpose (application).
Currently the following applications/UIDs are defined:

- SW Install (268452523, or 0x100042AB)--certificate is suitable for software
  install (SIS files);
- SW Install OCSP Signing (268478646, or 0x1000A8B6)--certificate is suitable
  for OCSP checking (SIS files);
- MIDlet Installation (270506792, or 0x101F9B28)--certificate is good for Java
  MIDlet installation, which includes OCSP checking;
- Server Authentication (268441661, or 0x1000183D)--certificate is suitable for
  SSL/TLS server authentication.

These UIDs are stored in the certclients.dat file. Once certclients.dat is in
c:\system\data on the device, the Certificates Control Panel applet allows
manual assignment of applications to each certificate.

Files needed
------------

The following files are needed to build a certificate store:

- T_CERTSTORE.EXE test harness, which is located in security/certman/tcertstore;
  build it from security/certman/group;
- bldcertstore.txt: test script located in security/certman/tcertstore/scripts;
  you can modify it depending on which certificates/applications you want
  included in the store. This script is exported into the device's
  c:\tcertstore\scripts directory.

The following certificates are used for running tests:

- Symbiana.der "Identity ACS Root"--Symbian application signing certificate that
  is provided for reference only and is not used by tests
- Symbianb.der "Testing ACS Root"--Symbian application signing test certificate
  that is provided for reference only and is not used by tests
- cacert.crt "TestCA"--SSL server CA certificate (self-signed)
- thawtetest.crt "Thawte Root"--SW Install certificate
- TOCSP-Root5-RSA.cer--SW Install and MIDlet Installation
- TOCSP-Signing5-RSA.cer--OCSP Signing

These certificates are copied into the c:\tappinst\certs\ directory on the
device.

Building the store
------------------

To build a certificate store, perform the following steps:

1. Build the T_CERTSTORE test harness and export test files for appinst and
   certman.

2. Go to the appropriate build directory (udeb or urel) and run the following
   command:

    t_certstore c:\tcertstore\scripts\bldcertstore.txt c:\bldcertstore.log

This will build c:\system\data\cacerts.dat and c:\system\data\certclients.dat
with test certificates. If you need to add your own certificates, modify the
bldcertstore.txt script accordingly. The ‘console’ option is necessary to ensure
the tool can operate independently of the UI environment.