Week 12 contribution of PDK documentation_content. See release notes for details. Fixes Bug 2054, Bug 1583, Bug 381, Bug 390, Bug 463, Bug 1897, Bug 344, Bug 1319, Bug 394, Bug 1520, Bug 1522, Bug 1892"
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
<!-- This component and the accompanying materials are made available under the terms of the License
"Eclipse Public License v1.0" which accompanies this distribution,
and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
<!-- Initial Contributors:
Nokia Corporation - initial contribution.
Contributors:
-->
<!DOCTYPE concept
PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept id="GUID-DF4A992B-E03B-57F5-9D5B-1C112FC16544" xml:lang="en"><title>Example
for Creating a Default Certificate Store</title><prolog><metadata><keywords/></metadata></prolog><conbody>
<p>This section provides details on how the <codeph>certtool</codeph> can
be used to create a default certstore to be used in a new device. For instance,
a device creator would want to create a default certstore to be shipped with
every device. The default certstore will most likely contain some default
root certificates. </p>
<p>User certificates might be added as well, for instance a device creator
might add a user certificate to allow a particular device to authenticate
itself during a SSL/TLS connection. In this manner the server will be sure
it is interacting with a certain device model. </p>
<p><b>The internal representation of a certificate store </b> </p>
<p>The contents of a certificate store are preserved in two files, CAcerts.dat
and certclients.dat. An actual device would store the default files in ROM,
from there the files will be copied to RAM when the certstore is first used.
The original ROM files are copied to RAM only if the files are not there already. </p>
<p>The paths where the files are stored in ROM are: </p>
<ul>
<li id="GUID-A8FD8FBB-D3E1-51CB-8851-0F3E93875BA6"><p> <filepath>z:\System\Data\CACerts.dat</filepath> </p> </li>
<li id="GUID-840018D2-0200-5276-9696-C6BDA6AD75B0"><p> <filepath>z:\System\Data\certclients.dat</filepath> </p> </li>
</ul>
<p>The paths where the files are stored in RAM are: </p>
<ul>
<li id="GUID-6C0E43B6-5C5F-5DC8-9030-09376F3E86AF"><p> <filepath>c:\System\Data\CACerts.dat</filepath> </p> </li>
<li id="GUID-999CFC77-565B-579A-A64E-2AD9B10B013A"><p> <filepath>c:\System\Data\certclients.dat </filepath> </p> </li>
</ul>
<p>The full paths for the emulator in ROM are: </p>
<ul>
<li id="GUID-26756A2A-1148-531D-AFCD-A7C101C6C191"><p> <filepath>\epoc32\release\(platform)\(build)\z\
System\Data\CACerts.dat</filepath> </p> </li>
<li id="GUID-25213156-B9D1-5A9F-BD4E-26B026D02C6A"><p> <filepath>\epoc32\release\(platform)\(
build)\z\ System\Data\certclients.dat </filepath> </p> </li>
</ul>
<p>The full paths for the emulator in RAM are: </p>
<ul>
<li id="GUID-3A4B028D-A8B4-5B1A-8867-B08A3A48CBB7"><p> <filepath>\epoc32\(platform)\c\
System\Data\CACerts.dat</filepath> </p> </li>
<li id="GUID-021DCED1-D59D-5CDC-AD6B-ED3BD4D0EBF4"><p> <filepath>\epoc32\(platform)\c\
System\Data\certclients.dat </filepath> </p> </li>
</ul>
<p>where (platform) stands for wins, winscw, armi, etc. and (build) for either
udeb or urel. </p>
<p>If the files are not present in RAM, when the certstore is first used the
files are copied from ROM. If the files are not present at all, new empty
ones will be created, this event should not occur in production devices. </p>
<p><b>Generating a default certificate store </b> </p>
<p>You can generate a default certificate store (the two files, CACerts.dat
and certclients.dat) using <codeph>certtool</codeph> and the emulator. You
can then take the resulting CACerts.dat and certclients.dat files and insert
them in the final rom. </p>
<p>To have a certificate store containing two certificates <filepath>Class1PrimaryCA.cer</filepath> and <filepath>serverca.cer</filepath>,
the first step is to copy them to the emulator c drive. Copy them to a location,
say <filepath>\epoc32\(platform)\c</filepath>. </p>
<p>Use <codeph>certtool</codeph> to import the two certificates. Start the
eshell: <filepath>\epoc32\release\(platform)\(build)\eshell.exe</filepath>. </p>
<p>From the shell, import the certificates: </p>
<p><userinput>certtool –label “Class 1” –import c:\Class1PrimaryCA.cer</userinput> </p>
<p><userinput>certtool –label “Server CA” –import c:\serverca.cer</userinput> </p>
<p>The next step is to set the applicability of the certificates. If the “Class
1” certificate is to be trusted for software installation, SSL/TLS and OCSP,
while the “Server CA” must be trusted for software installation only, you
can then use <codeph>certtool</codeph> in the following manner: </p>
<p><userinput>certtool -setapps –apps SWInstall SSL/TLS SWInstallOCSP “Class
1”</userinput> </p>
<p><userinput>certtool -setapps –apps SWInstall “Server CA”</userinput> </p>
</conbody><related-links>
<link href="GUID-4462E8C8-CF27-5F3B-ACE3-4213DA6C377C.dita"><linktext>certtool
Reference</linktext></link>
</related-links></concept>