Importing certificates on Symbian

Last update: Oct 26, 2007

1.1 Introduction

Personal certificate installed on a Nokia device

The page that you are now reading describes how you can import root certificates and personal certificates on a Symbian S60 device. Personal certificates are often distributed in the form of a PKCS#12 file. PKCS#12 files contain a personal certificate and its corresponding private key, a root certificate and optionally a number of intermediate CA certificates. PKCS#12 files are stubbornly called "PFX" files by Microsoft. PFX was actually a predecessor to PKCS#12, as this PKCS#12 FAQ explains.

1.2 Author

The author of this document is Jacco de Leeuw (contact me). Corrections, additions, extra information etc. are much appreciated.

2. Contents

Introduction
Contents
Importing certificates on Symbian
Importing a root certificate
Obtaining a personal certificate in a PKCS#12 certificate file
Importing a personal certificate
Protecting the private key of your personal certificate
Web enrolment
Web client authentication
EAP-TLS
Certificates and Exchange
Acknowledgements and disclaimer
Revision history

3 Importing certificates on Symbian

3.1 Overview

Symbian S60 devices ship with a certificate manager. Older devices such as those running S40 probably do not have a certificate manager. There are two certificate stores (tabs) in the S60 certificate manager: "Authority" and "Personal". The personal certificate store is initially empty, but the authority certificate store is populated with a number of root certificates of well-known CAs (Baltimore Cybertrust, Entrust, Equifax, Globalsign, GTE Cybertrust, Geotrust, Nokia, Thawte, Verisign and Valicert).

Personal certificates listed in the certificate manager can be used with a number of applications, including:

Web client authentication with Nokia's Web Browser for S60 (more info).
User authentication in 802.1x WiFi wireless networks (EAP-TLS only) (more info).
Nokia Mobile VPN Client (IPsec client).
(more?)

As far as I know, Symbian does not support secure e-mail standards such as S/MIME or PGP out of the box. You need third-party software for that. If you know any, contact me and I will list them here.

Many other Symbian applications (prefer to) implement their own support for certificates. I understand the following software do this:

Opera Mobile (webbrowser)
NetFront (webbrowser)

Back to Contents

4 Importing a root certificate

If you import a personal certificate the associated root certificate is normally already included in the same file. In that case you don't have to import the root certificate seperately (skip to: "Importing a personal certificate").

There are several applications that require a root certificate but not a personal certificate. For example, you use an Exchange Server with a server certificate that was issued by your own CA and you want to connect to this server with Nokia's Mail for Exchange application.

Here is the procedure for importing a root certificate on a Symbian based device:

The root certificate should be in binary DER format. If it isn't, convert it to DER on a desktop PC. For example, import the certificate on a Windows PC and then re-export it to DER. Or, on Linux, use OpenSSL to convert it: openssl x509 -in cert.pem -out cert.cer -outform DER
Transfer the root certificate file to your Symbian device. You can use any method to do the transfer: the Nokia PC Suite, a flash memory card, Bluetooth, WiFi, infrared etc. Note: downloading the root certificate file with the Nokia webbrowser from a webserver requires some extra attention when configuring the webserver. It may not work with every configuration (it currently does not work with the CAcert website, for example).
Open the root certificate file. In this screenshot, the root certificate file was sent with Bluetooth from the PC to the Symbian device. The file is opened by opening the message in the Inbox.
The device asks if you want to save the root certificate. Check the details and select "Save".
You get the message: "New certificate may be unsecure. Save anyway?". Select "Save".
Enter a name for this root certificate. In most cases you can simply use the default name. Select "OK".
At "Certificate uses:", a list of application categories is displayed that can use this root certificate. Select the trust settings: "Internet" and "Online cert. checking". (According to the Nokia documentation, these are for "E-mail and graphics" and "Online certificate status protocol", respectively. Other trust settings are "App. installation" for installing Java applications, and "Symbian installation" for installing Symbian applications).
You should see the message: "Certificate saved".
Go to the main menu of your device and select "Tools" -> "Settings" -> "Security".
Select "Certif. management".
You should now see the new certificate listed in the certificate manager.
If you select "Options", you can view the certificate details, change the trust settings or delete the certificate.

Back to Contents

5. Obtaining a personal certificate in a PKCS#12 certificate file

If the application that you want to use requires a personal certificate then you need to obtain a personal certificate and the corresponding private key. These are unique for every user. Usually you also need one or more CA (root or intermediate) certificates. These certificates are shared by all users. In many cases the certificates are issued by your organisation's CA and not by one of the "well-known" CAs such as Verisign or Thawte: using your own CA is less expensive and third-party CAs cannot be implicitly trusted for in-house applications such as VPNs.

In most cases the user credentials (private key plus certificates) are distributed in a PKCS#12 file. This file is handed to you by your system administrator. The PKCS#12 file is encrypted with a password, which is also supplied to you. Alternatively, if you already have a certificate with private key on your desktop (Windows) PC, you can export it from that PC to a PKCS#12 file. You will be asked to enter a password to protect the PKCS#12 file. If you have multiple PCs or PDAs, you actually do not have to request different certificates. You can import the same certificate to all these devices, if you want. In fact, if you obtained your certificate from a well-known CA such as Verisign, exporting to PKCS#12 is probably the only way to get this certificate installed on Pocket PC because these CAs only support desktop PCs for requesting certificates. Instructions for exporting your personal certificate from your browser (Internet Explorer, Mozilla or Netscape) to a PKCS#12 file can be found on this page (note: if you export from IE you should select the option "Include all certificates in the certification path if possible". This will add all intermediate certificates in the PKCS#12 file. This is required because Windows Mobile does not have the ability to automatically retrieve intermediate certificates from a server).

If you are a system administrator you need a CA to generate the keys and certificates for your users. You can for instance use OpenSSL (with or without front-ends such as OpenCA, TinyCA or IDX-PKI) or you could use Windows 2000/2003 Certificate Services.

Back to Contents

6. Importing a personal certificate

A personal certificate has an associated private key which also has to be installed (see "Public Key cryptography" for the basics on this). There are basically two methods of installing a personal certificate: certificate enrolment and certificate import.

Enrolling for a personal certificate can be done at websites of vendors such as Verisign and CAcert. You can also enrol at your own CA if you have one. Unfortunately, Symbian does not appear to support enrolling for a certificate. But what you can do is enrol at a desktop PC and export the personal certificate you get to a PKCS#12 file.

Here is the procedure for importing a personal certificate on a Symbian based device:

The personal certificate should be in PKCS#12 format (also known as PFX). Read this if you want to obtain a PKCS#12 file. You may need to include all intermediate certificates in the PKCS#12 file because I'm not sure if Symbian can pull intermediate CA certificates on demand from the server.
Transfer the personal certificate file to your Symbian device. You can use any method to do the transfer: the Nokia PC Suite, a flash memory card, Bluetooth, WiFi, infrared etc. In this screenshot the PKCS#12 file was sent with Bluetooth from the PC to the Symbian device. The file is opened by opening the message in the Inbox.
Enter the password that was used to encrypt the PKCS#12 file.
The device reports the number of items in the file. Select "Save".
If this is the first time that you have imported a PKCS#12 file:

You get a message "Unable to use private keys. Key store password must be set first."
Enter a key store password. This password protects the private key of your personal certificate on the device. The password must be a minimum of 6 characters, otherwise the option "OK" will not be displayed.
Enter your key store password again for verification.

Symbian will first ask if you want to save the personal certificate included with the PKCS#12 file. Your name in the certificate should be displayed. Select "Save".
Enter a name for this personal certificate. In most cases you can simply use the default name. Select "OK".
You should see the message "Certificate saved".
The device asks if you want to save the root certificate. Check the details and select "Save".
You get the message: "New certificate may be unsecure. Save anyway?". Select "Save".
Enter a name for this root certificate. In most cases you can simply use the default name. Select "OK".
At "Certificate uses:", a list of application categories is displayed that can use this root certificate. Select the trust settings: "Internet" and "Online cert. checking". (According to the Nokia documentation, these are for "E-mail and graphics" and "Online certificate status protocol", respectively. Other trust settings are "App. installation" for installing Java applications, and "Symbian installation" for installing Symbian applications).
You should see the message: "Certificate saved".
And finally a status report: "Saved 1 private key, 1 personal certificate, 1 authority certificate".
Go to the main menu of your device and select "Tools" -> "Settings" -> "Security".
Select "Certif. management".
You should now see the new certificate listed in the certificate manager.
If you select "Options", you can view the certificate details or delete the certificate.

Back to Contents

7, Protecting the private key of your personal certificate

Once you have imported a personal certificate to your Symbian device, its associated private key is protected with a "phone key store" password. Every time the private key is used (for example, for authenticating to a website) you are prompted for this password. The password can be changed in Tools -> Settings -> Security -> Security Module. If you have not yet imported a personal certificate it will report "(no security modules)". Once you have imported a personal certificate you should see a "Phone key store". If you open it, you see the "Module PIN" key store. Open that one, and you see the options "Phone key store code", "Module PIN request" and "Status". You can change the phone key store password (or "code") by selecting the first option. For some reason I could not select the other two options. My Nokia device kept asking for the phone key store password when I used my personal certificate. This is a bit of a nuisance. I would preferred that it cached the password for some time, similar to what Mozilla Firefox and Thunderbird do.

Back to Contents

8. Web enrolment

Windows clients support web enrolment, an alternative to importing a certificate from a file. I do not know if Symbian support web enrolment. I suspect it does not.

Check out my other webpage for information on web enrolment in general.

Back to Contents

9. Web client authentication

As you probably know, webbrowsers can secure their connections with the SSL protocol. Most SSL websites use a server certificate to authenticate the server and usernames and passwords for clients that wish to authenticate. The advantage is that this is easy to use. However, some websites (for instance, Internet banking sites) may require personal certificates instead because these are more secure than usernames and passwords.

The native webbrowser included with Symbian is Nokia's Web Browser for S60. This browser is based on Apple's WebKit, which is on its turn is based on KDE's KHTML.

If you would like to test client side certificate authentication with your Symbian device, you can obtain a free personal certificate from CAcert.org, install it on your Symbian device and use it to connect to the CAcert "Cert Login" website.

Here is the procedure for web client authentication with a personal certificate:

Start the Web Browser.
Go to the web page that requires authentication with a personal certification. This screenshot for example shows the "Certificate login" page of CAcert.
The device asks for your key store password.
In fact, it may ask several times for that password. :-( I don't know how to change this.
You should now be logged in.

Symbian supports server certificates which contain a wildcard (e.g. *.example.com). The CAcert website uses a wildcard certificate, for example. I do not know if Symbian can retrieve intermediate certificates if the (web)server does not send the chain of intermediate certificates on its own initiative.

Back to Contents

10. EAP-TLS

Some Symbian devices ship with built-in WiFi wireless network support. Examples are the Nokia E60/E61/E70/N95 and others. Wireless networks often need to be secured so that only authenticated users are allowed to use them. Home networks often use authentication based on a preshared key (similar to a password) but enterprise networks usually employ a more elaborate authentication framework based on the Extensible Authentication Protocol (EAP).

There is a large number of EAP authentication methods. Symbian supports several of these EAP methods out of the box: EAP-SIM, EAP-AKA, EAP-PEAP (Microsoft), EAP-TLS, EAP-TTLS (Funk) and EAP-LEAP (Cisco). However, I have read that their implementation is a bit lacking.

EAP-TLS requires the use of personal certificates. For the other protocols you do not need to import a personal certificate. Instead, you typically buy a server certificate from one of the "trusted" root certification authorities that are present in Symbian devices. Or, you would install your own CA certificate on your Symbian device. In the latter case you would save some money, but it may turn out to be a bit of a hassle if you have a large number of Symbian clients.

EAP-TLS is more secure than PEAP et al. because it uses certificates for both user and server authentication. Plus, EAP-TLS is supported by many vendors and ratified by the IETF in RFC 2716, whereas the other proposed EAP standards are currently still in draft phase. Therefore EAP-TLS is often used by enterprises with strong security requirements. The drawback of EAPl-TLS is that personal certificates are more difficult to distribute and manage than passwords or PSKs.

Here is the procedure for configuring EAP-TLS authentication with a personal certificate:

Go to Tools -> Settings -> Connection.
Select "Access points".
Select "Options", "New access point" and "Use default settings".
Enter a connection name for the new connection. (In the example screenshots it is "Test conn").
At "Data bearer", select "Wireless LAN".
Enter the wireless LAN's SSID (i.e. name) at "WLAN netw. name" (or use the option "Search for netw.").
At "WLAN security mode" select either "WPA/WPA2" or "802.1x". Ask your system administrator if you don't which one is used on your wireless network.
Select "WLAN security sett."
At "WPA/WPA2" select "EAP" (this option is also displayed even if you choose "802.1x" in the previous step).
Select "EAP plug-in settings".
Select "EAP-TLS".
Click "Options" and select "Enable" to enable EAP-TLS. (I'm not sure if you need to disable EAP-SIM and EAP-AKA).
Click "Options" again and select "Configure".
At "User certificate", select your personal certificate.
At "CA certificate", select your CA's certificate.
At "User name in use" and "Realm in use", select either "From certificate" or "User-configured". "From certificate" is probably the easiest option. Try that one first. If that does not work, try your username and realm if you happen to know these.
Click "Back". Click "Back" again.
If you chose "WPA/WPA2" for the "WLAN security mode", there is an extra option "WPA2 only mode". This can be set to "On" if you are sure that your wireless network supports strong WPA2 encryption.
Click "Back".
Change "Network status" and "Homepage" if you need these.
Click "Back". The connection that you just created for your wireless LAN will be displayed.
Click "Back", "Back" and "Exit".
When you start a network application (such as the web browser) it will look for access points. If you are in range of the wireless network that you just created, you should able to select it and connect to it.

Personal certificates that are used in EAP-TLS should probably contain the "Client Authentication" Extended Key Usage purpose (EKU), which has the value "1.3.6.1.5.5.7.3.2". This is the case for Windows clients and it might also be the case for Symbian clients as well.

Back to Contents

11. Certificates and Exchange

Nokia has released an Exchange client for E-series phones and a number of N-series phones. Apparently they have licensed the ActiveSync protocol from Microsoft. "Mail for Exchange" can be downloaded here.

Connections between this client and Exchange can be secured with SSL. In fact, the use of SSL is highly recommended when clients connect over a hostile network such as the Internet. As with any other SSL server, this requires a server certificate to be installed on the IIS / Exchange server. The server presents this server certificate to authenticate itself to clients. You may need to install the root certificate of your CA on the Symbian device, if it is not already there. Then the clients authenticate to the server.

On SSL webservers, there are two options for client authentication: basic authentication (usernames/passwords) and certificate based authentication (personal certificates). Personal certificates provides stronger authentication than usernames and passwords. But usernames and passwords are probably easier to use. Nokia's "Mail for Exchange" client supports authentication with usernames/passwords but it does seem to support personal certificates.

If you don't want to install a root certificate, there is an option "Secure connection" that you could set to "no". This will disable SSL encryption on the Nokia Mail for Exchange client. But it is only recommended to do this when you are testing over a secure network, e.g. on your own LAN! Windows Mobile has another option which does use SSL encryption but without verification of the server certificate. The Nokia client does not support this option, which is probably for the best because it only seems to confuse people into thinking that it is secure.

Back to Contents

12. Acknowledgements and disclaimers

This page shows screenshots of a device resembling a Nokia device but this does not necessarily mean an endorsement of, or by, Nokia, Symbian or any other company. I disclaim everything anyway :-). Nokia and Symbian are trademarks or registered trademarks of Nokia Corporation and Symbian Ltd, respectively. The author of this webpage is not associated with Nokia or any other company mentioned on the page. All trademarks are owned by their respective companies.

Back to Contents

13. Revision history

Oct 21, 2007: Moved info to seperate page.
Oct 1, 2007: Added more on Symbian.
Oct 26, 2006: Added info on Symbian devices.

Jacco de Leeuw