Importing certificates on Symbian
Last update: Oct 26, 2007
1.1 Introduction
The page that you are now reading describes how you can import root certificates and personal certificates on a Symbian S60 device.

Personal certificates are often distributed in the form of a PKCS#12 file. A PKCS#12 file contains a personal certificate and its corresponding private key and, usually, the certificates of the CA that issued it: the root certificate and optionally a number of intermediate CA certificates. Because the file contains a private key it is protected with a password. PKCS#12 files are stubbornly called "PFX" files by Microsoft. PFX was actually a predecessor to PKCS#12, as the PKCS#12 FAQ explains.
1.2 Author
The author of this document is Jacco de Leeuw (contact me). Corrections, additions, extra information etc. are much appreciated.
3. Importing certificates on Symbian
3.1 Overview
Symbian S60 devices ship with a certificate manager. Older devices, such as those running S40, probably do not have one.

There are two certificate stores (tabs) in the S60 certificate manager: "Authority" and "Personal". The personal certificate store is initially empty, but the authority certificate store is populated with a number of root certificates of well-known CAs (Baltimore Cybertrust, Entrust, Equifax, Globalsign, GTE Cybertrust, Geotrust, Nokia, Thawte, Verisign and Valicert). Every CA in that store can vouch for any server the phone connects to, so review the list (and the trust settings of each entry) rather than assuming the factory set is what you want.

Personal certificates listed in the certificate manager can be used by a number of applications, including the web browser (client authentication) and the WLAN EAP-TLS supplicant; both are described further down this page.

As far as I know, Symbian does not support secure e-mail standards such as S/MIME or PGP out of the box. You need third-party software for that. If you know any, contact me and I will list them here.

Many other Symbian applications (prefer to) implement their own support for certificates instead of using the certificate manager.
4. Importing a root certificate

If you import a personal certificate, the associated root certificate is normally already included in the same file. In that case you do not have to import the root certificate separately (skip to "Importing a personal certificate").

There are several applications that require a root certificate but not a personal certificate. For example, if you use an Exchange server with a server certificate that was issued by your own CA and you want to connect to this server with Nokia's Mail for Exchange application, the phone needs your CA's root certificate to verify the server.

Here is the procedure for importing a root certificate on a Symbian-based device:
- The root certificate should be in binary DER format. If it isn't, convert it to DER on a desktop PC. For example, import the certificate on a Windows PC and then re-export it to DER. Or, on Linux, use OpenSSL to convert it: openssl x509 -in cert.pem -out cert.cer -outform DER
- Transfer the root certificate file to your Symbian device. You can use any method to do the transfer: the Nokia PC Suite, a flash memory card, Bluetooth, WiFi, infrared etc. Note: downloading the root certificate file with the Nokia web browser from a web server requires some extra attention when configuring the web server. It may not work with every configuration (it currently does not work with the CAcert website, for example).
- Open the root certificate file. In the screenshot that accompanied this page, the root certificate file was sent over Bluetooth from the PC to the Symbian device; the file is opened by opening the message in the Inbox.
- The device asks if you want to save the root certificate. Check the details (issuer, subject, validity period and, if shown, the fingerprint) against what your CA published, and select "Save".
- You get the message: "New certificate may be unsecure. Save anyway?". The phone cannot verify a root certificate against anything it already trusts, so this warning appears for every root you import; it is up to you to be sure the file really came from your CA. Select "Save".
- Enter a name for this root certificate. In most cases you can simply use the default name. Select "OK".
- At "Certificate uses:", a list of application categories is displayed that can use this root certificate. Select the trust settings "Internet" and "Online cert. checking". (According to the Nokia documentation, these are for "E-mail and graphics" and "Online certificate status protocol", respectively. The other trust settings are "App. installation" for installing Java applications and "Symbian installation" for installing Symbian applications.) Only enable the uses you need: a root trusted for either installation category can vouch for software installed on the phone.
- You should see the message: "Certificate saved".
- Go to the main menu of your device and select "Tools" -> "Settings" -> "Security".
- Select "Certif. management".
- You should now see the new certificate listed in the certificate manager.
- If you select "Options", you can view the certificate details, change the trust settings or delete the certificate.
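The conversion and the check above, written out as a small shell script. This is an added example and not part of the original page; it assumes the openssl command-line tool is installed on the PC, and that the details screen on the phone shows enough of the certificate (issuer, validity period, fingerprint) to compare with the script's output. The fingerprint is the value to compare: the phone cannot verify a root certificate by itself, so a fingerprint obtained from your CA out of band is what turns "Save anyway?" from a guess into a check.

```shell
#!/bin/sh
# Added example, not from the original page: prepare a root CA certificate
# for import on a Symbian S60 device and print the values to compare with
# the details the phone shows before you answer "Save anyway?".
# Requires the openssl command-line tool on the PC.

# Print "pem", "der" or "unknown" for the certificate file in $1.
# PEM starts with a BEGIN marker; DER-encoded X.509 always starts with the
# ASN.1 SEQUENCE tag 0x30.
cert_format() {
    if head -c 64 "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Write the certificate in $1 to $2 as binary DER, whatever the input
# format is. Symbian only opens DER; a PEM file sent to the phone will not
# import.
to_der() {
    case "$(cert_format "$1")" in
        pem) openssl x509 -in "$1" -inform PEM -out "$2" -outform DER ;;
        der) cp "$1" "$2" ;;
        *)   echo "not a certificate: $1" >&2; return 1 ;;
    esac
}

# Print subject, issuer, validity period and SHA-1 fingerprint of the DER
# certificate in $1. The phone cannot verify a root certificate itself, so
# comparing the fingerprint with one obtained from the CA out of band is
# the only real check before saving it.
describe_der() {
    openssl x509 -in "$1" -inform DER -noout -subject -issuer -dates \
        -sha1 -fingerprint
}

# Return 0 if the DER certificate in $1 is self-signed (subject equals
# issuer), i.e. a root. An intermediate CA certificate is normally
# distributed together with the personal certificate instead (section 6).
is_self_signed() {
    ss_subject=$(openssl x509 -in "$1" -inform DER -noout -subject)
    ss_issuer=$(openssl x509 -in "$1" -inform DER -noout -issuer)
    [ "${ss_subject#subject=}" = "${ss_issuer#issuer=}" ]
}
```

Run to_der ca.pem ca.cer before copying the file to the phone, and describe_der ca.cer to get the values to compare on the phone's details screen. is_self_signed tells you whether the file really is a root; if it is not, you are looking at an intermediate that belongs with the personal certificate's chain rather than in the authority store on its own.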
5. Obtaining a personal certificate in a PKCS#12 certificate file

If the application that you want to use requires a personal certificate then you need to obtain a personal certificate and the corresponding private key. These are unique for every user. Usually you also need one or more CA (root or intermediate) certificates. These certificates are shared by all users. In many cases the certificates are issued by your organisation's CA and not by one of the "well-known" CAs such as Verisign or Thawte: using your own CA is less expensive, and a third-party CA cannot be implicitly trusted for in-house applications such as VPNs, since any certificate it issues to anyone would be accepted.

In most cases the user credentials (private key plus certificates) are distributed in a PKCS#12 file. This file is handed to you by your system administrator. The PKCS#12 file is encrypted with a password, which is also supplied to you (preferably not through the same channel as the file). Alternatively, if you already have a certificate with private key on your desktop (Windows) PC, you can export it from that PC to a PKCS#12 file. You will be asked to enter a password to protect the PKCS#12 file. If you have multiple PCs or PDAs, you do not actually have to request different certificates: you can import the same certificate to all these devices if you want, although every copy of the private key is one more place it can be stolen from. In fact, if you obtained your certificate from a well-known CA such as Verisign, exporting to PKCS#12 is probably the only way to get this certificate installed on the phone, because these CAs only support desktop PCs for requesting certificates. Instructions for exporting your personal certificate from your browser (Internet Explorer, Mozilla or Netscape) to a PKCS#12 file can be found on a separate page. (Note: if you export from IE you should select the option "Include all certificates in the certification path if possible". This adds all intermediate certificates to the PKCS#12 file, which matters because it is unclear whether Symbian can retrieve intermediate certificates from a server on its own; see the next section.)

If you are a system administrator you need a CA to generate the keys and certificates for your users. You can for instance use OpenSSL (with or without front-ends such as OpenCA, TinyCA or IDX-PKI) or you could use Windows 2000/2003 Certificate Services.
6. Importing a personal certificate

A personal certificate has an associated private key which also has to be installed (see "Public Key cryptography" for the basics on this). There are basically two methods of installing a personal certificate: certificate enrolment and certificate import.

Enrolling for a personal certificate can be done at the websites of vendors such as Verisign and CAcert. You can also enrol at your own CA if you have one. Unfortunately, Symbian does not appear to support enrolling for a certificate. But what you can do is enrol on a desktop PC and export the personal certificate you get to a PKCS#12 file.

Here is the procedure for importing a personal certificate on a Symbian-based device:
- The personal certificate should be in PKCS#12 format (also known as PFX). Read the previous section if you want to obtain a PKCS#12 file. You may need to include all intermediate certificates in the PKCS#12 file, because I'm not sure if Symbian can pull intermediate CA certificates on demand from the server.
- Transfer the personal certificate file to your Symbian device. You can use any method to do the transfer: the Nokia PC Suite, a flash memory card, Bluetooth, WiFi, infrared etc. Bear in mind that the file contains your private key, protected only by its password. In the screenshot that accompanied this page the PKCS#12 file was sent over Bluetooth from the PC to the Symbian device; the file is opened by opening the message in the Inbox.
- Enter the password that was used to encrypt the PKCS#12 file.
- The device reports the number of items in the file. Select "Save".
- If this is the first time that you have imported a PKCS#12 file:
  - You get a message "Unable to use private keys. Key store password must be set first."
  - Enter a key store password. This password protects the private key of your personal certificate on the device, and you will be asked for it every time the key is used (see section 7), so choose it as carefully as a login password. It must be a minimum of 6 characters, otherwise the option "OK" will not be displayed.
  - Enter your key store password again for verification.
- Symbian will first ask if you want to save the personal certificate included with the PKCS#12 file. Your name in the certificate should be displayed. Select "Save".
- Enter a name for this personal certificate. In most cases you can simply use the default name. Select "OK".
- You should see the message "Certificate saved".
- The device asks if you want to save the root certificate. Check the details and select "Save".
- You get the message: "New certificate may be unsecure. Save anyway?". As with a separately imported root certificate, the phone has nothing to verify this certificate against; if it came from your own administrator in the same PKCS#12 file, select "Save".
- Enter a name for this root certificate. In most cases you can simply use the default name. Select "OK".
- At "Certificate uses:", a list of application categories is displayed that can use this root certificate. Select the trust settings "Internet" and "Online cert. checking". (According to the Nokia documentation, these are for "E-mail and graphics" and "Online certificate status protocol", respectively. The other trust settings are "App. installation" for installing Java applications and "Symbian installation" for installing Symbian applications.)
- You should see the message: "Certificate saved".
- And finally a status report: "Saved 1 private key, 1 personal certificate, 1 authority certificate".
- Go to the main menu of your device and select "Tools" -> "Settings" -> "Security".
- Select "Certif. management".
- You should now see the new certificate listed in the certificate manager.
- If you select "Options", you can view the certificate details or delete the certificate.
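How the PKCS#12 file from section 5 is put together on the administrator's side, and what the item count in the final status report corresponds to, as an added shell example (not code from the original page). It assumes the openssl command-line tool, the user's key and certificate in PEM files, and the CA chain concatenated into one PEM file. The encryption settings are an assumption as well: the page does not say which PKCS#12 algorithms the phone accepts, so the script asks for the SHA-1/3DES password-based encryption and SHA-1 MAC that were the common defaults in 2007 rather than the AES/PBKDF2 defaults of current OpenSSL releases.

```shell
#!/bin/sh
# Added example, not from the original page: bundle a user's private key,
# personal certificate and the CA chain into one password-protected PKCS#12
# file for the phone, and list what the phone will find in it.
# Requires the openssl command-line tool. The PBE/MAC algorithms below are
# an assumption: the page does not say what the phone accepts, so the
# SHA-1/3DES settings that were standard in 2007 are requested explicitly
# instead of the AES/PBKDF2 defaults of current OpenSSL releases.

# make_p12 KEY CERT CHAIN OUT PASSWORD
#   KEY      user's private key (PEM)
#   CERT     user's personal certificate (PEM)
#   CHAIN    CA certificates, root plus any intermediates, concatenated (PEM)
#   OUT      PKCS#12 file to write
#   PASSWORD file password; hand it to the user separately from the file
# The chain goes in because the page notes Symbian may not fetch
# intermediate certificates by itself.
make_p12() {
    openssl pkcs12 -export \
        -inkey "$1" -in "$2" -certfile "$3" \
        -name "personal certificate" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$5" -out "$4"
}

# p12_counts FILE PASSWORD
# Print "<private keys> <certificates>" contained in the file. For a
# single-user bundle the phone reports this as "Saved 1 private key,
# 1 personal certificate, N authority certificate" with N = certs - 1.
p12_counts() {
    dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -info 2>/dev/null) \
        || return 1
    keys=$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN .*PRIVATE KEY-----' || true)
    certs=$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    echo "$keys $certs"
}

# p12_password_ok FILE PASSWORD
# Return 0 if the password opens the file. A wrong password fails the
# integrity (MAC) check, so nothing in the file can be read without it.
p12_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}
```

After make_p12, p12_counts prints "1 2" for one private key and two certificates (the personal certificate plus one CA certificate), which is what the phone reports as "Saved 1 private key, 1 personal certificate, 1 authority certificate" at the end of the import; an intermediate CA certificate in the chain raises the certificate count by one. The file password only protects the bundle in transit: once imported, the key store password of section 7 is what protects the key on the phone.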
7. Protecting the private key of your personal certificate

Once you have imported a personal certificate to your Symbian device, its associated private key is protected with a "phone key store" password. Every time the private key is used (for example, for authenticating to a website) you are prompted for this password. The password can be changed in Tools -> Settings -> Security -> Security Module.

If you have not yet imported a personal certificate it will report "(no security modules)". Once you have imported a personal certificate you should see a "Phone key store". If you open it, you see the "Module PIN" key store. Open that one, and you see the options "Phone key store code", "Module PIN request" and "Status". You can change the phone key store password (or "code") by selecting the first option. For some reason I could not select the other two options. My Nokia device kept asking for the phone key store password when I used my personal certificate. This is a bit of a nuisance. I would have preferred that it cached the password for some time, similar to what Mozilla Firefox and Thunderbird do.
8. Web enrolment

Windows clients support web enrolment, an alternative to importing a certificate from a file. I do not know if Symbian supports web enrolment. I suspect it does not. Check out my other webpage for information on web enrolment in general.
9. Web client authentication

As you probably know, web browsers can secure their connections with the SSL protocol. Most SSL websites use a server certificate to authenticate the server and usernames and passwords for clients that wish to authenticate. The advantage is that this is easy to use. However, some websites (for instance, Internet banking sites) may require personal certificates instead, because a private key that stays on the device cannot be guessed, phished or reused on another site the way a password can.

The native web browser included with Symbian is Nokia's Web Browser for S60. This browser is based on Apple's WebKit, which in turn is based on KDE's KHTML.

If you would like to test client-side certificate authentication with your Symbian device, you can obtain a free personal certificate from CAcert.org, install it on your Symbian device and use it to connect to the CAcert "Cert Login" website.

Here is the procedure for web client authentication with a personal certificate:
- Start the Web Browser.
- Go to the web page that requires authentication with a personal certificate. The screenshot that accompanied this page, for example, shows the "Certificate login" page of CAcert.
- The device asks for your key store password.
- In fact, it may ask several times for that password. :-( I don't know how to change this.
- You should now be logged in.

Symbian supports server certificates which contain a wildcard (e.g. *.example.com). The CAcert website uses a wildcard certificate, for example. I do not know if Symbian can retrieve intermediate certificates if the (web)server does not send the chain of intermediate certificates on its own initiative. To be on the safe side, configure the server to send the complete chain of intermediates itself.
10. EAP-TLS

Some Symbian devices ship with built-in WiFi wireless network support. Examples are the Nokia E60/E61/E70/N95 and others. Wireless networks often need to be secured so that only authenticated users are allowed to use them. Home networks often use authentication based on a preshared key (similar to a password) but enterprise networks usually employ a more elaborate authentication framework based on the Extensible Authentication Protocol (EAP).

There is a large number of EAP authentication methods. Symbian supports several of these EAP methods out of the box: EAP-SIM, EAP-AKA, EAP-PEAP (Microsoft), EAP-TLS, EAP-TTLS (Funk) and EAP-LEAP (Cisco). However, I have read that their implementation is a bit lacking.

EAP-TLS requires the use of personal certificates. For the other protocols you do not need to import a personal certificate. Instead, you typically buy a server certificate from one of the "trusted" root certification authorities that are present in Symbian devices. Or, you would install your own CA certificate on your Symbian device. In the latter case you would save some money, but it may turn out to be a bit of a hassle if you have a large number of Symbian clients. Either way, the client must be configured to check the authentication server's certificate against that CA; a client that skips this check will hand its inner credentials to any rogue access point that presents some certificate.

EAP-TLS is more secure than PEAP et al. because it uses certificates for both user and server authentication, whereas the tunnelled methods protect a password-based inner method with a server-authenticated tunnel. Plus, EAP-TLS is supported by many vendors and ratified by the IETF in RFC 2716, whereas PEAP, TTLS and LEAP were (at the time of writing) vendor specifications or Internet drafts rather than RFCs. Therefore EAP-TLS is often used by enterprises with strong security requirements. The drawback of EAP-TLS is that personal certificates are more difficult to distribute and manage than passwords or PSKs.
Here is the procedure for configuring EAP-TLS authentication with a personal certificate:
- Go to Tools -> Settings -> Connection.
- Select "Access points".
- Select "Options", "New access point" and "Use default settings".
- Enter a connection name for the new connection. (In the example screenshots it is "Test conn".)
- At "Data bearer", select "Wireless LAN".
- Enter the wireless LAN's SSID (i.e. name) at "WLAN netw. name" (or use the option "Search for netw.").
- At "WLAN security mode" select either "WPA/WPA2" or "802.1x". Ask your system administrator if you don't know which one is used on your wireless network.
- Select "WLAN security sett."
- At "WPA/WPA2" select "EAP" (this option is also displayed if you chose "802.1x" in the previous step).
- Select "EAP plug-in settings".
- Select "EAP-TLS".
- Click "Options" and select "Enable" to enable EAP-TLS. (I'm not sure if you need to disable EAP-SIM and EAP-AKA.)
- Click "Options" again and select "Configure".
- At "User certificate", select your personal certificate.
- At "CA certificate", select your CA's certificate. This is the CA against which the phone validates the authentication server's certificate.
- At "User name in use" and "Realm in use", select either "From certificate" or "User-configured". "From certificate" is probably the easiest option. Try that one first. If that does not work, try your username and realm if you happen to know these.
- Click "Back". Click "Back" again.
- If you chose "WPA/WPA2" for the "WLAN security mode", there is an extra option "WPA2 only mode". This can be set to "On" if you are sure that your wireless network supports the stronger WPA2 (AES) encryption; it stops the phone from falling back to WPA (TKIP).
- Click "Back".
- Change "Network status" and "Homepage" if you need these.
- Click "Back". The connection that you just created for your wireless LAN will be displayed.
- Click "Back", "Back" and "Exit".
- When you start a network application (such as the web browser) it will look for access points. If you are in range of the wireless network that you just configured, you should be able to select it and connect to it.

Personal certificates that are used in EAP-TLS should probably contain the "Client Authentication" Extended Key Usage (EKU) purpose, which has the OID value 1.3.6.1.5.5.7.3.2. This is the case for Windows clients and it might also be the case for Symbian clients.
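A check for the EKU just mentioned, plus the way to issue a client certificate that has it from an OpenSSL-based CA, as an added shell example that is not from the original page. It assumes the openssl command-line tool and a CA key and certificate in PEM files, and it treats the "Client Authentication" EKU as required, which the page only suspects for Symbian but which is the safe assumption. Note that openssl prints OID 1.3.6.1.5.5.7.3.2 by its long name, "TLS Web Client Authentication".

```shell
#!/bin/sh
# Added example, not from the original page: check a personal certificate
# for the "Client Authentication" extended key usage (OID 1.3.6.1.5.5.7.3.2)
# before handing it to an EAP-TLS client, and issue one that has it from an
# OpenSSL-based CA. Requires the openssl command-line tool. Whether the
# Symbian supplicant insists on this EKU is, as the page says, not known;
# the script treats it as required, which is the safe choice.

# has_client_auth_eku CERT
# Return 0 if the PEM certificate lists clientAuth in its EKU extension.
# openssl prints OID 1.3.6.1.5.5.7.3.2 as "TLS Web Client Authentication";
# the sed command prints the line after the extension header.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
        | grep -q 'TLS Web Client Authentication'
}

# has_no_eku CERT
# Return 0 if the certificate carries no EKU extension at all. Some
# implementations read that as "any purpose", others as "no purpose"; a
# certificate meant for EAP-TLS should name clientAuth rather than rely on
# either reading.
has_no_eku() {
    ! openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'X509v3 Extended Key Usage'
}

# issue_client_cert CAKEY CACERT OUTKEY OUTCERT CN
# Generate a key and CSR for CN and sign it with the CA, adding the EKU
# and the key usages TLS client authentication needs. Key and certificate
# can then go into the PKCS#12 file of section 6.
issue_client_cert() {
    ic_ext=$(mktemp)
    cat > "$ic_ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$3" -subj "/CN=$5" \
        2>/dev/null \
        | openssl x509 -req -CA "$2" -CAkey "$1" -CAcreateserial \
              -days 365 -extfile "$ic_ext" -out "$4" 2>/dev/null
    ic_rc=$?
    rm -f "$ic_ext"
    return $ic_rc
}
```

issue_client_cert ca.key ca.pem alice.key alice.pem alice produces a key and certificate that can be fed to the PKCS#12 step of section 6, and has_client_auth_eku alice.pem confirms the EKU is there before the file goes out to the user. Running the check against certificates you did not issue yourself (for instance one exported from a public CA) is the quickest way to find out why an EAP-TLS client is being refused.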
11. Certificates and Exchange

Nokia has released an Exchange client for E-series phones and a number of N-series phones. Apparently they have licensed the ActiveSync protocol from Microsoft. "Mail for Exchange" can be downloaded from Nokia.

Connections between this client and Exchange can be secured with SSL. In fact, the use of SSL is highly recommended when clients connect over a hostile network such as the Internet. As with any other SSL server, this requires a server certificate to be installed on the IIS / Exchange server. The server presents this server certificate to authenticate itself to clients. You may need to install the root certificate of your CA on the Symbian device if it is not already there; otherwise the phone cannot tell your server from an impostor. Only after the server has been authenticated do the clients authenticate to the server.

On SSL web servers, there are two options for client authentication: basic authentication (usernames/passwords) and certificate-based authentication (personal certificates). Personal certificates provide stronger authentication than usernames and passwords, but usernames and passwords are probably easier to use. Nokia's "Mail for Exchange" client supports authentication with usernames/passwords but it does not seem to support personal certificates.

If you don't want to install a root certificate, there is an option "Secure connection" that you could set to "No". This will disable SSL encryption on the Nokia Mail for Exchange client, so your password and all mailbox traffic cross the network in the clear. It is only recommended to do this when you are testing over a secure network, e.g. on your own LAN! Windows Mobile has another option which does use SSL encryption but without verification of the server certificate. The Nokia client does not support this option, which is probably for the best: without server verification anyone on the path can sit between the phone and the server and read the traffic, so the setting only confuses people into thinking that the connection is secure.
12. Acknowledgements and disclaimers

This page shows screenshots of a device resembling a Nokia device but this does not necessarily mean an endorsement of, or by, Nokia, Symbian or any other company. I disclaim everything anyway :-). Nokia and Symbian are trademarks or registered trademarks of Nokia Corporation and Symbian Ltd, respectively. The author of this webpage is not associated with Nokia or any other company mentioned on the page. All trademarks are owned by their respective companies.
13. Revision history

Oct 21, 2007: Moved info to separate page.
Oct 1, 2007: Added more on Symbian.
Oct 26, 2006: Added info on Symbian devices.
Jacco de Leeuw