Sunday, Jun 03, 2007

Import Root CA in the Nokia E61

Last week, I received my new Nokia E61i. As soon as I tried to connect to my own IMAP server (over SSL/TLS), it started nagging about the (self-signed) SSL certificate.

The E61 has a certificate store, so I should be able to add other root CAs to this store, but this is where the trouble began.

The manual has a chapter on certificates, but it lacks a working explanation of how to import third-party root CAs. On my old iPaq, I could simply upload a DER-encoded certificate, click on it, and it would install. This doesn't work on the E61 (and many other Symbian-based phones). Just google it, and you'll find lots of people with similar problems...

The working solution I found uses a website from which you download the certificate with the phone, but there is a catch: you need to add a MIME type to the website hosting the certificate (hence the admin rights).

This is what you need to do (on Microsoft IIS):

  • Make sure you have the certificate available in DER format. If you're not sure about this, just open the certificate and open the second tab. Choose 'Copy to file..' and select the DER option.
  • Make sure the extension of the certificate is '.der'
  • Upload the certificate to your webserver.
  • Open the IIS Manager and open the properties on the folder (or website) where you uploaded the certificate.
  • Open the 'HTTP Headers' tab, and click on 'MIME Types'
  • Add a custom MIME type.
    The Extension is '.der' (without the quotes, but with the dot), and the MIME Type is 'application/x-x509-ca-cert' (also without the quotes).
  • Close all the open windows.
  • Go to the URL where you can download the certificate with the built-in browser of your phone (e.g. /temp/certificate.der).
  • Your phone will recognize the file as being a certificate (the MIME type makes sure of this), and will ask you if you want to import it. While importing, the import wizard will ask for trust settings of the certificate. I just enabled both.
  • After this you should be able to use certificates issued by the newly imported CA without any warning.

B.t.w., this also works for self-signed certificates.
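The two requirements from the steps above (binary DER content and the 'application/x-x509-ca-cert' MIME type), as an added Python example for readers without IIS; it is not part of the original post. The script, the output file name `certificate.der` and port 8000 are assumptions.

```python
import base64
import re
import sys
from http.server import HTTPServer, SimpleHTTPRequestHandler

CA_CERT_MIME = "application/x-x509-ca-cert"   # MIME type from the steps above
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Constructed stand-in with valid DER framing (not a real certificate), for testing.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])


def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose length field matches its size."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short form: one length byte
        header, body = 2, data[1]
    else:                                   # long form: next n bytes hold the length
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == header + body


def to_der(data: bytes) -> bytes:
    """Accept a Base64 (PEM) or binary DER certificate file; return binary DER."""
    match = PEM_RE.search(data)
    if match:                               # Base64 text: strip armor and decode
        data = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if not der_length_ok(data):
        raise ValueError("not a single DER-encoded structure (truncated or wrong format)")
    return data


class CertHandler(SimpleHTTPRequestHandler):
    # Same effect as the custom IIS MIME type: '.der' -> application/x-x509-ca-cert
    extensions_map = {**SimpleHTTPRequestHandler.extensions_map, ".der": CA_CERT_MIME}


if __name__ == "__main__":
    # Usage: python serve_ca.py <certificate file>  (script name is hypothetical)
    with open(sys.argv[1], "rb") as src:
        der = to_der(src.read())
    with open("certificate.der", "wb") as dst:
        dst.write(der)
    # Serves the whole current directory: run it from a folder holding only the
    # certificate, and stop it once the phone has downloaded the file.
    HTTPServer(("", 8000), CertHandler).serve_forever()
```

The framing check only confirms that the file is one complete DER structure; it does not validate the certificate's contents or its chain.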

Since not everyone has a private webserver, I will try to create a webpage on which you can upload your certificate. It returns a URL which you can use with your phone browser to download and install the certificate on your phone.

Reader Comments (19)

Thanks for the tip, it worked perfectly.

-Abhi.

March 18, 2008 | Unregistered Commenter Abhishek

There is a simpler method, just change the extension of your der format certificate from .cer to .der and copy into your nokia then install. Smooth.
Cheers

April 23, 2008 | Unregistered Commenter Wusu I.O.

@Wusu I.O.:
It is possible that Nokia has made some software/firmware updates which solve the problem.
The procedure you're describing should work (in theory), but it doesn't on lots of phones. What kind of phone (and software version) are you running?

April 23, 2008 | Unregistered Commenter Willem

Thanks for these tips, and the certificate download tool. The problem I'm facing (on a Nokia N95) is that when I try to open the cert after I've saved it to the phone, it tells me the certificate is corrupted. When I visit the link, and *before* I save the cert, everything is fine (issuer, fingerprint, etc). The problem seems to arise only after it's been saved (and I therefore continue to be warned about my mail server's untrusted certificate).

Any ideas?

August 31, 2008 | Unregistered Commenter Rotorglow

@Rotorglow:
A couple of possibilities:
1) The certificate is in the BASE64 format instead of the binary DER format.
2) The phone can't make / determine the complete certificate chain.
3) The subject of the certificate contains multiple CNs (common names). This happens with e.g. Small Business Server. It puts all possible names of the server in the subject, and somehow the Nokia finds this troublesome (I think it picks the first one).
CN=server
CN=server.domain.local
CN=mail.domain.com

Best way is to recreate the certificate with the proper public CN (this might give you some issues if you're connecting to the server from the inside by using e.g. server.domain.local).

August 31, 2008 | Unregistered Commenter Willem

You're a legend mate,

Your website provided works like a charm and allowed me to import our unsigned cert without issues.

(Using N95 8GB)

Cheers.

February 25, 2009 | Unregistered Commenter Laurence

Just tried to import my certificate via http://symcaimport.redelijkheid.com but got a "file corrupt" error.

May 5, 2009 | Unregistered Commenter Peter

@Peter
Have you followed the links and read all the other problems people had?
Especially the previous post has lots of information.
Corrupt could mean the wrong format (BASE64 instead of Binary DER format).

May 5, 2009 | Unregistered Commenter Willem

I have a Nokia E63. I have obtained a .cer file from the Symbian certificate issuing site with my IMEI number, but now when I try to sign any application it gives a certificate error. I don't know whether you can help or not, but thought I should ask. Thanks in advance.

June 30, 2009 | Unregistered Commenter huzefa

@huzefa
Hi huzefa, no experience in the field of application signing. So sorry on that one.

July 6, 2009 | Unregistered Commenter Willem

I'm having no luck with all the methods I've found till now, including this one, on an E63. Does anybody have some advice?

August 31, 2010 | Unregistered Commenter Eddie303

Hi Eddie, the only two things that are generally problematic are:
- the format is wrong (base64 encoded certificate instead of a binary file), or
- the CA you're trying to import is an intermediate CA (or the SSL certificate itself) which has a CA above it.
E.g. Root CA -> Intermediate CA -> SSL Certificate.
If you're trying to import the SSL certificate (which works fine if it's a self-signed certificate) or the Intermediate you might still run into problems, because the phone can't construct the entire chain to the root.

Hope it helps

August 31, 2010 | Registered Commenter Willem

Willem: Thank you very much, indeed I tried to install another certificate and managed to do it while sending via Bluetooth! So I ended up generating another cert for the server with OpenSSL and managed to install that on the phone, everything is up and running!

Thanks again!

September 3, 2010 | Unregistered Commenter Eddie303

Thanks for the nice tips. I had an E61 Nokia mobile phone. I tried it and succeeded. Also, I would like to suggest that mobile phone users go through this article; that will help to manage your phone easily.

September 9, 2010 | Unregistered Commenter Ashutosh Ranjan

I have an E71 with the latest firmware.
We have an SBS2003 with a self-signed certificate.
When I upload the binary DER to your tool and try to download it, the phone prompts FILE DAMAGED!

How can I install the self-signed cert on my E71? I cannot sync with MailForExchange now... all other phones (iPhones, iPads) sync fine!

October 5, 2010 | Unregistered Commenter Leroy

Hi Leroy,

Could you send me the download link of the certificate? I'll have a look.
You can use the contact form on the website or a direct e-mail.

October 5, 2010 | Registered Commenter Willem

Hi Leroy,

The only thing I can think of is that the subject and issuer fields in the certificate lack some information. Could be that the Nokia needs an Organization / Organizational Unit field in the certificate.
The only way to add these is to regenerate the certificate, which means that the certificate needs to be redistributed to the clients.

You should be able to test this (not really familiar with the server you use) by creating a new certificate and testing the import with that. If it works, you can assign the new self-signed cert to the services.

Another solution would be an official (cheap) SSL certificate. These things cost <$50 USD.

October 5, 2010 | Registered Commenter Willem

Worked great and many thanks for the provided tool, it saved my setup. As you said, I had to register not only the SSL certificate of my company, but also the root certificate of the authority that issued my company's certificate.

Thanks!

March 2, 2011 | Unregistered Commenter Emmanuel

Thanks a lot. You are the best !!!... :) I have been looking for this information for so long.. it's really working .. !!!

April 26, 2011 | Unregistered Commenter Alex
