Sunday, June 3, 2007

Installation Root CA on Nokia E61 Made Easier

From this day on, you can install certificates from non-trusted CAs on your Symbian-based phone (like the Nokia E61) using this page.

UPDATE: it seems that most other phone brands and types work as well (the S40 based devices are left out... sorry).

All you need to do is make sure that the certificate is in the DER format. The webpage doesn't verify if the certificate is in the correct format. This is up to the uploader.

I created this page, because I work a lot with digital certificates, so I don't want to be bothered with the workaround described in the earlier post. The current version is quick-and-dirty (no error messages). I'll try to make it more user friendly in the next couple of days (like having the option of sending the URL to an e-mail address). Just make sure that you obey the guidelines shown on the page, and all should go well.

Feel free to add a comment on how to improve this.

UPDATE: This works on (almost) every Symbian based (Nokia) phone. It has been tested with a couple of phones from the Nokia E and N series.

UPDATE 2: There is something else you need to consider when trying to add a certificate to your phone. Ideally, an SSL certificate is issued by a Certificate Authority. You can verify this by comparing the 'issued by' and 'issued to' fields in the certificate. If those are the same, you've got a self-signed SSL (or CA) certificate. Those should work when you upload them. If they are different, you need to get the certificate of the CA that issued the SSL certificate.

If the 'issued by' and 'issued to' fields are different, it means that this is NOT a ROOT CA certificate or self-signed certificate.
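
An added example (not part of the original post or of the SymCAImport tool): a standard-library Python check for the two preconditions described above, namely that the file is DER rather than base64/PEM and whether 'issued by' equals 'issued to'. It goes slightly beyond the post by also flagging a negative serial number, a case raised later in the comments. All function names and the sample certificate skeleton are constructed for illustration.

```python
import base64
import re

def to_der(data: bytes) -> bytes:
    """Accept PEM (base64 text) or DER (binary) and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def read_tlv(buf: bytes, pos: int):
    """Parse one DER element at pos; return (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def inspect_cert(data: bytes) -> dict:
    """Report encoding, serial sign, and whether issuer and subject match."""
    der = to_der(data)
    _, cert_start, _ = read_tlv(der, 0)           # Certificate
    _, pos, _ = read_tlv(der, cert_start)         # TBSCertificate
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                               # optional [0] version
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, pos = read_tlv(der, end)                # skip signature algorithm
    _, _, issuer_end = read_tlv(der, pos)
    issuer = der[pos:issuer_end]                  # raw 'issued by' Name
    _, _, pos = read_tlv(der, issuer_end)         # skip validity
    _, _, subject_end = read_tlv(der, pos)
    subject = der[pos:subject_end]                # raw 'issued to' Name
    return {"was_pem": der != data, "serial_negative": serial < 0,
            "issuer_equals_subject": issuer == subject}

# Constructed sample input: a certificate skeleton with no key or real signature.
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def name(cn: str) -> bytes:
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))  # CN=...
    return tlv(0x30, tlv(0x31, atv))

def sample_cert(issuer_cn: str, subject_cn: str, serial: bytes) -> bytes:
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"070603000000Z") + tlv(0x17, b"170603000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + alg
              + name(issuer_cn) + validity + name(subject_cn))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def as_pem(der: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(inspect_cert(as_pem(sample_cert("Example Root CA", "Example Root CA", b"\x46\xca\x12"))))
```

Matching names only show that the certificate is self-issued; confirming that it is self-signed takes a signature check, which is outside this example.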


Reader Comments (105)

I have the Nokia N73 and I have installed the first certificate with no problems, but now I want to install another one and the phone says that the certificate is damaged. Does anyone know why that is?

April 12, 2008 | Unregistered Commenter nikola

It's either in the wrong format (base64 instead of DER), or you're missing a root or an intermediate certificate.
More and more certificate chains consist of more CAs: a root CA and an issuing intermediate CA. Just verify the 'issuer / issued by' field in the certificate to verify the actual chain, and import the certificate of the CA you're missing.

April 13, 2008 | Unregistered Commenter Willem

Oke thx, but I have one more question. I have made a certificate with the S60 3rd Edition FP2 SDK using the makekeys command and all the certificates I have made so and submit it to this site, and after the download is done on my phone nothing happens, no option to save the certificate. Other certificates I can save with no problems. What can be the problem?

April 15, 2008 | Unregistered Commenter Nikola

Juz wanna say thanxs.

used your site to get certs on 8 nokia phones, how else do they do it?

;-)

April 22, 2008 | Unregistered Commenter Derek (not that one!)

Dear sir,

I have a Nokia E65 and I had installed Mail for Exchange on my mobile. I had configured my mobile as follows:
server : webmail.apl.com
secure connection : Yes
access point : weireless
use default port : Yes

The problem is, when I am trying to connect, I am receiving "Secure connection required, set the secure connection to Yes in profile", although it's already set to Yes.

After searching on the net, I found that I must install the web cert. from the webmail server (pls note that the web server is powered by the mother company in the US, and I don't have Exchange here). I went to my OWA site and transferred the web certificate in DER format, but when I transferred it to my phone and tried to install it, I got this error:
" Save Certif.: featuer not supported". In the security panel on the phone, I went to the Entrust CA and set its settings to Off.
But I am still unable to connect to the Exchange server.
Any guide, pls?

thx ... mua

April 24, 2008 | Unregistered Commenter mua30

When you open the certificate with Notepad, is it 'readable'? If so, you need to convert it to the binary format (lots of hints on that via Google).
I checked your OWA website and adding the Entrust (root) CA should be the only CA you need to add.

I don't have any experience with the Exchange connector on the Nokia, so I can't reproduce this. Sorry about that.

April 24, 2008 | Unregistered Commenter Willem

Willem,

For my reference, it should be exported in 64 based format! If so, then it's a text file. One more thing I had noticed: when exporting the certificate, it doesn't contain the keys, it IE behave.

thx n rgrds...mua

April 27, 2008 | Unregistered Commenter mua30

Perfect! Has been done at a glance.
Saved a lot of time, thank you so much!

May 17, 2008 | Unregistered Commenter vigneron

THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! =D I was going NUTS with this!

June 2, 2008 | Unregistered Commenter Kaelidan

I'm trying to install a Thawte code signing certificate on my nokia 6131 nfc (s40 3rd ed.).

I got a Thawte code signing certificate from www.thawte.com/roots (I also tried with exporting thawte and verisign certificates from IE). I check valid usages and code signing is there.

I succeed by using the site http://www.redelijkheid.com/symcaimport/index.cfm, surprisingly just if I use the "S60 device" option.

I downloaded the .der cert on my PC. I check valid usages and code signing is there.

However, once the certificate is installed on my phone (I downloaded from the website), I check the allowed uses: Application signing is unchecked!!! and I cannot check it! I also tried to install an application (opera mini 4.1) signed with thawte without success.

I guess just the 6131 nfc certificate manager does not allow for other code signing certificates than the nokia ones. Does anybody know another method to install code signing certs in s40?

June 7, 2008 | Unregistered Commenter david

Hello.
I'm trying to do anything with certificate and Active sync on E61 and last MFE, but without results.
Maybe something is wrong with my certificate? https://mail.rmg-media.ru

The E61i asks me about an untrusted certificate again and again. I think, and it is my last idea, that something is wrong with the certificate. Please, anybody help me.

June 18, 2008 | Unregistered Commenter Kermit007

@ Kermit007
Your certificate doesn't have the proper common name. The current common name is:
CN = RMG-CA

The error you receive is that the URL displays a different name than the one contained in the subject field of the certificate.
This should be mail.rmp-media.ru
You may want to generate a new certificate with the proper CN value.
(everything at your own risk (of course))

June 25, 2008 | Unregistered Commenter Willem

Good for you for hosting this service. A lot of people probably have no idea how to install & run openssl or configure mime types. I'm sure you've saved hundreds of frustration hours already. Good job man.

August 25, 2008 | Unregistered Commenter lob2k

Thnx for this, works great.
Tested it on a E51 and it works.

September 9, 2008 | Unregistered Commenter Sloopmeester

Tried all the process on a Nokia N95 8GB. When I download the certificate from my web browser in the telephone, it says that the file is damaged. I can download the certificate on the PC but don't have a clue how to install it from the PC to the phone. Can you tell me if there is a solution or if the certificate does not work with the Nokia N95 8GB? Thanks

September 25, 2008 | Unregistered Commenter Sergio

I was able to convert my certificates to DER by doing the command
openssl x509 -in ca.crt -out ca-der.crt -outform DER
and the N95 8GB liked them much better. The .crt suffix has to be on
the file or it'll see '.der' or something else and decide to bring it up in the Notes viewer.

I ran openssl x509 under Linux but I know there are Windows and Mac OS X ports of it as well. Tedious to have to do it on the command line, but still... :)

September 27, 2008 | Unregistered Commenter Brendan

Just a question: where does the modified certificate get stored on an N95?

Taj

September 30, 2008 | Unregistered Commenter Taj

@Sergio:
Most likely the subject in the certificate contains more than 1 Common Name (CN). Try generating a certificate with one CN and try again.

@Brendan: I'm looking into the possibility of combining OpenSSL in the SymCAimport pages. Just to give some more diagnostic feedback and/or to convert base64/PEM certificates to the binary form.

@Taj: No idea. Probably in a (proprietary) certificate store or something.
You can view (edit trust settings and delete) the installed certificates in the interface by going to: Menu -> Tools -> Settings -> General -> Security -> Certif. Management.
Hope this answers your question.

September 30, 2008 | Unregistered Commenter Willem

Thanks a lot. Deleted the certificate and tried again and works a treat.

October 1, 2008 | Unregistered Commenter Taj

Hi there, Great idea. Will this work for a Nokia 5310 device that is based on Symbian OS S60?
Best wishes,
NEOCRON.COM

October 14, 2008 | Unregistered Commenter Neocron.Com

It should work on any S60 based phone

October 14, 2008 | Unregistered Commenter Willem

Thanks for the info. I'll shuffle off and pick up the 5310.

October 15, 2008 | Unregistered Commenter Neocron.Com

Great tool : it also works with a Nokia N73 and a self signed certificate !
Thankx

January 7, 2009 | Unregistered Commenter Geert Nysmans

I just get an error when trying to install the certificate on my E71. It's for use on my work's wireless network. The admins have said they will try and assist me but have no experience with Symbian S60 devices. My work laptop has a trusted root certificate installed to connect to the network using WPA TKIP - PEAP, validating the server certificate, and then uses MSCHAP-v2 authentication.

I have a copy of the wap.cer which I believe is in the right format; however, whenever I try and install it I am unable to open the file: "file not supported". This happens both as a .cer and a .der.

Any support would be appreciated.

January 23, 2009 | Unregistered Commenter JohnnyB

If you can open the certificate in Windows (by double-clicking it), it's a relatively valid certificate. If that fails, the certificate is corrupt or has an unsupported format.
If it opens in Windows, you should check if you can open the file in Notepad. If it opens, and starts with --- BEGIN CERTIFICATE--- it's in the wrong format (PEM/BASE64). You should convert it to DER (binary) format before uploading it.
Tips on converting it to DER format can be found here: http://www.google.com/search?q=export+certificate+in+der+format

January 23, 2009 | Unregistered Commenter Willem

Hello Willem

Hopefully you can help me. I am running two 2008 domain controllers; one of them is a certificate server. I have created a new certificate and exported it to Exchange 2007, and that is working OK. OWA is also working well. I exported out my https://mydomaincontroller/certsrv/certcarc.asp, marked it as a DER certificate and saved it to my desktop. I used your wonderful tool to install the certificate to my Nokia E65. That part is working like a dream. But my cellphone will not trust the certificate. What can be wrong? Can you look in your logs?

Best Regards

Bernhard

January 23, 2009 | Unregistered Commenter Bernhard

Hi Willem, has the import CA tool been tested with the E71? As it downloads the certificate and a 'Save Certificate' prompt appears, it is quickly replaced by a 'File Corrupted' message. Not sure if I have missed a step.

February 19, 2009 | Unregistered Commenter Sajjad

@Sajjad:
The error 'File Corrupted' most likely has to do with the certificate itself. The entries in the subject field might be acting up. I've seen this before (like 3 or 4 CN entries in the subject field).

Any chance you can give me the URL of the certificate you uploaded (or mail me the certificate)?

February 19, 2009 | Unregistered Commenter Willem

Thanks for your response. I can see there are 3 lines in the subject field. The file is http://symcaimport.redelijkheid.com/ca/cf8eavp2.der

February 20, 2009 | Unregistered Commenter Sajjad

@Sajjad:
Your signature is sha512RSA. That's the only real difference I can find with other CAs. It's possible that the phone doesn't support that hashing algorithm.
Are you able to recreate your CA (or create a temp CA) and use SHA1 as a signature algorithm, and try to import that one?

February 20, 2009 | Unregistered Commenter Willem

Thanks Willem. I'm told that re-creating the CA will break the exchange server it supports so it's not something I can test.

February 23, 2009 | Unregistered Commenter Sajjad

Hi Guys,

I hope someone can help me. We're in the middle of an Exchange 2007 implementation. Everything works like a charm except ActiveSync on my Nokia E65 (iPhone, Windows Mobile devices, Nokia E51 are working).
The problem is the following:
We have a Certificate Authority and a Subordinate CA. The certificate for Exchange was issued by our SubCA. When I try to sync my mailbox on a Nokia E65, I receive the following warning:
"This site has sent an untrusted certificate. Continue anyway?" (If I select Continue then it syncs).
Exchange ActiveSync is published with ISA 2006.
The Listener certificate on the ISA server and the Exchange certificate is the same. I've already installed the RootCA, the SubCA and the issued certificate (what Exchange and ISA uses) on the phone. Still the same.
What could be wrong? The published URL on the ISA is webmail.mycompany.com, the internal URL where the requests are redirected by the ISA server is casnlb.intra.mycompany.com. Could that be a problem, that the external and the internal URL isn't the same so the phone can't trust the certificate? If that's the case, what can I do?

Thanks in advance,
Laci

February 24, 2009 | Unregistered Commenter TothLac

@Laci:
It seems that the steps you followed are correct. In theory, you only need to add the Root CA. The subCA (or intermediate CA) should not be necessary, but it can't hurt.
It's probably a naming issue. In the certificate you use, there's a subject field with one (or more) CN values. The CN (common name) value needs to be the same as the hostname in the URL you use to access the website.
In your case: If you connect from the Internet through the ISA server, the certificate on the ISA server should contain a CN=webmail.company.com in the subject field.
I suspect that the actual CN is casnlb.intra.mycompany.com.

There are several ways of resolving this;
1) issue a new certificate for the ISA server listener with the correct common name, or
2) you can use the subjectAltName field in a certificate to specify alternative names for the certificate (the CN could remain casnlb.etc, while the subjectAltName is webmail.mycompany.com)
Either way, you need to re-issue a certificate with the correct information (if my assumptions are correct).

February 24, 2009 | Unregistered Commenter Willem

Hi Willem,

I don't think this is a naming issue. The certificate is a SAN cert with a lot of subject alternative names. The CN of the issued certificate is webmail.mycompany.com. (This CN is the same as the URL we use to access the website externally)
The following entries are also included in the SAN certificate:
casnlb (WNLB NETBIOS name)
casnlb.intra.mycompany.com
imap.mycompany.com,etc.

Sorry! I've forgotten to mention in my previous post that we use Unified Communication (SAN) certificates.

Waiting for your answer!

Thanks in advance,
Regards,
Laci

February 24, 2009 | Unregistered Commenter Laci

Well, following on from my previous post just over a month ago, I have got no further. The admins at my site presented me with 2 certificates to try. One was the CA authority certificate, the other was distributed on all wireless devices to authenticate on the network.

I can install the CA cert on my phone by simply copying it to my phone and opening it up; however, I am still unable to authenticate with this. The other certificate I believe is the one I require for authentication; however, when I try and install that to my phone I get the error "unable to open file : type not supported".

Very frustrating. I regret not getting a Windows Mobile based device, as my iPAQ has no issues connecting at all.

February 27, 2009 | Unregistered Commenter JohnnyB

@JohnnyB: can you mail me the specific CA certificates?
(willem at redelijkheid dot com)

February 27, 2009 | Unregistered Commenter Willem

Hi...

I'm using your tool and I have an E71. My problem is that the file is obviously corrupt ("Datei fehlerhaft" in German). I dunno what's wrong... I exported the cer file on my Vista computer as DER... renamed it and all this... it didn't work. I'm using the Nokia browser. What can I do...

February 28, 2009 | Unregistered Commenter Kai

Hi...

I checked my certificate as I wrote you. CN=name.com is exactly the same in (colloquially translated) "created from" AND in "created for". So it says that the certificate is made by me for myself. Is that what the Nokia mobile has problems with?

cheers

March 1, 2009 | Unregistered Commenter Kai

@ Willem: did you receive the mail + cert I sent? Have you any ideas where I may be going wrong?

March 6, 2009 | Unregistered Commenter JohnnyB

Hello Johnny,

the only (strange) thing I found is the serial number of your certificate. If I compare your cert with mine yours shows the following:

openssl x509 -noout -text -inform DER -in kiwi.cer

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
(Negative)15:ba:0c:b0:0f:c0:e6:74:b1:62:be:b6:3d:96:b5:37
Signature Algorithm: sha1WithRSA
[snip]

Mine:
openssl x509 -noout -text -inform DER -in redel.cer

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
46:ca:12:8c:7a:8a:fd:bf:46:97:7f:8c:2a:34:5f:0a
Signature Algorithm: sha1WithRSAEncryption
[snip]

This is the only strange thing I found. What did you use to generate the certificate? Is it possible to create a new certificate and try that one?

March 6, 2009 | Unregistered Commenter Willem

yeah - i get the same result running that command in openssl. As i said previously the certificate appears to work fine on both my laptop and iPAQ PDA it would just have been great to ditch my PDA for my cell. As for generating a new one i doubt for a minute i have rights to access such utilities or even know how to do it.

Thanks for trying anyway, i think i must just admit defeat on this one.

March 6, 2009 | Unregistered Commenter JohnnyB

Google has some results on negative serial numbers in certificates: http://www.google.com/search?hl=en&safe=off&q=negative+serial+certificate&btnG=Search
It seems that a negative serial might cause problems.

March 6, 2009 | Unregistered Commenter Willem

Hi,
I used 'mmc' with the certificates snap-in to export my certificate in DER format.
The certificate has just one CN as advised above.
I uploaded via your tool and then pointed my Nokia N95 to the correct URL.
However, I receive the error stating file corrupt.
I tested the same URL on Internet Explorer and the certificate adds ok.
Any suggestions?
I am trying to obtain the correct certificate to use M4E on my Symbian N95 (currently have to click ok on the untrusted certificate screen).

April 16, 2009 | Unregistered Commenter Alex Burn

@Alex Burn
Can you mail me the URL you got back from the SymCAImport webpage?
I want to check the CN (among other things).

April 17, 2009 | Unregistered Commenter Willem

Thanks Willem, it works for me in this way.

We have Exchange 2007 with GoDaddy's UCC certificate installed. Everything was working except our mobiles, mainly Nokia, always popping up with untrusted certificate, as everyone suffers here.

I followed the way with the tool William has created (which is mail.ourdomain.com as common name and autodiscovery.ourdomain.com, ourexchangeservername, ourexchange.ourdomain.local). But it did not work. Finally I did the same for the intermediate certificates too. In my case I found there were two intermediate certificates in our server for GoDaddy. I used the same tool to create both of the certificates and it is working fine now.

This test I did on an N73 mobile. I have other models like the E65 and some others; I will test all these and inform this community of the same soon.

Thanks, thanks for your valuable tool

May 17, 2009 | Unregistered Commenter Deemas

Hi Willem, I have the same problem as Sajjad. I have a Nokia E71. As it downloads the certificate and a 'Save Certificate' prompt appears, it is quickly replaced by a 'File Corrupted' message.

Can you take a look at my certificate link?
http://symcaimport.redelijkheid.com/ca/x6q2wpfd.der

Thanks a lot!

May 18, 2009 | Unregistered Commenter Surtur

Hi Willem,

When I try to upload the file on http://www.redelijkheid.com/symcaimport/ on the phone browser a message appears that says "File Restricted" and it won't let me upload. I am on a Nokia E71x. I have tried to upload the certificate from it being sent over email, but it states file corrupted. I have tried to open it from the phone but it states it cannot open...

I called Nokia and I have to teach them what little I know about certs...

I have uploaded it on your site from my computer you can see the certificate here:
http://www.redelijkheid.com/symcaimport/ca/a8f52faf.der

IT guys at work say get a new phone, but I am stuck with this one... Should I call it a waste of $100 (and about 3 of my valuable days)?? Any help would be great.
Thanks!

June 9, 2009 | Unregistered Commenter Michael

@Michael
No idea what the problem is, but even the 'old' service is giving me 'file corrupt' errors at this moment on every certificate I try.
The old service hasn't changed (apart from the redirection)... weird.

If someone can install a certificate, please leave a comment.
In the meantime... I will do some investigative actions.

Update: seems that a reboot of the phone solved my problem. Just uploaded a DER encoded certificate and it installed perfectly.

June 9, 2009 | Unregistered Commenter Willem

I used this site in March 2008 and everything was OK. Now I have changed the CNAME and tried it on a new certificate and I am getting 'File Restricted' so won't let me upload. Only change is the firmware on the N95.. Tried rebooting but to no avail. What has changed, Mr Nokia??

July 15, 2009 | Unregistered Commenter Bob T

@Bob T
Hi Bob, there is a restriction on the file extension at the moment. People tried to upload all sorts of shit. So just make sure that you use one of the following extensions: .cer, .der, .509, .crt, or .pem

Those should work.

July 15, 2009 | Unregistered Commenter Willem
