Creating Self-signed Symbian OS Certificates

Petteri Kangaslampi, pekangas@s2.org

Introduction

This short note describes the steps required to create a self-signed certificate for signing Symbian OS packages, converting it to a format suitable for use on a 9210 Communicator, installing it on the device, and signing the packages. Most of this information comes from the 9210 SDK, but some issues (such as certificate conversion) are not described there.

Note! This information is valid for Series 80 phones only. For information on self-signing applications for S60 3rd edition, see the SDK or Forum Nokia.

In short, the steps are:

  1. Creating the certificate
  2. Converting the certificate
  3. Installing the certificate
  4. Signing the installation package

The rest of this note describes each of the steps in more detail. The discussion assumes that the 9210 SDK has been installed, and paths set up properly.

Creating the Certificate

The certificate and its corresponding private key can be created with the following command:

makekeys -cert -dname "CN=Your Name EM=email@address CO=XX" filename.key filename.cer

The placeholder values (Your Name, email@address, XX and filename) should be replaced with your own values. The dname (distinguished name) parameter string can also contain other values; see the makekeys help for more information. makekeys will prompt you to enter a passphrase for the key. Using one is highly recommended.

Important note: QuickEdit mode must be disabled in the shell window; otherwise random data gathering won't work.

Converting the Certificate

For some reason, makekeys creates certificate files that the 9210 certificate manager software cannot read. To work around this, the certificate must be converted to a suitable file format. This can be done either using the built-in certificate management tools in Windows or with OpenSSL.

Conversion with Windows

To convert the certificate to a supported format, use the following steps:

  1. Open the newly generated certificate file by double-clicking it in Explorer
  2. Click "Install Certificate" and follow the instructions, using default settings
  3. Open "Internet Options" from Control Panel, select the "Content" tab, and click on "Certificates...".
  4. Locate the new certificate in the "Trusted Root Certification Authorities" tab. If you used non-default options when installing the certificate, it may be visible in one of the other tabs.
  5. Select the new certificate and click "Export...". Follow the Certificate Export Wizard's instructions, and select "DER encoded binary X.509 (CER)" as the export format. Enter a new file name.

The certificate resulting from these steps can be installed on a 9210 Communicator. Note that you should retain the original file too, since it can be useful with other SDK tools.

Conversion with OpenSSL

Conversion with OpenSSL requires just a single command:

openssl x509 -outform DER -in inputfile.cer -out outputfile.cer
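
As an added example (not part of the original note or the SDK), the following Python check confirms that a certificate file is in DER form before it is transferred to the device, converting it from PEM if needed. It assumes the makekeys output is PEM text, which is the input format the OpenSSL command above reads by default; the sample data is constructed and is not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_outer_length(data):
    """Return the total length implied by the outer DER header, or raise ValueError."""
    if len(data) < 2 or data[0] != 0x30:       # a certificate is a DER SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                           # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                           # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def to_der(data):
    """Accept PEM or DER certificate bytes; return (original_format, der_bytes)."""
    m = PEM_RE.search(data)
    if m:
        # Strip line breaks from the base64 body, then decode strictly.
        fmt, der = "PEM", base64.b64decode(b"".join(m.group(1).split()), validate=True)
    else:
        fmt, der = "DER", data
    # Only the outer structure is checked: this catches truncated transfers and
    # trailing data, not a malformed certificate body.
    if der_outer_length(der) != len(der):
        raise ValueError("DER length mismatch (truncated file or trailing data)")
    return fmt, der

def make_sample_pem():
    """Constructed sample: a 300-byte DER SEQUENCE in PEM armour, not a real certificate."""
    body = bytes(range(256)) + bytes(40)       # 296 bytes of filler content
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    b64 = base64.encodebytes(der)              # base64 text broken into lines
    return der, b"-----BEGIN CERTIFICATE-----\n" + b64 + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    der, pem = make_sample_pem()
    print(to_der(pem)[0], to_der(der)[0], len(der))
```

To use it on a real file, pass the file's bytes (read in binary mode) to to_der() and write the returned DER bytes to the output file.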

Installing the Certificate

Because the certificate is self-signed, the device will not trust it by default. To install the certificate on the device and set it trusted for software installation, follow these steps:

  1. Transfer the file to the device normally, and save it to a known location.
  2. Open the Certificate manager from the communicator's Control panel.
  3. Select "Add" and choose the file. This installs the certificate.
  4. Select the newly installed certificate from the list, select "View details", select "Trust settings" and enable "Software installation".

After this process the Communicator will accept installation packages signed using the new certificate.

Signing the Installation Packages

Finally, to make use of the new certificate, installation packages must be signed using the corresponding private key. This process is documented in the SDK, but, briefly, the steps are the following:

  1. Copy the original key and certificate files created by makekeys to a known location. In this example, the files are assumed to be at c:\home\user\keys\filename.key and c:\home\user\keys\filename.cer.
  2. Add the following line to the installation package file (project.pkg):

    *"c:\home\user\keys\filename.key","c:\home\user\keys\filename.cer"

  3. Create the installation package normally. If you set a passphrase for the key, makesis will prompt you for it.

The new installation package can now be installed normally and without security warnings.