Friday, October 06, 2006

Security Certificates on a Nokia 6630

Maybe on other Series 60 phones, too. This post may seem a bit long, but believe me, it takes all of about 5 minutes to do it.

Symbian Series 60 phones have a strange way of reacting to certificates offered by websites which are not one of those pre-installed in the phone. The phone pops a message saying "This site has sent an untrusted certificate. Continue anyway?". The user has to manually click Options & select Continue. They can view the details at the most, but that's it. This happens every single time a secure exchange is being made. Believe me, very, very annoying.

So, I was trying for a really long time to install new certificates to my Nokia 6630. It turned out to be extremely simple, but not intuitive at all. This post and some experimentation was what led me to it. The user's manual says nothing about this & the default certificate management application doesn't have an option to install a new certificate.

Here's how to do it:

You'll need: one Nokia 6630 phone, the DKU-2 (USB) cable or bluetooth connectivity & one Windows PC.

Steps:
  1. Get hold of the certificate you want to install.
    • For example, this is the certificate used by GMail for its POP access.
    • Various commonly used Root CA (Certification Authority - such as Verisign, GeoTrust) certificates are available for download on the CA websites.
    • All common browsers provide functionality to install a new certificate being sent by a website you're accessing. Browsers like Internet Explorer (IE) let you export these installed certificates, too. So, if you're looking at a self-signed certificate, just install it in IE & export it.
  2. Make sure that the certificate is in the DER encoded binary X.509 format (.cer file). If you're not sure, in Windows you could import it through IE and export in this format.
    • If the certificate is in the Base-64 encoded X.509, the phone just treats it as a normal note & you can't do anything with it. The format is important.
  3. Transfer the certificate to a folder on the phone using the USB cable or Bluetooth software.
  4. Open this folder from Organizer -> File Manager. Click to open the certificate file.
  5. The phone tells you that this is an untrusted certificate & then shows you the certificate. Click on Save.
  6. It asks you for what purposes do you want to use the certificate for. These are called Trust Settings. Select Internet and click OK.
    • You may want to use it for something else, such as signed software installation. In that case, select the appropriate trust setting.
  7. Confirm once that the trust settings are set properly through Tools -> Settings -> Security -> Certificate Management.
Allright!! You're set to go. Whenever you visit a website which uses the certificate you just installed, you get no more annoying popups. Just a clean, click-free website.

Update 06/01/2009


Just to answer a question posed by Ivan in comments, if you only have a base-64 encoded X.509 certificate, here's how you convert it (using Windows, I'm afraid):

  1. Go to Windows Control Panel and open Internet Options (you can also open this from Internet Explorer's Tools -> Options menu).
  2. Go to the Content tab and click on Certificates.
  3. The Certificates window has a button named Import... Click on this and import your base-64 encoded certificate.
  4. The certificate will now be visible in one of the tabs - most probably the one you had open when you imported it.
  5. Now select your certificate and click on Export...
  6. Once inside this Wizard, just go through it selecting DER encoded binary format, when asked.
  7. Locate the exported certificate file and you're done.

12 comments:

Lamba said...

Sir,I have similar problem with profimail and Nokia-6681.Exported the certificate to phone C drive, but file manager,opera and FExplorer do not recognise the fotmat.Unkown file format.Please advise how and where to install/place the file(certificate)

Viraj said...

Sorry for not posting a comment for a few days. Diwali in India. :)

Please make sure that the certificate you are saving to the phone is in the DER encoded X.509 format. Try out the certificate for GMail POP access (link) mentioned in the article. Transfer it to the phone's MMC. File Manager should ideally open it & show options 'Save' & 'Delete' when it opens. This is what works on a 6630.

Tadeu Ferreira Oliveira said...

It is getting the same error for my Nokia 6230: "Unknown file format" using the .cer downloaded from your site.
I tried to use it on base64 format too but same happen.
Any suggestions?

Mathew said...

Excellent. Copied .pem file from my linux box to windows; renamed to .crt so windows would import it, exported it to binary .cer; emailed to 6680; opened, saved, and voila!

Thanks.

Viraj said...

Hey, thanks, Mathew. As I said, it's a breeze once you know the certificate encoding.

Rick said...

Thank you, been looking for an answer for this problem for a while. It worked on my Nokia 6682 using ProfiMail and Yahoo email

Ivan said...

Hi, could you please give stp-by-step description of import/exportprocedure? I have my crtificate in Base-64 encoded X.509 format (I guess, since I see it on the phone as plain text). How exactly toconvert it to the binary format? Thanks

Viraj said...

Hey Ivan, I've answered your query in an update to the post. Take a look. Cheers!

Ivan said...

Thanks. I did it as described and got the binary file. But when I tried to open it on my N95 I had Unknown file format error. (BTW, the GMail cerificate which you gave as a sample works). What could be wrong there?

Carlzhuang said...

Would you advise where I can get hold of " Thawte Premium Server CA" ? I need that to get campus WPA2 PEAP wireless to work, but accidentally deleted it from my S60 phone. Actually, I deleted all certificates that were deletable, as I thought they were remains of last user's setup ....

Thanks a lot!

Viraj said...

I didn't really get your question, Carl. Are you talking about a root certificate like the GMail one I describe in the post? If that's the kind of certificate you're looking for, the Thawte site, www.thawte.com, might prove helpful.

If not, can you elaborate some more?

tt said...

Hi
In my university you can only access internet with der certificate , but I can't transfer the certificate from the memory card . how can I do that??