Import Root CA in the Nokia E61
Last week, I received my new Nokia E61i. As soon as I tried to connect to my own IMAP server (over SSL/TLS), it started nagging about the (self-signed) SSL certificate.
The E61 has a certificate store, so I should be able to add other Root CA’s to this store, but this is where the trouble began.
The manual has a chapter on certificates, but it lacks a working explanation of “how to import third party root CA’s”. On my old iPaq, it was simply a matter of uploading a DER encoded certificate and clicking on it, and it would install. Well, this doesn’t work on the E61 (and many other Symbian-based phones). Just ‘google’, and you’ll find lots of people with similar problems…
The working solution I found uses a website from which you download the certificate with the phone, but there is a catch; you need to add a MIME-type to the website containing the certificate (hence the admin rights).
This is what you need to do (on a Microsoft IIS):
- Make sure you have the certificate in DER format available. If you’re not sure about this, just open the certificate and open the second tab. Choose ‘Copy to file..‘ and select the DER option.
- Make sure the extension of the certificate is ‘.der‘
- Upload the certificate to your webserver.
- Open the IIS Manager and open the properties on the folder (or website) where you uploaded the certificate.
- Open the ‘HTTP Headers‘ tab, and click on ‘MIME Types‘
- Add a custom MIME type. The Extension is ‘.der‘ (without the quotes, but with the point), and the MIME Type is ‘application/x-x509-ca-cert‘ (also without the quotes).
- Close all the open windows.
- Go to the URL where you can download the certificate with the built-in browser of your phone (e.g. http://www.redelijkheid.com/temp/certificate.der).
- Your phone will recognize the file as being a certificate (the MIME type makes sure of this), and will ask you if you want to import it. While importing, the import wizard will ask for trust settings of the certificate. I just enabled both.
- After this you should be able to use certificates issued by the newly imported CA without any warning.
B.t.w., this also works for self-signed certificates.
Since not everyone has a private webserver, I will try to create a webpage on which you can upload your certificate. It returns a URL which you can use with your phone browser to download and install the certificate on your phone.
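For readers without IIS, the same steps can be reproduced on any machine the phone can reach. The script below is an added example, not part of the original post: it converts Base64 (PEM) input to binary DER, checks the outer DER framing, prints fingerprints to compare with what the phone shows before import, and serves the file with the `application/x-x509-ca-cert` MIME type. The function names, port 8000 and the choice of digests are assumptions.

```python
import base64, hashlib, pathlib, re, sys
from http.server import BaseHTTPRequestHandler, HTTPServer

MIME_TYPE = "application/x-x509-ca-cert"  # MIME type given in the post
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_framing_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (outer framing only, not a full X.509 parse)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:  # short-form length
        header, body = 2, data[1]
    else:  # long form: the next n bytes hold the length
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + body == len(data)

def to_der(data: bytes) -> bytes:
    """Return binary DER, decoding Base64 (PEM) input first if needed."""
    match = PEM_RE.search(data)
    if match:
        data = base64.b64decode(match.group(1))
    if not der_framing_ok(data):
        raise ValueError("input is not a single DER-encoded certificate")
    return data

def fingerprint(der: bytes, algo: str) -> str:
    """Colon-separated hex digest, for comparison with the phone's import dialog."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def make_handler(der: bytes):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):  # every path returns the certificate
            self.send_response(200)
            self.send_header("Content-Type", MIME_TYPE)
            self.send_header("Content-Length", str(len(der)))
            self.end_headers()
            self.wfile.write(der)
    return Handler

if __name__ == "__main__":
    der = to_der(pathlib.Path(sys.argv[1]).read_bytes())
    for algo in ("sha1", "sha256"):  # assumption: the phone shows one of these
        print(algo, fingerprint(der, algo))
    HTTPServer(("0.0.0.0", 8000), make_handler(der)).serve_forever()  # port is an assumption
```

Run it with the certificate file as the only argument, then browse to the machine's address on port 8000 from the phone and compare the fingerprint in the import dialog with the printed one.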




March 18th, 2008 at 1:42 pm
Thanks for the tip, it worked perfectly.
-Abhi.
April 23rd, 2008 at 1:21 pm
There is a simpler method: just change the extension of your DER format certificate from .cer to .der, copy it onto your Nokia, then install. Smooth.
Cheers
April 23rd, 2008 at 2:22 pm
@Wusu I.O.:
It is possible that Nokia has made some software/firmware updates which solve the problem.
The procedure you’re describing should work (in theory), but it doesn’t on lots of phones. What kind of phone (and software version) are you running?
August 31st, 2008 at 12:27 am
Thanks for these tips, and the certificate download tool. The problem I’m facing (on a Nokia N95) is that when I try to open the cert after I’ve saved it to the phone, it tells me the certificate is corrupted. When I visit the link, and *before* I save the cert, everything is fine (issuer, fingerprint, etc). The problem seems to arise only after it’s been saved (and I therefore continue to be warned about my mail server’s untrusted certificate).
Any ideas?
August 31st, 2008 at 11:03 am
@Rotorglow:
A couple of possibilities:
1) The certificate is in the BASE64 format instead of the binary DER format.
2) The phone can’t make / determine the complete certificate chain.
3) The subject of the certificate contains multiple CN’s (common names). This happens with e.g. Small Business Server. It puts all possible names of the server in the subject, and somehow the Nokia finds this troublesome (I think it picks the first one).
CN=server
CN=server.domain.local
CN=mail.domain.com
Best way is to recreate the certificate with the proper public CN (this might give you some issues if you’re connecting to the server from the inside by using e.g. server.domain.local).