Installation Root CA on Nokia E61 Made Easier
From this day on, you can install certificates from non-trusted CA’s on your Symbian-based phone (like the Nokia E61) using this page.
All you need to do is make sure that the certificate is in the DER format. The webpage doesn’t verify if the certificate is in the correct format. This is up to the uploader.
I created this page, because I work a lot with certificates, so I don’t want to be bothered with the workaround described in the earlier post.
The current version is quick-and-dirty (no error messages). I’ll try to make it more user friendly in the next couple of days (like having the option of sending the URL to an e-mail address). Just make sure that you obey the guidelines shown on the page, and all should go well.
Feel free to add a comment on how to improve this.
UPDATE: This works on (almost) every Symbian based (Nokia) phone. It has been tested with a couple of phones from the Nokia E and N series.
June 24th, 2007 at 4:25 pm
Like many people I have spent ages tring to get my E61 to work with my Exchange Server. I originally managed it about 6 months ago but had to reconfigure the server, since when I get nagged about the untrusted cert error. I have tried turning off SSL on the phone but this only works for a few hours before it fails to sync.
I have tried your method but it although the cert seems to install it doesn’t resolve the error.
Any more help as to what certificate I should be submitting very greatfully accepted…
Currently my server is configure with the Wizard in Small Business Server 2003 as mail.MYDOMAIN.co.uk but when I submit a cert (exported from entering https://mail.MYDOMAIN.co.uk/Exchange and clicking on the padlock in IE) It shows up as a cert called MYSERVER.MYDOMAIN.co.uk which I assume is where things are going wrong…
June 24th, 2007 at 10:18 pm
Hi Derek,
your assumption is right. The ‘Common Name’ in the certificate doesn’t match the URL (the first part). This will always show a warning. The problem is that the Nokia browser isn’t very clear on that.
The only proper way to correct this is to get a new certificate for the right URL. So you need a certificate for mail.MYDOMAIN.co.uk.
I don’t know if you have a commercial certificate or a so-called self-signed certificate. My guess is that you have a self signed certificate at the moment, since it’s called MYSERVER.etc. Create a new one and import it and all should be working again without annoying warnings.
Hope this helps.
B.t.w. it’s possible to have more than 1 certificate on the server, so there’s no need to remove the other one. You can still use that one for other purposes (if you have any). Just ‘bind’ the new one to the website which servers the OWA interface.
June 26th, 2007 at 1:29 pm
Thanks for the reply. It’s more than I got from Nokia…..
I have tried to do what you say and after running the Internet and Email wizard in Small Business Server 2003 I have created a new certificate in the name of mail.MYDOMAIN.co.uk (using the domain I give in my email address). This seems to work for my email on a pc without error but when I login to https://mail.MYDOMAIN.co.uk/exchange on a pc I export a cert using the der option which gives me a .cer file. I then run it through your online tool and access it via a browser on my Nokia where it installs. However, the certificate problem still pops up everytime…
This is a real pain…. Do you have any idea’s what I can be doing wrong?
June 26th, 2007 at 1:44 pm
Hi Derek,
I think I found your problem. Your certificate is signed by a CA. You need to export the CA certificate and import that one on your phone. I checked the logs on my server and you’ve uploaded the certificate for the mail server. You should have used the issuing CA.
The best way of accomplishing this is to open the certificate on your server. Check the tab ‘Certification Path’. This should show a chain of certificates.
Double-click the top one (that’s the issuing CA). Open the details tab on the newly openend certificate window and click the ‘copy to file’ button to export it in the DER based format.
Upload that certificate, and import it on your phone.
The reason for receiving errors is that the Nokia validates the certificate. It sees that the certificate (with the correct DNS / Common Name in the subject field) is issued by a CA (your root CA), but it has no knowledge of this CA. That’s what is causing the error/warning.
I guess that the small business server does some thing in the background when using certificates. Just to offload the burden on the certificate creation/maintenance process.
June 26th, 2007 at 3:47 pm
I must be doing something wrong here…
Here’s what I do…
Open IE on server. Type in https://mail.MYDOMAIN.co.uk/exchange
Click on padlock to open cert
Click on Certification Path
I am then shown a cert saying mail.MYDOMAIN.co.uk in the top box and “this certificate is ok” in the bottom (status) box. This is the only cert shown and I can’t open it by doubleclicking on it..
Your help is very much appreciated…
dc
June 26th, 2007 at 5:06 pm
My last post seems to have gone walkabout..
This is what I have just tried..
I opened IE and entered https://mail.MYDOMAIN.co.uk/exchange
Clicked on the padlock and then the certification path tab.
This tab just has “mail.MYDOMAIN.co.uk” in the top (path) box and “this certificate is ok” in the lower status box.
I can’t double click on this cert (or anything else).
I’m obviously doing something fundamentally wrong here. Any idea’s what??
June 26th, 2007 at 6:27 pm
Hello Derek,
When I examine the certificate, it shows 5 CN (Common Name) entries in the subject field. The last CN entry contains the proper name for the server. When I tried to import it into my Nokia, it shows the wrong Common Name. In fact it just displays the first Common Name. Since the displayed Common Name is different from the actual Fully Qualified Domain Name, it’s quite logical that you receive an error that the certificate doesn’t match the URL you’re visiting.
I guess that the Nokia doesn’t like the set of multiple Common Names in the subject field, and it just picks the first one it sees (the wrong one).
Normally a (Windows) certificate has a subject that contains the following entries:
CN=mail.domain.co.uk
DC=Domain
DC=co
DC=uk
or if you’re using a ‘normal’ non MS certificate:
CN=mail.domain.co.uk
OU=organization unit
O=organisation
I don’t know the certificate generation process of the MS SBS, but try if you can generate a certificate with only 1 CN (with the proper name). Alternatively, you may try to use OpenSSL to generate a selfsigned certificate. There are lot’s of tutorials on that.
June 26th, 2007 at 7:52 pm
I’ve tried changing the common name to the fqdn but after I changed the server name in my Nokia settings to this fqdn it just won’t snych. Are you sure this fqdn is right? It seems to end in .local which doesn’t seem right to me..
dc
June 26th, 2007 at 8:29 pm
I’ve had to go back to mail.domain.co.uk to get mail to work properly. I can either trust the cert manually each time (which is a pain) or turn off ssl on the phone which only works fitfully and obviously isn’t an ideal situation..
Seems that I’m stumped…
dc
June 27th, 2007 at 1:14 am
Thanks for your email but it seems that my server must be messed up when it comes to certificates. I’ll try and find a solution…
dc
June 28th, 2007 at 12:28 pm
I have tried dealing with Godaddy.com but they refuse to accept emails from me for some bizarre reason or other. I think I will just use leave the SSL option turned off on the phone. As long as I turn it on first thing in the morning for the first sync and then turn it off again it seems to work fine for the rest of the day or as long as the phone is left on..
Not ideal but I’m fed up trying to sort this out.. Is there a way to turn off the ssl requirement on the server?
dc
June 29th, 2007 at 12:30 pm
Hi Derek,
I have no idea on how to turn off the SSL requirement on the SBS. Guess you’re left with google on that one.
B.t.w. strange that GoDaddy refuses your e-mail. You might be on a blacklist or something.
June 29th, 2007 at 1:28 pm
Success… I have finally managed to get the certificate trusted.
Here’s how I got my Nokia to accept the certificate as trusted. It may not work for everybody but it worked for me and after the past week of messing about I am truly grateful for that…
Basically, I uninstalled then reinstalled Certificate Services through add/remove programs. I then followed the advice on this site (below), but only as far as requesting a cert through IIS Manager.
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
I followed the advice until this section (mainly because it wouldn’t allow me to request a cert through IE on the server…)..
“Getting the Pending Request accepted by our Certificate Authority”
I then opened “certification authority” on the server (through administrative tools) and right clicked the cert authority which will have the same name as the cert you had just requested and selected properties. In my case, something like mail.mydomain.co.uk…
Under the General Tab I highlighted “certificate#0″ in the CA Certificates box and clicked “view certificates”.
This opens the cert and I then clicked the “details” tab and saved the cert to a location using the “copy to file” button.
Using the wizard I selected the first option “DER encoded binary x509(.cer) gave it a friendly name, saved it somewhere handy and closed the wizard.
I then copied the file onto a pc with the Nokia PC Suite installed and copied it to the documents folder (although any one will do). I guess you could bluetooth or email the cert as well..
I then browsed to it on the phone, clicked on it and it let me save it automatically into the certs folder. I restarted the phone, checked SSL was on and bingo the certificate was trusted and remains working today… You might have to delete an existing cert if you already have one installed as it won’t let you overwrite it..
As I say, I can’t say this will work for anybody else as I have probably fiddled around with the server so much it has gone west in some respects, but it works for me and that’ll do for now…
dc
July 2nd, 2007 at 6:18 pm
There is a bit I left out when working through the exchange tutorial above…
When using the Certificate Services and entering a common name (mail.mydomain.com, say) change the box below (the distinguished name suffix) to…
DC=mydomain,DC=com
Then carry on as before…
This seems to give you 3 rather than 5 entries in the resulting certificate which seems to solve the problem…
dc
July 5th, 2007 at 9:25 am
Thanks a lot Willem. Your website helped me a lot. And finally I got to install the certificate on my Nokia E65. But still the are problems:
When i set the exchange server properties to my local exchange server (sample_exchange_server.domainname.local) & using my WLAN connection in my office ; emails are directly pushed to my mobile without any certifiacte problems.
The real problem arises is when I am out of office & I am using a gprs connection. In theese situation I set the exchange server to http://www.mycompanyname.com & connection to GPRS. I can get the emails pushed to my mobile, but every time I get this certificate authentication popup & I have to press continue now & then. This is really a pain & annoying.
The certificate issued by my OWA (www.mycompanyname.com/exchange) & my local exchange server (sample_exchange_server.domainname.local) are the same. In addition the certificate issued only has one root (no multiple roots).
It’s only me having this problem. My colleagues who have Windows Mobile PDA(Imate & O2) don’t have any crappy certificate issues ( this proves that our certificate is stable & has no problems). For your info mwe are using a SBS 2003 self signed certificate. We have implemented push email technology in over 5 companies using Imates (or a windows PDA device). Why Nokia has to be a pain.
I would be eagerly waiting for your feedback. Please help me out
Thanks a lot in advance
July 11th, 2007 at 7:51 pm
Hi Muneer,
your comment ended up in the spam container, sorry about that.
let me see if I understand your challenge;
Your corporat OWA is accesible through your intranet using xyz.domain.local. The SAME OWA interface is also accesible through the internet by using whatever.domain.com.
Both interfaces use the same certificate. What is the common name in the certificate?
Is the certificate issued by the same certificate authority, or is it a selfsigned certificate?
So I could use a bit more info on this.
You may mail me directly by using willem @ [thiswebsite].com is you’re reluctant to certain info with the rest of the world.
B.t.w. Microsoft devices tend to remember earlier settings made by the user, so if you accept the ‘illegal’ certificate once, it will problably accept it (silently) the next time.
July 13th, 2007 at 10:43 pm
Willem, I tried upload Equifax and Thawte certificaties at your http://www.redelijkheid.com/symcaimport/ - not work on my Series40 phone. Can you (or somebody) convert these certificaties from DER to WPKI hashed format? I will send it with email attachment…
July 13th, 2007 at 11:46 pm
Hi Daniel,
pffff, no idea what the WPKI form exactly is, but I might give it a shot?
http://forum.nokia.com/main/resources/technologies/browsing/support/phone_security_faq.html has some suggestions. I’ll try to incorporate them in my download page, so it supports S40 and S60 phones.
July 15th, 2007 at 5:00 pm
Willem,
I tried your changed import-site, but no work for me. Sorry. Obviously, result must be in WPKI format and server MIME type application/vnd.wap.hashed-certificate. Tnx for effort.
July 15th, 2007 at 5:16 pm
Hi Daniel,
could you try it again? I made some modifications to the HTTP headers on the server. Don’t think it will make much of a difference, but one can always hope.
B.t.w. there is a lack of information on the Internet about WPKI conversion…..
Anyone with more info about this?
August 24th, 2007 at 10:54 pm
Hi Willem.
I just want to thank you for your work. I used your site with my N73 Nokia phone. Everything is works now!
Thanks again!
Best,
Michał
September 10th, 2007 at 4:26 pm
Would it be possible to get a copy of the perl/php or whatever code is driving the script on that page please? Would like to host a local copy for doing some of my certs if possible. I tried just setting the MIME-Type to application/x-509 or whatever was recommended by Nokia but couldn’t figure it out in Exchange, I might play with Apache this afternoon but I thought it might be easier to just get the script
PS: This page was very useful in getting my N95 to work, although it took me a while as there are lots of bits and pieces with lots of misinformation all over the net. I’m writing up a full howto on how to configure MS Certificate Services and the process to get this to work with the N95s now… Don’t have anywhere to publish it yet though.
September 10th, 2007 at 8:29 pm
Hi Chris,
I used Coldfusion for those pages and I configured IIS to return the proper MIME setting to the browser.
If you want the coldfusion source code, I’d be more than happy to provide it. My e-mail address can be found on the ‘About the Owner’ page. We can discuss the other part by e-mail if you like.
September 11th, 2007 at 10:57 am
Guys,
maybe the dumbest question of the day…but is there a way to edit a certificate ?
Mine has extra CN= lines in the subject field and i have no idea how to remove this….
Ideas?
September 11th, 2007 at 1:02 pm
Derek @ June 29th, 2007 at 1:28 pm had a similar problem. He solved it by reinstalling the certificate services etc. Have you tried his solution?
September 15th, 2007 at 12:30 am
Hi willem, thanks for the solutions. I ve been messing a couple weeks just to get the certificate installed on nokia devices. It realy help me out that ur page do the work for me, and it works like a charm, thanks so much…btw, can i implement the script on my server (with credit for you :wink::wink: for sure ) thanks in advance.
September 15th, 2007 at 9:27 am
Hi Othman,
I made the files available for everyone (I had several requests in the last week). You may download them here.
October 22nd, 2007 at 4:16 pm
Many thanks for this tool which has solved our problem with the Nokia E65. Really appreciated. From Linda in South Africa
November 5th, 2007 at 11:49 pm
Does anyone know whether it is possible to export a CA certificate from a Nokia E61? Thanks.
November 6th, 2007 at 9:10 am
Hi Greg, as far as I know there’s no export function available.
Commercial root CA’s must be available for download at the CA’s website (e.g. https://www.verisign.com/repository).
November 15th, 2007 at 8:36 am
Can the tool also convert from X.509 DER to WPKI? I have a Nokia 6021 which only supports WPKI.
November 15th, 2007 at 9:39 am
I’m afraid not. I still haven’t figured out on how to convert the formats. Sorry
December 5th, 2007 at 7:41 pm
Nokia N95 8GB certificate import.
I used this page and apparently successfull.
I´m puzzled though. When I look at the certifikate before I upload it. it shows the url I use for webaccess and Outlook using RPC over https. Bur when I look at the certificate on the phone, it shows the local name of my server with domain name. !?
Still M4E does not work but says system error, try again later.
What to do the ?
December 6th, 2007 at 2:16 pm
Hello Claus,
the SSL certificates that are generated for Outlook stuff contains multiple Common Names ‘CN’ or additional ‘Subject Alternative Names’. Apparently, the Nokia interface only shows one. My guess it’s the first. Just open the certificate on a windows platform and take a look at the details.
no idea what you mean by ‘M4E’ though.
December 11th, 2007 at 5:07 pm
Hello Willem,
I found your website the most useful one (and I visited a lot to this issue), but when I use your service and try to download the changed Certificate from your urls, my Nokia E51 (s60 3rd) says “dateifehler” (Fileerror) and it the import into the certificate store fails. It doesn’t matter if you use a der or cer ending. Nothing of those worked. Perhaps you will see it in the logs called cfs.cer or cfs.der. It is a self signed certificate, which works fine on Windows Mobile our admin says.
December 15th, 2007 at 12:00 pm
Thanks for this great tool!
Made getting my phone and clients phones working with Exchange a breeze!
Cheers and Merry Xmas,
Greg Lipschitz
Summit IT Management
Melbourne, AU
January 2nd, 2008 at 12:45 am
Thank you very much for your perfect tool! Incredible how many people lose so much time with bad software and arrogant companies - and how easily it could be saved. Thank you again and good luck for 2008! Hilko
January 6th, 2008 at 5:08 pm
It is painful to pay for the midlet to sign? Why should we pay it? It is my phone, if I want to install some application that I developed, why should I pay Verisign money!!! And also I hate the operators that disabled the J2ME API. Why? Because some API be disbaled onpurpose by the operator, like AT&T. Fox eample, nokia phone model 6085, when release in other country you can access getSnapshot() while in US you can’t. Why the AT&T or cingular disable the getSnapshot API. It is my phone and I as the owener of the mobile phone, should control the phone myself. Agree?
Willerm,
We definetely hope your tool can solve the S40 problem. I have Nokia 6085. From what I read on Internet, it requires WPKI format.
January 6th, 2008 at 5:22 pm
Hi drhu,
it is possible to get a symbian developer kit to sign your own applets. Problem is that the app only works on your own phone (it’s EMEI number dependent). I played around with it with some apps and it works fine. So the VeriSign or other commercial CA certs are only required if you go commercial with your app.
In the meanwhile I’ll fool around with the WPKI format. There are some commercial tools around which can do the conversion, but since I’m dutch….. I refuse to pay, and will find a way around it
January 6th, 2008 at 6:06 pm
Hi Willem, Would you please more specific how to enabled my nokia 6085 phone have the access getSanpshot()?
January 6th, 2008 at 6:26 pm
Download for S40
You may use the following link to download your uploaded certificate (ca.cer) on your phone:
http://www.redelijkheid.com/symcaimport/ca/h3k88ec8.cer
Mail the URL
NOTE: Please verify the certificate details (e.g. the fingerprint) to make sure you install the correct certificate.
Installing the wrong CA might render you vulnerable to man-in-the-middle attacks.
Process another certificate or back to the blog
++++++++++++
when I download the above link on my phone, it says “The requested page can not be displayed”
January 10th, 2008 at 10:50 am
I uploading my cert file, and tried to access. When I try to save, I am told the “New certificate might me unsecure. Save anyway?”, and then told “Certificate already existst”.
however, when ever I try and snyc, I am told “Untrusted Certifiate received from server. Please contact you system admin”
Am I missing a step here?
January 10th, 2008 at 11:21 am
I got it working: I had to get the intermediate certificate installed on my phone.
January 10th, 2008 at 6:43 pm
Hi dhru,
It doesn’t surprise me that the S40 phones aren’t working. The technique I used was purely theoretical. However, there’s some light on the horizon. I asked a friend to write a WPKI converter which I can implement in the download tool.
Downside is that there’s not much info on the subject, so it might take a while.
February 11th, 2008 at 12:55 pm
Just wanted to trop u a line.. Been working on cert issues via activesync on my N95 but now after 3-4 months of no SSL connection I finally got it
Thanks a bunch
February 18th, 2008 at 12:57 pm
Hello!
I want to say BIG thanks to derek (and of course to Willem).
derek, I followed your instructions and I finally have my certificate trusted from my Nokia E51/E90. I am using SBS2003 too.
I was simply bored trying to manage this to work and I was using Road Sync (which can work without certificate) instead built-in Nokia’s Mail for Exchange.
THANKS, THANKS!!!
March 4th, 2008 at 1:22 pm
Hi,
Have a similar problem with import certificates. Except when i download the file from the web my phone keep saying “File Corrupt”.
I have tried using your web solution and also uploading files to my own web space and setting the MIME types. Both ways i get the same result.
Anyone have any idea why its say corrupt?
Thanks
Brian
March 5th, 2008 at 7:47 am
After scanning through support FAQ, nokia’s site I eventually foudn your free service, worked like a charm on the Nokia N82! Thanks, my paypal account needs certification otherwise I would have donated, will donate as soo as mine is up and running. Nokia owe you BIG!
April 5th, 2008 at 10:35 pm
Here is my dilemma…
I am running my own server with a self signed ssl certificate for the exchange server. Any way to import the ssl certificate (either through my IIS or this web site) gives me the error “FILE CORRUPTED” . I know the file is fine since I imported it into a WM6 device OTA via IE and IIS without any problems. What am I doing wrong?
April 6th, 2008 at 8:59 pm
Make sure that the certificate format is in DER format (binary) and not in the readable BASE64 format.
April 12th, 2008 at 1:40 pm
i have the nokia n73 and i have installed the first certificate with no problems but now i want to install an onther one and the phone says that the certificate is damaged. does anyone know why that is?
April 13th, 2008 at 10:04 pm
It’s either in the wrong format (base64 instead of DER), or you’re missing a root or an intermediate certificate.
More and more certificate chains consists of more CA’s. A root CA, and an issueing intermediate CA. Just verify the ‘issuer / issued by‘ field in the certificate to verifiy the actual chain. And import the certificate of the CA you’re missing.
April 15th, 2008 at 9:16 pm
oke thx but i have one more question. i have made a certificate with the s60 3rd edition fp2 sdk using the makekeys command and all the certificates i have made so and sumbit it to this site and after the download is done on my phone nothing happens, no option to save the certificate. other certificates i can save with no problems. what can be the problem?
April 22nd, 2008 at 1:19 pm
Juz wanna say thanxs.
used your site to get certs on 8 nokia phones, how else do they do it?
April 24th, 2008 at 10:53 am
dear sir,
I have nokia e65, I had installed mail for exchange on my mobile. i had configured my mobile as follows :
server : webmail.apl.com
secure connection : Yes
access pint : weireless
use default port : Yes
The problem is, when Iam trying to connect, i am receiving “Secure connection required, set the secure connection to Yes in profile”, although its already set to Yes.
After searching on the net, i find that i must install web cert. from webmail server ( pls note that the web server is powered by the mother company in US, and I dont have exchange here). I went to my OWA site, and transfered the web certificate in der format. but when transfered it to my phone and try to install it, i got this error
” Save Certif.: featuer not supported”. In the securty panel on the phone, i went to entrust CA, and set the settings of it to Off.
But still unable to connect to exchange server.
Any Guide pls
thx … mua
April 24th, 2008 at 7:08 pm
When you open the certificate with notepad, is it ‘readable’. If so, you need to convert it to the binary format (lot’s of hints on that via google).
I checked your OWA website and adding the Entrust (root) CA should be the only CA you need to add.
I don’t have any experience with the exchange connector on the Nokia, so I can’t reproduce this. Sorry on that.
April 27th, 2008 at 10:20 am
Willem,
for my reference, it should be exported in 64 based format! if so then its text file, one more thing i had noticed, when exporting the certificate, it doesnt conatins the keys, it IE behave.
thx n rgrds…mua
May 17th, 2008 at 5:43 pm
Perfect! Has been done at a glance.
Saved a lot of time, thank you so much!
June 2nd, 2008 at 7:14 pm
THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! THANK YOU! =D I was going NUTS with this!
June 7th, 2008 at 2:22 am
I’m trying to install a Thawte code signing certificate on my nokia 6131 nfc (s40 3rd ed.).
I got a Thawte code signing certificate from http://www.thawte.com/roots (I also tried with exporting thawte and verisign certificates from IE). I check valid usages and code signing is there.
I succeed by using the site http://www.redelijkheid.com/symcaimport/index.cfm, surprisingly just if I use the “S60 device” option.
I downloaded the .der cert on my PC. I check valid usages and code signing is there.
However, once the certificate is installed on my phone (I downloaded from the website), I check the allowed uses: Application signing is unchecked!!! and I cannot check it! I also tried to install an application (opera mini 4.1) signed with thawte without success.
I guess just the 6131 nfc certificate manager does not allow for other code signing certificates than the nokia ones. Does anybody know another method to install code signing certs in s40?
June 18th, 2008 at 3:23 pm
Hello.
I’m trying to do anything with certificate and Active sync on E61 and last MFE, but without results.
May be something wrong with my Certificate? https://mail.rmg-media.ru
E61i ask me about untrusted certificate again and again. I think and the last idea, that something wrong with certificate. Please, anybode help me.
June 25th, 2008 at 8:56 am
@ Kermit007
Your certificate doesn’t have the proper common name. The current common name is:
CN = RMG-CA
The error you receive is that the URL displays a different name than the one contained in the subject field of the certificate.
This should be mail.rmp-media.ru
You may want to generate a new certificate with the proper CN value.
(everything on your own risk (of course))
August 25th, 2008 at 4:53 pm
Good for you for hosting this service. A lot of people probably have no idea how to install & run openssl or configure mime types. I’m sure you’ve saved hundreds of frustration hours already. Good job man.