Search the Site

My Social
Meta
Powered by Squarespace
« Cannot Authorize Phone | Main | Import Root CA in the Nokia E61 »
Sunday
Jun032007

Installation Root CA on Nokia E61 Made Easier

From this day on, you can install certificates from non-trusted CA's on your Symbian-based phone (like the Nokia E61) using this page euh.. this page.

UPDATE: it seems that most other phone brands and types work as well (the S40 based devices are left out... sorry).

All you need to do is make sure that the certificate is in the DER format. The webpage doesn't verify if the certificate is in the correct format. This is up to the uploader.

I created this page, because I work a lot with digital certificates, so I don't want to be bothered with the workaround described in the earlier post. The current version is quick-and-dirty (no error messages). I'll try to make it more user friendly in the next couple of days (like having the option of sending the URL to an e-mail address). Just make sure that you obey the guidelines shown on the page, and all should go well.

Feel free to add a comment on how to improve this.

UPDATE: This works on (almost) every Symbian based (Nokia) phone. It has been tested with a couple of phones from the Nokia E and N series.

UPDATE 2: There is something else you need to consider when trying to add a certificate to your phone. Ideally, an SSL certificate is issued by a Certificate Authority. You can verify this by comparing the 'issued by' and issued to' filed in the certificate. If those are the same you've got a selfsigned SSL (or CA certificate). Those should work when you upload them. If these are different you need to get the CA that issued the SSL certificate.

If the issued by and issued to field are different it means that this is NOT a ROOT CA certificate or self-signed certificate.

References (2)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Reader Comments (105)

Like many people I have spent ages tring to get my E61 to work with my Exchange Server. I originally managed it about 6 months ago but had to reconfigure the server, since when I get nagged about the untrusted cert error. I have tried turning off SSL on the phone but this only works for a few hours before it fails to sync.

I have tried your method but it although the cert seems to install it doesn't resolve the error.

Any more help as to what certificate I should be submitting very greatfully accepted...

Currently my server is configure with the Wizard in Small Business Server 2003 as mail.MYDOMAIN.co.uk but when I submit a cert (exported from entering https://mail.MYDOMAIN.co.uk/Exchange and clicking on the padlock in IE) It shows up as a cert called MYSERVER.MYDOMAIN.co.uk which I assume is where things are going wrong...

June 24, 2007 | Unregistered Commenterderek

Hi Derek,


your assumption is right. The 'Common Name' in the certificate doesn't match the URL (the first part). This will always show a warning. The problem is that the Nokia browser isn't very clear on that.


The only proper way to correct this is to get a new certificate for the right URL. So you need a certificate for mail.MYDOMAIN.co.uk.

I don't know if you have a commercial certificate or a so-called self-signed certificate. My guess is that you have a self signed certificate at the moment, since it's called MYSERVER.etc. Create a new one and import it and all should be working again without annoying warnings.


Hope this helps.


B.t.w. it's possible to have more than 1 certificate on the server, so there's no need to remove the other one. You can still use that one for other purposes (if you have any). Just 'bind' the new one to the website which servers the OWA interface.

June 24, 2007 | Unregistered CommenterWillem

Thanks for the reply. It's more than I got from Nokia.....

I have tried to do what you say and after running the Internet and Email wizard in Small Business Server 2003 I have created a new certificate in the name of mail.MYDOMAIN.co.uk (using the domain I give in my email address). This seems to work for my email on a pc without error but when I login to https://mail.MYDOMAIN.co.uk/exchange on a pc I export a cert using the der option which gives me a .cer file. I then run it through your online tool and access it via a browser on my Nokia where it installs. However, the certificate problem still pops up everytime...

This is a real pain.... Do you have any idea's what I can be doing wrong?

June 26, 2007 | Unregistered Commenterderek

Hi Derek,

I think I found your problem. Your certificate is signed by a CA. You need to export the CA certificate and import that one on your phone. I checked the logs on my server and you've uploaded the certificate for the mail server. You should have used the issuing CA.

The best way of accomplishing this is to open the certificate on your server. Check the tab 'Certification Path'. This should show a chain of certificates.
Double-click the top one (that's the issuing CA). Open the details tab on the newly openend certificate window and click the 'copy to file' button to export it in the DER based format.
Upload that certificate, and import it on your phone.

The reason for receiving errors is that the Nokia validates the certificate. It sees that the certificate (with the correct DNS / Common Name in the subject field) is issued by a CA (your root CA), but it has no knowledge of this CA. That's what is causing the error/warning.
I guess that the small business server does some thing in the background when using certificates. Just to offload the burden on the certificate creation/maintenance process.

June 26, 2007 | Unregistered CommenterWillem

I must be doing something wrong here...

Here's what I do...

Open IE on server. Type in https://mail.MYDOMAIN.co.uk/exchange
Click on padlock to open cert
Click on Certification Path
I am then shown a cert saying mail.MYDOMAIN.co.uk in the top box and "this certificate is ok" in the bottom (status) box. This is the only cert shown and I can't open it by doubleclicking on it..

Your help is very much appreciated...

dc

June 26, 2007 | Unregistered Commenterderek

My last post seems to have gone walkabout..

This is what I have just tried..

I opened IE and entered https://mail.MYDOMAIN.co.uk/exchange
Clicked on the padlock and then the certification path tab.

This tab just has "mail.MYDOMAIN.co.uk" in the top (path) box and "this certificate is ok" in the lower status box.

I can't double click on this cert (or anything else).

I'm obviously doing something fundamentally wrong here. Any idea's what??

June 26, 2007 | Unregistered Commenterderek

Hello Derek,

When I examine the certificate, it shows 5 CN (Common Name) entries in the subject field. The last CN entry contains the proper name for the server. When I tried to import it into my Nokia, it shows the wrong Common Name. In fact it just displays the first Common Name. Since the displayed Common Name is different from the actual Fully Qualified Domain Name, it's quite logical that you receive an error that the certificate doesn't match the URL you're visiting.

I guess that the Nokia doesn't like the set of multiple Common Names in the subject field, and it just picks the first one it sees (the wrong one).

Normally a (Windows) certificate has a subject that contains the following entries:
CN=mail.domain.co.uk
DC=Domain
DC=co
DC=uk

or if you're using a 'normal' non MS certificate:
CN=mail.domain.co.uk
OU=organization unit
O=organisation

I don't know the certificate generation process of the MS SBS, but try if you can generate a certificate with only 1 CN (with the proper name). Alternatively, you may try to use OpenSSL to generate a selfsigned certificate. There are lot's of tutorials on that.

June 26, 2007 | Unregistered CommenterWillem

I've tried changing the common name to the fqdn but after I changed the server name in my Nokia settings to this fqdn it just won't snych. Are you sure this fqdn is right? It seems to end in .local which doesn't seem right to me..

dc

June 26, 2007 | Unregistered Commenterderek

I've had to go back to mail.domain.co.uk to get mail to work properly. I can either trust the cert manually each time (which is a pain) or turn off ssl on the phone which only works fitfully and obviously isn't an ideal situation..

Seems that I'm stumped...

dc

June 26, 2007 | Unregistered Commenterderek

Thanks for your email but it seems that my server must be messed up when it comes to certificates. I'll try and find a solution...

dc

June 27, 2007 | Unregistered Commenterderek

I have tried dealing with Godaddy.com but they refuse to accept emails from me for some bizarre reason or other. I think I will just use leave the SSL option turned off on the phone. As long as I turn it on first thing in the morning for the first sync and then turn it off again it seems to work fine for the rest of the day or as long as the phone is left on..

Not ideal but I'm fed up trying to sort this out.. Is there a way to turn off the ssl requirement on the server?

dc

June 28, 2007 | Unregistered Commenterderek

Hi Derek,
I have no idea on how to turn off the SSL requirement on the SBS. Guess you're left with google on that one.
B.t.w. strange that GoDaddy refuses your e-mail. You might be on a blacklist or something.

June 29, 2007 | Unregistered CommenterWillem

Success... I have finally managed to get the certificate trusted.

Here's how I got my Nokia to accept the certificate as trusted. It may not work for everybody but it worked for me and after the past week of messing about I am truly grateful for that...

Basically, I uninstalled then reinstalled Certificate Services through add/remove programs. I then followed the advice on this site (below), but only as far as requesting a cert through IIS Manager.

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

I followed the advice until this section (mainly because it wouldn't allow me to request a cert through IE on the server...)..

"Getting the Pending Request accepted by our Certificate Authority"

I then opened "certification authority" on the server (through administrative tools) and right clicked the cert authority which will have the same name as the cert you had just requested and selected properties. In my case, something like mail.mydomain.co.uk...

Under the General Tab I highlighted "certificate#0" in the CA Certificates box and clicked "view certificates".

This opens the cert and I then clicked the "details" tab and saved the cert to a location using the "copy to file" button.

Using the wizard I selected the first option "DER encoded binary x509(.cer) gave it a friendly name, saved it somewhere handy and closed the wizard.

I then copied the file onto a pc with the Nokia PC Suite installed and copied it to the documents folder (although any one will do). I guess you could bluetooth or email the cert as well..

I then browsed to it on the phone, clicked on it and it let me save it automatically into the certs folder. I restarted the phone, checked SSL was on and bingo the certificate was trusted and remains working today... You might have to delete an existing cert if you already have one installed as it won't let you overwrite it..

As I say, I can't say this will work for anybody else as I have probably fiddled around with the server so much it has gone west in some respects, but it works for me and that'll do for now...

dc

June 29, 2007 | Unregistered Commenterderek

There is a bit I left out when working through the exchange tutorial above...

When using the Certificate Services and entering a common name (mail.mydomain.com, say) change the box below (the distinguished name suffix) to...

DC=mydomain,DC=com

Then carry on as before...

This seems to give you 3 rather than 5 entries in the resulting certificate which seems to solve the problem...

dc

July 2, 2007 | Unregistered Commenterderek

Thanks a lot Willem. Your website helped me a lot. And finally I got to install the certificate on my Nokia E65. But still the are problems:

When i set the exchange server properties to my local exchange server (sample_exchange_server.domainname.local) & using my WLAN connection in my office ; emails are directly pushed to my mobile without any certifiacte problems. :grin:

The real problem arises is when I am out of office & I am using a gprs connection. In theese situation I set the exchange server to www.mycompanyname.com & connection to GPRS. I can get the emails pushed to my mobile, but every time I get this certificate authentication popup & I have to press continue now & then. This is really a pain & annoying.

The certificate issued by my OWA (www.mycompanyname.com/exchange) & my local exchange server (sample_exchange_server.domainname.local) are the same. In addition the certificate issued only has one root (no multiple roots).

It’s only me having this problem. My colleagues who have Windows Mobile PDA(Imate & O2) don’t have any crappy certificate issues ( this proves that our certificate is stable & has no problems). For your info mwe are using a SBS 2003 self signed certificate. We have implemented push email technology in over 5 companies using Imates (or a windows PDA device). Why Nokia has to be a pain.

I would be eagerly waiting for your feedback. Please help me out

Thanks a lot in advance

July 5, 2007 | Unregistered CommenterMuneer

Hi Muneer,


your comment ended up in the spam container, sorry about that.


let me see if I understand your challenge;

Your corporat OWA is accesible through your intranet using xyz.domain.local. The SAME OWA interface is also accesible through the internet by using whatever.domain.com.

Both interfaces use the same certificate. What is the common name in the certificate?

Is the certificate issued by the same certificate authority, or is it a selfsigned certificate?


So I could use a bit more info on this.


You may mail me directly by using willem @ [thiswebsite].com is you're reluctant to certain info with the rest of the world.


B.t.w. Microsoft devices tend to remember earlier settings made by the user, so if you accept the 'illegal' certificate once, it will problably accept it (silently) the next time.

July 11, 2007 | Unregistered CommenterWillem

Willem, I tried upload Equifax and Thawte certificaties at your http://www.redelijkheid.com/symcaimport/ - not work on my Series40 phone. Can you (or somebody) convert these certificaties from DER to WPKI hashed format? I will send it with email attachment...

July 13, 2007 | Unregistered CommenterDaniel

Hi Daniel,


pffff, no idea what the WPKI form exactly is, but I might give it a shot?


http://forum.nokia.com/main/resources/technologies/browsing/support/phone_security_faq.html has some suggestions. I'll try to incorporate them in my download page, so it supports S40 and S60 phones.

July 13, 2007 | Unregistered CommenterWillem

Willem,

I tried your changed import-site, but no work for me. Sorry. Obviously, result must be in WPKI format and server MIME type application/vnd.wap.hashed-certificate. Tnx for effort.

July 15, 2007 | Unregistered CommenterDaniel

Hi Daniel,


could you try it again? I made some modifications to the HTTP headers on the server. Don't think it will make much of a difference, but one can always hope.


B.t.w. there is a lack of information on the Internet about WPKI conversion.....

Anyone with more info about this?

July 15, 2007 | Unregistered CommenterWillem

Hi Willem.

I just want to thank you for your work. I used your site with my N73 Nokia phone. Everything is works now!

Thanks again!

Best,
Michał

August 24, 2007 | Unregistered CommenterMichal Bochenski

Would it be possible to get a copy of the perl/php or whatever code is driving the script on that page please? Would like to host a local copy for doing some of my certs if possible. I tried just setting the MIME-Type to application/x-509 or whatever was recommended by Nokia but couldn't figure it out in Exchange, I might play with Apache this afternoon but I thought it might be easier to just get the script ;)

PS: This page was very useful in getting my N95 to work, although it took me a while as there are lots of bits and pieces with lots of misinformation all over the net. I'm writing up a full howto on how to configure MS Certificate Services and the process to get this to work with the N95s now... Don't have anywhere to publish it yet though.

September 10, 2007 | Unregistered CommenterChris

Hi Chris,

I used Coldfusion for those pages and I configured IIS to return the proper MIME setting to the browser.
If you want the coldfusion source code, I'd be more than happy to provide it. My e-mail address can be found on the 'About the Owner' page. We can discuss the other part by e-mail if you like.

September 10, 2007 | Unregistered CommenterWillem

Guys,

maybe the dumbest question of the day...but is there a way to edit a certificate ?

Mine has extra CN= lines in the subject field and i have no idea how to remove this....

Ideas?

September 11, 2007 | Unregistered Commenterme

Derek @ June 29th, 2007 at 1:28 pm had a similar problem. He solved it by reinstalling the certificate services etc. Have you tried his http://www.redelijkheid.com/index.php/2007/06/03/installation-root-ca-on-nokia-e61-made-easier/#comment-608" rel="nofollow">solution?

September 11, 2007 | Unregistered CommenterWillem

Hi willem, thanks for the solutions. I ve been messing a couple weeks just to get the certificate installed on nokia devices. It realy help me out that ur page do the work for me, and it works like a charm, thanks so much...btw, can i implement the script on my server (with credit for you :wink::wink: for sure ) thanks in advance.

September 15, 2007 | Unregistered CommenterOthman suseno

Hi Othman,

I made the files available for everyone (I had several requests in the last week). You may download them http://www.redelijkheid.com/index.php/2007/09/15/symcaimport-available-for-download/" rel="nofollow">here.

September 15, 2007 | Unregistered CommenterWillem

Many thanks for this tool which has solved our problem with the Nokia E65. Really appreciated. From Linda in South Africa

October 22, 2007 | Unregistered CommenterLinda

Does anyone know whether it is possible to export a CA certificate from a Nokia E61? Thanks.

November 5, 2007 | Unregistered CommenterGreg

Hi Greg, as far as I know there's no export function available.
Commercial root CA's must be available for download at the CA's website (e.g. https://www.verisign.com/repository).

November 6, 2007 | Unregistered CommenterWillem

Can the tool also convert from X.509 DER to WPKI? I have a Nokia 6021 which only supports WPKI.

November 15, 2007 | Unregistered CommenterFilip

I'm afraid not. I still haven't figured out on how to convert the formats. Sorry

November 15, 2007 | Unregistered CommenterWillem

Nokia N95 8GB certificate import.
I used this page and apparently successfull.
I´m puzzled though. When I look at the certifikate before I upload it. it shows the url I use for webaccess and Outlook using RPC over https. Bur when I look at the certificate on the phone, it shows the local name of my server with domain name. !?
Still M4E does not work but says system error, try again later.
What to do the ?

December 5, 2007 | Unregistered CommenterClaus

Hello Claus,

the SSL certificates that are generated for Outlook stuff contains multiple Common Names 'CN' or additional 'Subject Alternative Names'. Apparently, the Nokia interface only shows one. My guess it's the first. Just open the certificate on a windows platform and take a look at the details.

no idea what you mean by 'M4E' though.

December 6, 2007 | Unregistered CommenterWillem

Hello Willem,

I found your website the most useful one (and I visited a lot to this issue), but when I use your service and try to download the changed Certificate from your urls, my Nokia E51 (s60 3rd) says "dateifehler" (Fileerror) and it the import into the certificate store fails. It doesn't matter if you use a der or cer ending. Nothing of those worked. Perhaps you will see it in the logs called cfs.cer or cfs.der. It is a self signed certificate, which works fine on Windows Mobile our admin says.

December 11, 2007 | Unregistered CommenterMatthias

Thanks for this great tool!

Made getting my phone and clients phones working with Exchange a breeze!

Cheers and Merry Xmas,

Greg Lipschitz
Summit IT Management
Melbourne, AU

December 15, 2007 | Unregistered CommenterGreg Lipschitz

Thank you very much for your perfect tool! Incredible how many people lose so much time with bad software and arrogant companies - and how easily it could be saved. Thank you again and good luck for 2008! Hilko

January 2, 2008 | Unregistered CommenterHilko

It is painful to pay for the midlet to sign? Why should we pay it? It is my phone, if I want to install some application that I developed, why should I pay Verisign money!!! And also I hate the operators that disabled the J2ME API. Why? Because some API be disbaled onpurpose by the operator, like AT&T. Fox eample, nokia phone model 6085, when release in other country you can access getSnapshot() while in US you can't. Why the AT&T or cingular disable the getSnapshot API. It is my phone and I as the owener of the mobile phone, should control the phone myself. Agree?

Willerm,
We definetely hope your tool can solve the S40 problem. I have Nokia 6085. From what I read on Internet, it requires WPKI format.

January 6, 2008 | Unregistered Commenterdrhu

Hi drhu,

it is possible to get a symbian developer kit to sign your own applets. Problem is that the app only works on your own phone (it's EMEI number dependent). I played around with it with some apps and it works fine. So the VeriSign or other commercial CA certs are only required if you go commercial with your app.
In the meanwhile I'll fool around with the WPKI format. There are some commercial tools around which can do the conversion, but since I'm dutch..... I refuse to pay, and will find a way around it :)

January 6, 2008 | Unregistered CommenterWillem

Hi Willem, Would you please more specific how to enabled my nokia 6085 phone have the access getSanpshot()?

January 6, 2008 | Unregistered Commenterdrhu

Download for S40

You may use the following link to download your uploaded certificate (ca.cer) on your phone:

http://www.redelijkheid.com/symcaimport/ca/h3k88ec8.cer

Mail the URL

NOTE: Please verify the certificate details (e.g. the fingerprint) to make sure you install the correct certificate.
Installing the wrong CA might render you vulnerable to man-in-the-middle attacks.

Process another certificate or back to the blog

++++++++++++
when I download the above link on my phone, it says "The requested page can not be displayed"

January 6, 2008 | Unregistered Commenterdrhu

I uploading my cert file, and tried to access. When I try to save, I am told the "New certificate might me unsecure. Save anyway?", and then told "Certificate already existst".

however, when ever I try and snyc, I am told "Untrusted Certifiate received from server. Please contact you system admin"

Am I missing a step here?

January 10, 2008 | Unregistered CommenterDanny

I got it working: I had to get the intermediate certificate installed on my phone.

January 10, 2008 | Unregistered CommenterDanny

Hi dhru,
It doesn't surprise me that the S40 phones aren't working. The technique I used was purely theoretical. However, there's some light on the horizon. I asked a friend to write a WPKI converter which I can implement in the download tool.
Downside is that there's not much info on the subject, so it might take a while.

January 10, 2008 | Unregistered CommenterWillem

Just wanted to trop u a line.. Been working on cert issues via activesync on my N95 but now after 3-4 months of no SSL connection I finally got it :)

Thanks a bunch

February 11, 2008 | Unregistered CommenterJon

Hello!

I want to say BIG thanks to derek (and of course to Willem).

derek, I followed your instructions and I finally have my certificate trusted from my Nokia E51/E90. I am using SBS2003 too.

I was simply bored trying to manage this to work and I was using Road Sync (which can work without certificate) instead built-in Nokia's Mail for Exchange.

THANKS, THANKS!!! :D

February 18, 2008 | Unregistered CommenterIgnacio

Hi,

Have a similar problem with import certificates. Except when i download the file from the web my phone keep saying "File Corrupt".

I have tried using your web solution and also uploading files to my own web space and setting the MIME types. Both ways i get the same result.

Anyone have any idea why its say corrupt?

Thanks
Brian

March 4, 2008 | Unregistered CommenterBrian

After scanning through support FAQ, nokia's site I eventually foudn your free service, worked like a charm on the Nokia N82! Thanks, my paypal account needs certification otherwise I would have donated, will donate as soo as mine is up and running. Nokia owe you BIG!

March 5, 2008 | Unregistered CommenterWarren

Here is my dilemma...

I am running my own server with a self signed ssl certificate for the exchange server. Any way to import the ssl certificate (either through my IIS or this web site) gives me the error "FILE CORRUPTED" . I know the file is fine since I imported it into a WM6 device OTA via IE and IIS without any problems. What am I doing wrong?

April 5, 2008 | Unregistered Commenteronur

Make sure that the certificate format is in http://www.google.nl/search?hl=nl&newwindow=1&safe=off&q=export+certificate+in+der+format&btnG=Zoeken&meta=" target="_blank" rel="nofollow">DER format (binary) and not in the readable BASE64 format.

April 6, 2008 | Unregistered CommenterWillem

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>