Importing an SSL client certificate and key - maemo.org

Lars | # 1 | 2009-12-13, 23:00 | Report

The certificate manager application installed on the N900 currently only supports viewing of installed certificates, but doesn't allow you to add or remove any certificates.

It took me a while to figure out how to import an X.509/SSL client certificate which is actually quite easy (I didn't find anything about this in the user guide). So I'm writing this in case other people have the same issue.

If the client certificate/key is already installed in your PC's browser, export it into a PKCS#12 file (.p12 file extension). Pick an appropriate password when exporting as this will be the one used on your N900 as well.
Copy the file to your N900, e.g., store in the Documents folder.
Open the File Manager and click on PKCS#12 file. This should start the import dialog: enter your password, select if you are importing the certificate for Web sites, email, or WLAN, and confirm the installation.

The client certificate and key should then be available (the same works for server certificates as well). You may need to restart an active browser or email application for the new certificate/key to be available.

The Certificate Manager application should now display your imported certificates.

Vote for the following bug to get the missing features added to the Certificate Manager:
https://bugs.maemo.org/show_bug.cgi?id=6738

cheers...
Lars

The Following 3 Users Say Thank You to Lars For This Useful Post:
altomkins, smage, sxc

sxc | # 2 | 2009-12-14, 22:11 | Report

brilliant, thank you so Lars!

I followed your clear instructions and that solved my issue with secure IMAP email. For those who may wonder how these certificates look like, here's an abbriged version of what I used:

Code:

(my ISP provided that). I simply saved that in a file called myserver.p12 and loaded it with the filemanager as suggested above & I was away!

The Following User Says Thank You to sxc For This Useful Post:
altomkins

Lars | # 3 | 2009-12-15, 01:54 | Report

Unfortunately I still have trouble with IMAP over SSL and using a client certificate. It works fine with accessing my company's Web sites using my client certificate, but accessing my work email still fails.

After configuring the account it just takes a few seconds until I get the error message that either the host name or port is wrong. Which isn't the case.

The Following User Says Thank You to Lars For This Useful Post:
altomkins

sxc | # 4 | 2009-12-15, 22:05 | Report

Sorry to hear that Lars. Could it be that you have a firewall issue - do you have any other device you can try this with (eg: an iPhone)?

darthjysky | # 5 | 2009-12-19, 21:41 | Report

As a CAcert user I need to install CAcert's root and class3 sertificates to all devices I use. I tried to install sertificates to N900 like I had used to do with S60 phones, as it appears N900's browser goes mad when I pressed hyperlink to .cert or .der file.

From the above I realized that filemanager might be the thing as Cert manager just happily shows what you got and browser does nothing clever. It looks like filemanager supports both PEM and DER formats of certs and installs them without much of a strugle.

I think that settnigs Certificate manager is misleading, as it really does nothing of management, but it's very good that certificates can be installed through file manager

altomkins | # 6 | 2010-01-02, 17:25 | Report

I am trying to install the attached SSL certificate, but it won't install, just displays its details. What's wrong?

I exported the certificate, from the website, as a DER file using my Firefox browser then used scp to copy it to my N900.

I clicked on it in the N900's File Manger and selected the Certificate Manager application, then it just displays the certificate details, with no option to install it.

I tried exactly the same steps with another certificate and it all worked as expected and gave me an install button.

Is it something wrong with the DER file (attached) or my N900?

Attached Files

mailhost2.gz (1.1 KB, 321 views)

ruskie | # 7 | 2010-01-02, 17:32 | Report

Might need to be a PEM file.

The Following User Says Thank You to ruskie For This Useful Post:
altomkins

altomkins | # 8 | 2010-01-02, 18:35 | Report

Its a DER file.

DER file works with the other site I tried.

Just tried it as a PEM file with chain and the same thing happens.

It just displays the details, no install button. But the PEM file for the other site I tried before also works... weird.

PEM file attached, if anyone wants to have a go and see if its just my N900.

Attached Files

mailhost2.pem.gz (1.5 KB, 315 views)

Last edited by altomkins; 2010-01-02 at 18:41.

altomkins | # 9 | 2010-01-03, 20:38 | Report

From the excellent Mail For Exchange (MfE) Heartbeat and FAQ;

"Keep in mind - self-signed certificate shall have "CA" field. Otherwise, N900 certificate manager will not allow to install it."

I guess my certificate has no CA (or a CA from an untrusted authority) and so it won't install and thus doesn't appear in the Certificates Manager... nothing I can do about it.

-------------------------

After I moaned my company bought an SSL certificate and it all works wonderfully and was so easy to set up.

Last edited by altomkins; 2010-01-06 at 14:42.

w0rkRB | # 10 | 2010-04-01, 12:31 | Report

I use CACert.org for my internal servers as well and was getting a BAD Signature error when sending via secure SMTP.

To fix the problem I simply installed the CACert root certificate on my N900 by downloading the Class 1 PKI Key in DER format from CACert.org by selecting "Save as" in MicroB and then opening it with file manager which prompted me to install it and gave me the options for it's use i.e. server, WLAN, or email ( I selected all three ).

Tested it by sending an email which went no problems without prompting about the certificates "BAD Signature".

Hope this info helps.

Cheers,

w0rkRB