This site has sent an untrusted certificate warning on S60
If you have a mail server that uses SSL with a self-signed certificate that you access from an S60 device, you are familiar with the annoying "This site has sent an untrusted certificate. Continue anyway?" warning that pops up every time you connect. It is possible to eliminate this warning by creating your own certificate authority and using it to sign your mail server's certificates.
This procedure was developed on OpenSuSE Linux 10.3 with OpenSSL 0.9.8e,
using Postfix 2.4.5 for SMTP and Dovecot 1.0.7 for IMAP, with both
Postfix and Dovecot using SSL. The S60 certificate was tested on a
Nokia N95, N80, and N75.
- Create the certificate authority (CA):
  - Create a directory for the CA.
  - Download the Makefile and openssl.cnf from sial.org's OpenSSL pages to your CA directory.
  - Edit openssl.cnf and set up commonName, stateOrProvinceName, localityName, 0.organizationName, and emailAddress for your site. Check the comments in the Makefile for tweaks that may be necessary for your version of OpenSSL.
  - Run:
    make init
    This creates the CA certificate and various other files and directories.
- Convert the CA certificate for S60. The certificate created in the previous step is in PEM format; S60 only recognizes DER format. Convert to DER format with this command:
  openssl x509 -in ca-cert.pem -inform PEM -out ca-cert.crt -outform DER
- Transfer the certificate to your phone, using one of these methods:
  - Send the ca-cert.crt file with Bluetooth or IR. S60 Messaging will recognize the file as a certificate and offer to install it.
  - Copy ca-cert.crt to your phone's memory card and open it with File Manager, Y-Browser, or X-plore.
  - Place ca-cert.crt on a web server. The web server must provide the MIME type application/x-x509-ca-cert when the file is downloaded. The S60 browser will recognize this MIME type and offer to install the certificate. Opera Mobile 8.65 doesn't appear to recognize this MIME type.
  You may get a "certificate not valid yet" warning while installing the certificate, but this doesn't seem to cause any problems. It seems to be related to the way the phone interprets the time zone in the certificate.
- Create a certificate for your mail server:
  - Generate a private host key:
    openssl genrsa -out host.key 1024
  - Generate a certificate signing request (CSR):
    openssl req -new -nodes -days 1825 -key host.key -out host.name.com.csr
    Replace host.name.com with your server's fully-qualified domain name. When prompted for the x509 Common Name attribute, enter the fully-qualified domain name of the server the certificate will be used on. This step uses /etc/ssl/openssl.cnf as the configuration file, so you may want to edit its defaults.
  - Sign the CSR with your certificate authority:
    make sign
    make sign picks up all the .csr files in the directory and generates .cert files for them. You now have your server certificate in host.name.com.cert.
- Install the server certificate: host.name.com.cert goes in /etc/ssl/certs, renamed to the same name as the daemon process that will be using it. E.g., for Dovecot, it becomes dovecot.pem; for Postfix, it becomes smtpd.pem. The same certificate can be used for more than one daemon. The private host key file host.key may be installed in /etc/ssl/private using the same naming convention as above, or it may be combined with host.name.com.cert into a single file and placed in /etc/ssl/certs. Postfix seems to want this latter scheme, while Dovecot wants the former.
  cat host.key host.name.com.cert > /etc/ssl/certs/smtpd.pem
  cp host.key /etc/ssl/private/dovecot.pem
  cp host.name.com.cert /etc/ssl/certs/dovecot.pem
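The whole procedure above, as an added example that is not from the original page or from sial.org's Makefile: it builds a throwaway CA in a temporary directory, converts it to DER for the phone, issues a certificate for a hypothetical FQDN, and then runs the checks worth doing before copying anything into /etc/ssl. It signs with "openssl x509 -req" in place of "make sign", and the CA subject and the FQDN mail.example.test are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway CA in a temp
# directory, convert it to DER for S60, issue a server certificate for the
# hypothetical FQDN below, and check the result before anything is installed.
# Signing uses "openssl x509 -req" here instead of the sial.org "make sign".
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
WORK=$(mktemp -d)
CN="mail.example.test"   # hypothetical; use your server's fully-qualified name

# Self-signed CA key and certificate (what "make init" produced on the page)
make_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/O=Example Mail/CN=Example Mail CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}

# S60 only imports DER, so produce ca-cert.crt from the PEM
convert_ca_der() {
    openssl x509 -in "$WORK/ca-cert.pem" -inform PEM \
        -out "$WORK/ca-cert.crt" -outform DER
}

# Host key and CSR; -subj sets the Common Name to the FQDN non-interactively
make_csr() {
    openssl genrsa -out "$WORK/host.key" 2048 2>/dev/null
    openssl req -new -nodes -key "$WORK/host.key" -subj "/CN=$CN" -out "$WORK/$CN.csr"
}

# Sign the CSR with the CA; ca-cert.srl is created alongside on first use
sign_csr() {
    openssl x509 -req -in "$WORK/$CN.csr" -CA "$WORK/ca-cert.pem" \
        -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 1825 \
        -out "$WORK/$CN.cert" 2>/dev/null
}

# Checks: the server cert chains to the CA, its CN is the FQDN, and the DER
# copy is the same certificate as the PEM (identical fingerprint)
verify_chain() { openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/$CN.cert" >/dev/null; }
check_cn() { openssl x509 -in "$WORK/$CN.cert" -noout -subject | grep -q "CN *= *$CN"; }
check_der() {
    pem=$(openssl x509 -in "$WORK/ca-cert.pem" -noout -fingerprint)
    der=$(openssl x509 -in "$WORK/ca-cert.crt" -inform DER -noout -fingerprint)
    [ "$pem" = "$der" ]
}

build_all() {
    make_ca && convert_ca_der && make_csr && sign_csr \
        && verify_chain && check_cn && check_der
}
build_all && echo "CA, ca-cert.crt (DER) and $CN.cert are in $WORK"
```

The files land in the temporary directory printed at the end; install them with the cat/cp commands above once the checks pass.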
Copyright © 2007 John Temples (s60 at xargs dot com)