This site has sent an untrusted certificate warning on S60

If you have a mail server that uses SSL with a self-signed certificate and you access it from an S60 device, you are familiar with the annoying "This site has sent an untrusted certificate. Continue anyway?" warning that pops up every time you connect. You can eliminate the warning by creating your own certificate authority (CA), installing the CA certificate on the phone as a trusted root, and using the CA to sign your mail server's certificate. The phone then trusts anything the CA signs, so the server certificate can be renewed later without touching the phone again.

This procedure was developed on openSUSE Linux 10.3 with OpenSSL 0.9.8e, using Postfix 2.4.5 for SMTP and Dovecot 1.0.7 for IMAP, with both Postfix and Dovecot using SSL. The S60 certificate was tested on a Nokia N95, N80, and N75.

  1. Create the certificate authority (CA):
    1. Create a directory for the CA.
    2. Download the Makefile and openssl.cnf into your CA directory. These are from the now-defunct sial.org; they may still be available from novosial.org.
    3. Edit openssl.cnf and set commonName, stateOrProvinceName, localityName, 0.organizationName, and emailAddress for your site. Check the comments in the Makefile for tweaks that may be necessary for your version of OpenSSL.
    4. Run:
      make init
      This creates the CA private key, the CA certificate, and various other files and directories. The CA private key is what makes the phone trust everything you sign with it, so keep it readable only by root and do not copy it anywhere else.

  2. Convert the CA certificate for S60. The certificate created in the previous step is in PEM format; S60 only accepts DER. Convert it with this command:
    openssl x509 -in ca-cert.pem -inform PEM -out ca-cert.crt -outform DER
  3. Transfer the DER certificate (ca-cert.crt) to your phone and install it. You may get a "certificate not valid yet" warning while installing it, but this doesn't seem to cause any problems. It appears to be related to the way the phone interprets the time zone of the certificate's start date: the phone's clock can be a few hours behind the notBefore time of a certificate that was created the same day.

  4. Create a certificate for your mail server:
    1. Generate a private host key:
      openssl genrsa -out host.key 1024
      1024-bit RSA was typical in 2007; it is no longer considered adequate, so use at least 2048 bits today.
    2. Generate a certificate signing request (CSR):
      openssl req -new -nodes -days 1825 -key host.key -out host.name.com.csr
      Replace host.name.com with your server's fully-qualified domain name. When prompted for the X.509 Common Name attribute, enter the fully-qualified domain name of the server the certificate will be used on; this is the name the phone compares against the server it connected to, so it must match exactly. -nodes leaves the private key unencrypted, which is what an unattended daemon needs in order to start without a passphrase. Note that -days has no effect here (openssl req only honours it together with -x509); the certificate's validity period is set when the CA signs the request in the next step. This step uses /etc/ssl/openssl.cnf for the configuration file, so you may want to edit its defaults.
    3. Sign the CSR with your certificate authority:
      make sign
      make sign picks up all the .csr files in the directory and generates .cert files for them. You now have your server certificate in host.name.com.cert.
    4. Install the server certificate. host.name.com.cert goes in /etc/ssl/certs, renamed after the daemon that will use it: for Dovecot it becomes dovecot.pem, for Postfix smtpd.pem. (The names are only a convention; each daemon's configuration points at whatever path you choose.) The same certificate can be used for more than one daemon. The private key host.key can be installed in /etc/ssl/private under the same naming convention, or concatenated with host.name.com.cert into a single file in /etc/ssl/certs. Postfix wants the latter scheme (smtpd_tls_key_file defaults to the value of smtpd_tls_cert_file, so one combined file serves as both), while Dovecot 1.0 wants the former (ssl_cert_file and ssl_key_file). Either way, any file that contains the private key must be readable only by root: chmod 600 the combined smtpd.pem even though it lives in /etc/ssl/certs, and likewise the key copy in /etc/ssl/private.
      cat host.key host.name.com.cert > /etc/ssl/certs/smtpd.pem
      cp host.key /etc/ssl/private/dovecot.pem
      cp host.name.com.cert /etc/ssl/certs/dovecot.pem
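The whole procedure as one script, using plain openssl commands instead of the sial.org Makefile. This is an added example, not the page author's files or configuration: the working directory, the subject strings and mail.example.com are assumptions, and the key sizes are raised to 2048 bits. It also adds two things the steps above leave out: a subjectAltName on the server certificate (which clients check instead of the Common Name) and a verification of the chain and hostname before anything is installed.

```shell
#!/bin/sh
# Added example (not from the original page): a plain-openssl version of the
# CA + server-certificate procedure.  It creates a private CA, converts the CA
# certificate to DER for the phone, signs a server certificate that carries a
# subjectAltName, installs the files in the Postfix/Dovecot layout from step 4
# with restrictive permissions, and verifies the result.  Requires the openssl
# command-line tool.  Directory, subject strings and hostname are assumptions.

# make_mail_certs WORKDIR FQDN
# On success WORKDIR holds ca.key, ca.pem (CA cert, PEM), ca.crt (CA cert,
# DER, for the phone), host.key, host.cert, and an install tree
# WORKDIR/etc/ssl/{certs,private}.  Returns 0 on success, 1 on the first
# failing step.
make_mail_certs() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir/etc/ssl/certs" "$dir/etc/ssl/private" || return 1

    # 1. The CA: private key plus a self-signed CA certificate (10 years).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -nodes -sha256 -days 3650 \
        -key "$dir/ca.key" \
        -subj "/O=Example Mail/CN=Example Mail Private CA" \
        -out "$dir/ca.pem" || return 1

    # 2. DER copy of the CA certificate; S60 does not accept PEM.
    openssl x509 -in "$dir/ca.pem" -inform PEM \
        -out "$dir/ca.crt" -outform DER || return 1

    # 3. Server key and CSR.  The CN is the FQDN the phone connects to.
    openssl genrsa -out "$dir/host.key" 2048 2>/dev/null || return 1
    openssl req -new -nodes -key "$dir/host.key" \
        -subj "/O=Example Mail/CN=$fqdn" \
        -out "$dir/host.csr" || return 1

    # 4. Sign with the CA.  The extension file marks the result as an
    #    end-entity (not CA) certificate for TLS servers and adds the
    #    subjectAltName that modern clients match the hostname against.
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$fqdn" > "$dir/host.ext" || return 1
    openssl x509 -req -sha256 -days 825 \
        -in "$dir/host.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/host.ext" \
        -out "$dir/host.cert" 2>/dev/null || return 1

    # 5. Install.  Postfix: key and cert in one file; Dovecot: separate files.
    #    Every file that contains the private key is made root-only.
    cat "$dir/host.key" "$dir/host.cert" > "$dir/etc/ssl/certs/smtpd.pem" || return 1
    cp "$dir/host.key" "$dir/etc/ssl/private/dovecot.pem" || return 1
    cp "$dir/host.cert" "$dir/etc/ssl/certs/dovecot.pem" || return 1
    chmod 600 "$dir/etc/ssl/certs/smtpd.pem" "$dir/etc/ssl/private/dovecot.pem" \
              "$dir/host.key" "$dir/ca.key" || return 1

    # 6. Check before deploying: the server certificate chains to the CA and
    #    matches the hostname, and the DER copy is a parseable certificate.
    openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$fqdn" \
        "$dir/host.cert" >/dev/null || return 1
    openssl x509 -in "$dir/ca.crt" -inform DER -noout -subject >/dev/null || return 1
}

# Stand-alone usage:
#   make_mail_certs /tmp/mailca mail.example.com && echo "certificates ready"
```

After a run, ca.crt is the file to transfer to the phone, and the etc/ssl tree can be copied onto the server as root, preserving the 600 modes. The final openssl verify step is the same check the phone performs, so a failure there (wrong CA file, hostname mismatch, clock outside the validity window) is worth fixing before touching the phone; this variant assumes OpenSSL 1.1.0 or later for the -verify_hostname option.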

Copyright © 2007 John Temples (s60 at xargs dot com)