Installing SSL certificates on Nokia S60 devices

Just something that might come in useful to some.

I found on my Nokia N80 that it throws up a lot of untrusted cert warnings when browsing some sites, and also when using Devicescape (neat app to log onto wireless hotspots and access points). It turns out I’m missing a root cert for GoDaddy, one of the lesser but popular (i.e. cheaper) signing authorities which a lot of sites use, including Devicescape (which is actually one of Nokia’s recommended Download! apps).

Nokia haven’t issued any sort of cert update pack, so it’s up to you to install the missing root certs. Rightly or wrongly, they make this difficult. It makes sense in ways to ensure you don’t go and install bad authority certs. However it also rules out a chunk of the net because they haven’t updated the root certs, and yet even Microsoft include GoDaddy certs.

Anyway, first port of call to install them is to get them from GoDaddy. They host their root certs at https://certs.godaddy.com/Repository.go.

Problem is, the N80 doesn’t recognise them properly. You need the DER format certs, so the gd-class2-root.cer certificate seems the most likely choice. Browse to this on the N80 however and you just get a text page containing the content. Try copying the cert to the phone and load it in the file manager app and it doesn’t recognise it.

Googling, there seem to be a number of options. A Nokia blog suggests the issue may be the MIME type when serving up the cert file.

The solution being to stick the DER format cert on a web server and have it issue the mime type application/x-x509-ca-cert. Having a suitable web server, I tried this and sure enough when browsing to the cert the N80 tries to install it as a cert, only to then say it’s corrupted.

A bit more surfing turned up a post here regarding the GoDaddy cert in particular, suggesting converting it to the right format like so…

openssl x509 -in gd-class2-root.cer -out cert.cer -outform DER

Sure enough, doing this (you need the openssl package to issue this command obviously), and browsing to the cert on the phone, the cert installed fine. Also you can probably transfer the file to the phone via cable/bluetooth/etc.

Another option is a service for uploading certs to a server which converts them to a suitable format for loading onto S60 devices: http://www.redelijkheid.com/symcaimport/. Although it didn’t work with the GoDaddy cert for me, but then maybe it needs the extra openssl conversion.

Anyway, now I have a GoDaddy root cert so a lot more of the net is trusted. Obviously though the security trust is down to how much I trust the root cert I downloaded and okayed it with the phone when installing it.

Now what we need is for Nokia to issue a root cert update pack (without having to buy a new phone).