Creating Self-signed Symbian OS Certificates
Introduction
This short note describes the steps required to create a self-signed certificate for signing Symbian OS packages.
In short, the steps are the following:
1. Creating the certificate
2. Converting the certificate
3. Installing the certificate
4. Signing the installation package
The rest of this note describes each of the steps in more detail. The discussion assumes that the 9210 SDK has been installed, and paths set up properly.
Creating the Certificate
The certificate and its corresponding private key can be created with the following command:
makekeys -cert -dname "CN=Your Name EM=email@address CO=XX" filename.key filename.cer
The placeholder values in the command (Your Name, email@address, XX and filename) should be replaced with your own values. The dname (distinguished name) parameter string can also contain other values; see the makekeys help for more information. makekeys will prompt you to enter a passphrase for the key; using one is highly recommended.
Important note: QuickEdit mode must be disabled in the shell window, otherwise random data gathering won't work.
Converting the Certificate
For some reason, makekeys creates certificate files that the 9210 certificate manager software cannot read. To work around this, the certificate must be converted to a suitable file format. This is possible using the built-in certificate management tools in Windows 2000 or XP. The following steps are needed:
1. Open the newly generated certificate file by double-clicking it in Explorer.
2. Click "Install Certificate" and follow the instructions, using default settings.
3. Open "Internet Options" from Control Panel, select the "Content" tab, and click on "Certificates...".
4. Locate the new certificate in the "Trusted Root Certification Authorities" tab. If you used non-default options when installing the certificate, it may be visible in one of the other tabs.
5. Select the new certificate and click "Export...". Follow the Certificate Export Wizard's instructions, and select "DER encoded binary X.509 (CER)" as the export format. Enter a new file name.
The resulting certificate from these steps can be installed on a 9210 communicator. Note that you should retain the original file too, since it can be useful with other SDK tools.
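One way to confirm, before transferring the file, that the export really produced DER-encoded binary and not the wizard's Base-64 text format (added example, not part of the original note or the SDK). It checks only the outer ASN.1 layout of an X.509 certificate (a SEQUENCE holding SEQUENCE, SEQUENCE, BIT STRING); the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, start, end) of its content."""
    tag, first = buf[pos], buf[pos + 1]     # IndexError here means a truncated header
    pos += 2
    if first < 0x80:                        # short form: the length is this byte
        length = first
    else:                                   # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of data")
    return tag, pos, pos + length

def looks_like_x509(der):
    """True if der is exactly one SEQUENCE holding SEQUENCE, SEQUENCE, BIT STRING."""
    try:
        tag, pos, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):  # wrong outer type, or trailing bytes
            return False
        tags = []
        while pos < end:                    # walk the top-level children
            t, _, pos = read_tlv(der, pos)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03]   # tbsCertificate, algorithm, signature
    except (ValueError, IndexError):
        return False

def classify_cert(data):
    """Return 'der', 'pem' (Base-64 text) or 'unknown' for a certificate file's bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if not m:
        return "der" if looks_like_x509(data) else "unknown"
    try:
        inner = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:
        return "unknown"
    return "pem" if looks_like_x509(inner) else "unknown"

# Constructed sample with a certificate-shaped layout (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x53\x30\x81\xc8" + bytes(200) + b"\x30\x02\x05\x00\x03\x81\x81" + bytes(129)
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
```

To check a real export, pass the file's bytes, for example `classify_cert(open("exported.cer", "rb").read())`, where the file name is a placeholder; only a result of 'der' matches the export format selected in step 5.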
Installing the Certificate
Because the certificate is self-signed, the device will not trust it by default. To install the certificate on the device and set it trusted for software installation, follow these steps:
1. Transfer the file to the device normally, and save it to a known location.
2. Open the Certificate manager from the communicator's Control panel.
3. Select "Add" and choose the file. This installs the certificate.
4. Select the newly installed certificate from the list, select "View details", select "Trust settings" and enable "Software installation".
After this process the Communicator will accept installation packages signed using the new certificate.
Signing the Installation Packages
Finally, to make use of the new certificate, installation packages must be signed using the corresponding private key. This process is documented in the SDK, but, briefly, the steps are the following:
1. Copy the original key and certificate files created by makekeys to a known location. In this example, the files are assumed to be at c:\home\user\keys\filename.key and c:\home\user\keys\filename.cer.
2. Add the following line to the installation package file (project.pkg):
*"c:\home\user\keys\filename.key","c:\home\user\keys\filename.cer"
3. Create the installation package normally. If you set a passphrase for the key, makesis will prompt you for it.