MCL/sf/os/security: cryptomgmtlibs/securitydocs/building-certstore.txt@eb9b28acd381 (annotated)

8 35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	1	Title: Building Certificate Store
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	2	Owner: Gleb Dolgich
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	3	Contributors: Xavier Leclercq, Gleb Dolgich
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	4	Copyright (C) 2003 Symbian Limited. All rights reserved.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	5	================================================================================
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	6
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	7	Purpose
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	8	-------
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	9
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	10	This document describes how to build CACerts.dat (certificate store) and
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	11	certclients.dat (certificate client applications) files. These files are stored
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	12	on a device in c:\system\data\ directory. They are necessary for Software
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	13	Install and SSL/TLS.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	14
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	15	Certificates and trusters
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	16	-------------------------
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	17
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	18	Every certificate stored in CACerts.dat has a set of UIDs associated with it,
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	19	each UID marking the certificate as good for a particular purpose (application).
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	20	Currently the following applications/UIDs are defined:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	21
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	22	- SW Install (268452523, or 0x100042AB)--certificate is suitable for software
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	23	install (SIS files);
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	24	- SW Install OCSP Signing (268478646, or 0x1000A8B6)--certificate is suitable
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	25	for OCSP checking (SIS files);
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	26	- MIDlet Installation (270506792, or 0x101F9B28)--certificate is good for Java
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	27	MIDlet installation, which includes OCSP checking;
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	28	- Server Authentication (268441661, or 0x1000183D)--certificate is suitable for
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	29	SSL/TLS server authentication.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	30
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	31	These UIDs are stored in certclients.dat file. Once certclients.dat is in
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	32	c:\system\data on the device, the Certificates Control Panel applet allows
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	33	manual assignment of applications to each certificate.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	34
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	35	Files needed
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	36	------------
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	37
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	38	The following files are needed to build a certificate store:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	39
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	40	- T_CERTSTORE.EXE test harness, which is located in security/certman/tcertstore;
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	41	build it from security/certman/group;
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	42	- bldcertstore.txt: test script located in security/certman/tcertstore/scripts;
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	43	you can modify it depending on which certificates/applications you want
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	44	included in the store. This script is exported into device's
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	45	c:\tcertstore\scripts.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	46
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	47	The following certificates are used for running tests:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	48
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	49	- cacert.crt "TestCA"--SSL server CA certificate (self-signed)
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	50	- thawtetest.crt "Thawte Root"--SW Install certificate
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	51	- TOCSP-Root5-RSA.cer--SW Install and MIDlet Installation
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	52	- TOCSP-Signing5-RSA.cer--OCSP Signing
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	53
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	54	These certificates are copied into c:\tappinst\certs\ directory on the device.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	55
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	56	Building the store
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	57	------------------
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	58
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	59	To build a certificate store, perform the following steps:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	60
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	61	1. Build the T_CERTSTORE test harness and export test files for appinst and
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	62	certman.
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	63
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	64	2. Go to the appropriate build directory (udeb or urel) and run the following
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	65	command:
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	66
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	67	t_certstore c:\tcertman\scripts\bldcertstore.txt c:\bldcertstore.log
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	68
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	69	This will build c:\system\data\cacerts.dat and c:\system\data\certclients.dat
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	70	with test certificates. If you need to add your own certificates, modify the
35751d3474b7 Revision: 200935 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: 0 diff changeset	71	bldcertstore.txt script accordingly.

author	Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
	Fri, 12 Mar 2010 15:51:07 +0200
branch	RCL_3
changeset 42	eb9b28acd381
parent 8	35751d3474b7
permissions	-rw-r--r--