Using your self signed certs on Orange phones

Installing SSL Certificates in Windows Mobile 5.0 devices

Orange has developed a solution to allow members of Orange Partner to install their own SSL certificate onto Microsoft handsets without unlocking the phone.

Why?

We recently released new versions of software for some of our Microsoft handsets C600, M3000 and M5000 that enable "push" email from Microsoft Exchange servers. This email service uses SSL certification which means that the server and the handset must have matching certificates or key pairs so they know they are allowed to communicate with each other. The handset has a public key and the server has a private key.

SSL certification can be achieved one of two ways. You can either:

Buy an SSL certificate from a recognised supplier (e.g. VeriSign, Thawte, Equifax) and install it onto the Microsoft Exchange email server (recommended solution). Install your own certificate (self created) onto the server and handsets.

However, installing your own certificate on the handset is not an option without either having a privileged application installed, or having your device unlocked.

the solution?

We will create a privileged application that will install the certificate on the handset for you.

Just create a file called _setup.xml and send it to Orange Partner. The XML should have the following format.

<wap-provisioningdoc> <characteristic type="CertificateStore"> <characteristic type="ROOT" > <characteristic type="THUMBPRINT"> <parm name="EncodedCertificate" value=" CERTIFICATE VALUE"/> </characteristic> </characteristic> </characteristic> </wap-provisioningdoc>

Orange Partner will then use this file to create a CAB file that will install the certificate.

The value of THUMBPRINT can be found by opening up the certificate. If the certificate is installed on the PC then it can be found by going to Internet Options, Content, Certificates and selecting the Trusted Root Certification Authorities tab.

Click on view then go to the details tab. Find the thumbprint of the certificate, highlight it and copy it.

Paste it into the XML to replace THUMPRINT and remove the spaces between the hex pairs.

To find the CERTIFICATE VALUE export the Certificate in Base-64 format.

Now open up the exported certificate using notepad

Copy the certificate details and paste into the XML to replace CERTIFICATE VALUE. In the example above it would be the details from MIICk.. to wlklv.

A completed _setup.xml would look something like this.

<wap-provisioningdoc> <characteristic type="CertificateStore"> <characteristic type="ROOT" > <characteristic type="7e78de1f16d47b440cad4a101c8265cc290a1945"> <parm name="EncodedCertificate" value="MIICkDCCAfmgAwIBAgIBATAN

BgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVUzEcUdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQytd4zjTov2/KaelpzmKNc6fuKcxtc58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORROhI8bIpaVIRw28HFkM9yRcuoWcDNM50/MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1aWZheCBTo5brhTMhHD4ePmBudpxnhcXIw2ECAwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1draGwwHQYDVR0OBBYEFL6ooHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUA ZWN1cmUgR2xvYmFsIGVC

dXNpbmVzcyBDQS0xMB4X

DTk5MDYyMTA0MDAwMFo

XDTIwMDYyMTA0MDAwMF

owWjELMAkGA1UEBhMCV

VMxHDAaBgNVBAoTE0Vxd

WlmYXggU2VjdXJlIEluYy4x

LTArBgNVBAMTJEVxdWlm

YXggU2VjdXJlIEdsb2JhbC

BlQnVzaW5lc3MgQ0EtMT

CBnzANBgkqhkiG9w0BAQE

FAAOBjQAwgYkCgYEAuuc

XkAJlsTRVPEnCA4GBAD

DiAVGqx+pf2rnQZQ8w1j7

aDRRJbpGTJxQx78T3LU

X47Me/okENI7SS+RkAZ7

0Br83gcfxaz2TE4JaY0KN

A4gGK7ycH8WUBikQtBm

V1UsCGECAhX2xrD2yuC

Ryv8qIYNMR1pHMc8Y3c

7635s3a0kr/clRAevsvIO1q

EYBlWlKlV"/> </characteristic> </characteristic> </characteristic> </wap-provisioningdoc>

The completed file, _setup.xml, should be emailed to developers@orange.com. The email should have the subject SSL Certificate Install and include the attached file and your Orange Partner username.

Thanks to this Microsoft Blog entry for details on how to create this XML code.http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx