Importing certificates on Symbian

eXTReMe Tracker

Last update: Oct 26, 2007

1.1 Introduction

Personal certificate installed on a Nokia deviceThe page that you are now reading describes how you can import root certificates and personal certificates on a Symbian S60 device. Personal certificates are often distributed in the form of a PKCS#12 file. PKCS#12 files contain a personal certificate and its corresponding private key, a root certificate and optionally a number of intermediate CA certificates. PKCS#12 files are stubbornly called "PFX" files by Microsoft. PFX was actually a predecessor to PKCS#12, as this PKCS#12 FAQ explains.

1.2 Author

The author of this document is Jacco de Leeuw (contact me). Corrections, additions, extra information etc. are much appreciated.

2. Contents

3 Importing certificates on Symbian

3.1 Overview

Symbian S60 devices ship with a certificate manager. Older devices such as those running S40 probably do not have a certificate manager. There are two certificate stores (tabs) in the S60 certificate manager: "Authority" and "Personal". The personal certificate store is initially empty, but the authority certificate store is populated with a number of root certificates of well-known CAs (Baltimore Cybertrust, Entrust, Equifax, Globalsign, GTE Cybertrust, Geotrust, Nokia, Thawte, Verisign and Valicert).

Personal certificates listed in the certificate manager can be used with a number of applications, including:

As far as I know, Symbian does not support secure e-mail standards such as S/MIME or PGP out of the box. You need third-party software for that. If you know any, contact me and I will list them here.

Many other Symbian applications (prefer to) implement their own support for certificates. I understand the following software do this:

Back to Contents

4 Importing a root certificate

If you import a personal certificate the associated root certificate is normally already included in the same file. In that case you don't have to import the root certificate seperately (skip to: "Importing a personal certificate").

There are several applications that require a root certificate but not a personal certificate. For example, you use an Exchange Server with a server certificate that was issued by your own CA and you want to connect to this server with Nokia's Mail for Exchange application.

Here is the procedure for importing a root certificate on a Symbian based device:

Back to Contents

5. Obtaining a personal certificate in a PKCS#12 certificate file

If the application that you want to use requires a personal certificate then you need to obtain a personal certificate and the corresponding private key. These are unique for every user. Usually you also need one or more CA (root or intermediate) certificates. These certificates are shared by all users. In many cases the certificates are issued by your organisation's CA and not by one of the "well-known" CAs such as Verisign or Thawte: using your own CA is less expensive and third-party CAs cannot be implicitly trusted for in-house applications such as VPNs.

In most cases the user credentials (private key plus certificates) are distributed in a PKCS#12 file. This file is handed to you by your system administrator. The PKCS#12 file is encrypted with a password, which is also supplied to you. Alternatively, if you already have a certificate with private key on your desktop (Windows) PC, you can export it from that PC to a PKCS#12 file. You will be asked to enter a password to protect the PKCS#12 file. If you have multiple PCs or PDAs, you actually do not have to request different certificates. You can import the same certificate to all these devices, if you want. In fact, if you obtained your certificate from a well-known CA such as Verisign, exporting to PKCS#12 is probably the only way to get this certificate installed on Pocket PC because these CAs only support desktop PCs for requesting certificates. Instructions for exporting your personal certificate from your browser (Internet Explorer, Mozilla or Netscape) to a PKCS#12 file can be found on this page (note: if you export from IE you should select the option "Include all certificates in the certification path if possible". This will add all intermediate certificates in the PKCS#12 file. This is required because Windows Mobile does not have the ability to automatically retrieve intermediate certificates from a server).

If you are a system administrator you need a CA to generate the keys and certificates for your users. You can for instance use OpenSSL (with or without front-ends such as OpenCA, TinyCA or IDX-PKI) or you could use Windows 2000/2003 Certificate Services.

Back to Contents

6. Importing a personal certificate

A personal certificate has an associated private key which also has to be installed (see "Public Key cryptography" for the basics on this). There are basically two methods of installing a personal certificate: certificate enrolment and certificate import.

Enrolling for a personal certificate can be done at websites of vendors such as Verisign and CAcert. You can also enrol at your own CA if you have one. Unfortunately, Symbian does not appear to support enrolling for a certificate. But what you can do is enrol at a desktop PC and export the personal certificate you get to a PKCS#12 file.

Here is the procedure for importing a personal certificate on a Symbian based device:

Back to Contents

7, Protecting the private key of your personal certificate

Once you have imported a personal certificate to your Symbian device, its associated private key is protected with a "phone key store" password. Every time the private key is used (for example, for authenticating to a website) you are prompted for this password. The password can be changed in Tools -> Settings -> Security -> Security Module. If you have not yet imported a personal certificate it will report "(no security modules)". Once you have imported a personal certificate you should see a "Phone key store". If you open it, you see the "Module PIN" key store. Open that one, and you see the options "Phone key store code", "Module PIN request" and "Status". You can change the phone key store password (or "code") by selecting the first option. For some reason I could not select the other two options. My Nokia device kept asking for the phone key store password when I used my personal certificate. This is a bit of a nuisance. I would preferred that it cached the password for some time, similar to what Mozilla Firefox and Thunderbird do.

Back to Contents

8. Web enrolment

Windows clients support web enrolment, an alternative to importing a certificate from a file. I do not know if Symbian support web enrolment. I suspect it does not.

Check out my other webpage for information on web enrolment in general.

Back to Contents

9. Web client authentication

As you probably know, webbrowsers can secure their connections with the SSL protocol. Most SSL websites use a server certificate to authenticate the server and  usernames and passwords for clients that wish to authenticate. The advantage is that this is easy to use. However, some websites (for instance, Internet banking sites) may require personal certificates instead because these are more secure than usernames and passwords.

The native webbrowser included with Symbian is Nokia's Web Browser for S60. This browser is based on Apple's WebKit, which is on its turn is based on KDE's KHTML.

If you would like to test client side certificate authentication with your Symbian device, you can obtain a free personal certificate from, install it on your Symbian device and use it to connect to the CAcert "Cert Login" website.

Here is the procedure for web client authentication with a personal certificate:
Symbian supports server certificates which contain a wildcard (e.g. * The CAcert website uses a wildcard certificate, for example. I do not know if Symbian can retrieve intermediate certificates if the (web)server does not send the chain of intermediate certificates on its own initiative.

Back to Contents


Some Symbian devices ship with built-in WiFi wireless network support. Examples are the Nokia E60/E61/E70/N95 and others. Wireless networks often need to be secured so that only authenticated users are allowed to use them. Home networks often use authentication based on a preshared key (similar to a password) but enterprise networks usually employ a more elaborate authentication framework based on the Extensible Authentication Protocol (EAP).

There is a large number of EAP authentication methods. Symbian supports several of these EAP methods out of the box: EAP-SIM, EAP-AKA, EAP-PEAP (Microsoft), EAP-TLS, EAP-TTLS (Funk) and EAP-LEAP (Cisco). However, I have read that their implementation is a bit lacking.

EAP-TLS requires the use of personal certificates. For the other protocols you do not need to import a personal certificate. Instead, you typically buy a server certificate from one of the "trusted" root certification authorities that are present in Symbian devices. Or, you would install your own CA certificate on your Symbian device. In the latter case you would save some money, but it may turn out to be a bit of a hassle if you have a large number of Symbian clients.

EAP-TLS is more secure than PEAP et al. because it uses certificates for both user and server authentication. Plus, EAP-TLS is supported by many vendors and ratified by the IETF in RFC 2716, whereas the other proposed EAP standards are currently still in draft phase. Therefore EAP-TLS is often used by enterprises with strong security requirements. The drawback of EAPl-TLS is that personal certificates are more difficult to distribute and manage than passwords or PSKs.

Here is the procedure for configuring EAP-TLS authentication with a personal certificate:
Personal certificates that are used in EAP-TLS should probably contain the "Client Authentication" Extended Key Usage purpose (EKU), which has the value "". This is the case for Windows clients and it might also be the case for Symbian clients as well.

Back to Contents

11. Certificates and

Nokia has released an Exchange client for E-series phones and a number of N-series phones. Apparently they have licensed the ActiveSync protocol from Microsoft. "Mail for Exchange" can be downloaded here.

Connections between this client and Exchange can be secured with SSL. In fact, the use of SSL is highly recommended when clients connect over a hostile network such as the Internet. As with any other SSL server, this requires a server certificate to be installed on the IIS / Exchange server. The server presents this server certificate to authenticate itself to clients. You may need to install the root certificate of your CA on the Symbian device, if it is not already there. Then the clients authenticate to the server.

On SSL webservers, there are two options for client authentication: basic authentication (usernames/passwords) and certificate based authentication (personal certificates). Personal certificates provides stronger authentication than usernames and passwords. But usernames and passwords are probably easier to use. Nokia's "Mail for Exchange" client supports authentication with usernames/passwords but it does seem to support personal certificates.

If you don't want to install a root certificate, there is an option "Secure connection" that you could set to "no". This will disable SSL encryption on the Nokia Mail for Exchange client. But it is only recommended to do this when you are testing over a secure network, e.g. on your own LAN! Windows Mobile has another option which does use SSL encryption but without verification of the server certificate. The Nokia client does not support this option, which is probably for the best because it only seems to confuse people into thinking that it is secure.

Back to Contents

12. Acknowledgements and disclaimers

This page shows screenshots of a device resembling a Nokia device but this does not necessarily mean an endorsement of, or by, Nokia, Symbian or any other company. I disclaim everything anyway :-). Nokia and Symbian are trademarks or registered trademarks of Nokia Corporation and Symbian Ltd, respectively. The author of this webpage is not associated with Nokia or any other company mentioned on the page. All trademarks are owned by their respective companies. 

Back to Contents

13. Revision history

Oct 21, 2007: Moved info to seperate page.
Oct 1, 2007: Added more on Symbian.
Oct 26, 2006: Added info on Symbian devices.

Jacco de Leeuw