Posts: 4 | Thanked: 1 time | Joined on Dec 2010
#1
Hi,

I am having a hard time fiddling around with certificates on the N9:

I am trying to import my own created CA so that I do not get the certificate errors when surfing on my own sites using https.
The certificate seems to install fine using GUI, before I hit "install" all the four toggle switches for Websites, Wi-Fi, Mail users and Software makers are activated.

For some reason the Websites switch is set to off when I check after the certificate has been installed. I can activate it but it will be deactivated again (magically) when I reenter the menu.

acmcli shows what would be expected:
acmcli -t ssl-ca -L
(nothing listed)

it is not listed in common-ca either. It is listed in codesign-ca, smime-ca and wifi-ca though.

Toggling the switch will write this to /var/log/syslog:
Sep 10 17:53:50 (2012) certificate_install: aegis_storage.cpp(1436): ERROR add_file: access denied
Sep 10 17:53:50 (2012) certificate_install: aegis_storage.cpp(1641): ERROR add_link: access denied
Sep 10 17:53:50 (2012) certificate_install: aegis_storage.cpp(1935): ERROR commit: access denied, cannot commit '/var/lib/aegis/ps/Ss/certman.ssl-ca'
Sep 10 17:53:50 (2012) certificate_install: dbusservice.cpp(552): ERROR _installCertToDomains: failed adding certificate to 'ssl-ca' (13)
Sep 10 17:53:50 (2012) dcp-appletloader[13415]: certificatesapplet.cpp(486): ERROR settingsChanged: insert failed


When I try to add the certificate to the ssl-ca domain I get this error:

acmcli -p ssl-ca -a /home/user/MyDocs/ca.crt
ERROR: cannot add certificates (Permission denied)


This seems to happen with every change that I am trying to perform using acmcli:

acmcli -p wifi-ca -r 54c06f[...] -f
ERROR: cannot remove certificate (Permission denied)

The "verbose" switch -d / -dd does not seem to work either.

Is there some kind of a trick to invoke acmcli with some kind of a wrapper? So that the permission denied error does not occur?

Regards
finnjet
 
Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#2
use opensh with all capas.
__________________
IRC: jonni@freenode
Sailfish: ¤ Qt5 SailfishTouchExample ¤ Qt5 MultiPointTouchArea Example ¤ ipaddress ¤ stoken ¤ Sailbox (Dropbox client) ¤
Harmattan: ¤ Presence VNC for Harmattan ¤ Live-F1 ¤ BTinput-terminal ¤ BabyLock ¤ BabyLock Trial ¤ QML TextTV ¤
Disclaimer: all my posts in this forum are personal trolling and I never post in any official capacity on behalf of any company.
 
Posts: 4 | Thanked: 1 time | Joined on Dec 2010
#3
Hei Rainisto,

I did install inception and then used ariadne (instead of opensh); that worked for the removal of a certificate from wifi-ca.
I was still not able to add a new one to ssl-ca though. After the attempt I found an entry in syslog saying that access to
/var/lib/aegis/ps/Ss/certman.ssl-ca
has been denied. The file's ownership looked odd:
-rw-r--r-- 1 aegisfs crypto 207 Sep 12 09:55 certman.ssl-ca
-rw-r--r-- 1 user users 590 Sep 12 23:07 certman.ssl-user

So I renamed the file ssl-ca to ssl-ca.sav and with the next attempt the domain had been created again with correct user and group. Just writing that in case somebody has the same problem...
So that works now, thanks a lot!

I still have two questions though:
1. I tried to import a private user certificate that I would like to use to login into a webpage using the stock Nokia browser. This does not seem to work. Should the stock Browser use Client Certificates to sign into websites? Or has this never been implemented?

2. I have two certificates in the GUI list of Certificates that I got in there by pressing the "Always trust" button while connecting to an Enterprise WLAN. Those certificates have no remove button in the GUI and are not listed in any one of the domains using acmcli. They are listed as "server certificates". Where can I find them?

Thanks so much for your help.

Regards
finnjet
 

The Following User Says Thank You to finnjet For This Useful Post:
Posts: 103 | Thanked: 211 times | Joined on Sep 2011
#4
Did anyone have success with this? I tried removing certman.ssl-ca but I get the same error, 'resource temporarily not available'. I'm not using inception btw, because I need to get this working on non-jailbroken devices....
 
Moderator | Posts: 6,215 | Thanked: 6,400 times | Joined on Nov 2011
#5
Originally Posted by inean:
Did anyone have success with this? I tried removing certman.ssl-ca but I get the same error, 'resource temporarily not available'. I'm not using inception btw, because I need to get this working on non-jailbroken devices....
Are you using opensh to do it? From what you have posted, it seems that because you don't want to use inception you may not have opensh either.

What you can do is incept the device, install opensh via inception then uninstall inception so that opensh still remains with the necessary privileges.
 

The Following User Says Thank You to thedead1440 For This Useful Post:
Posts: 103 | Thanked: 211 times | Joined on Sep 2011
#6
Thanks, finally I had to use inception to add CA authority into common-ca group. Just for reference, minimal steps to add a CA.der file to a N9 device are:

1. openssl x509 -inform der -in CA.der -out CA.pem
2. sha1sum CA.pem
3. Use sha1sum output of CA.pem to rename CA.pem to <sha1sum>.pem
4. Install inception 2.5 for PR1.3 firmware
5. devel-su
6. /usr/bin/pasiv
7. move <sha1sum>.pem to N9
8. ariadne acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca -a <sha1sum>.pem
 

The Following 2 Users Say Thank You to inean For This Useful Post:
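
Steps 1 to 3 of the list in post #6, run on a workstation, as an added example that is not from any poster in this thread. It assumes `openssl`, `sha1sum` and `mktemp` are available there; `prepare_ca_pem` is a name chosen for this example, and the device-side steps 4 to 8 are not covered.

```shell
#!/bin/sh
# Added example: host-side steps 1-3 (DER -> PEM, SHA-1 of the PEM file, rename).
# Assumes openssl, sha1sum and mktemp on the workstation; prepare_ca_pem is a
# name chosen for this example.

# prepare_ca_pem <CA.der> [outdir]
# Prints the path of the resulting <sha1sum>.pem on stdout.
prepare_ca_pem() {
    der=$1
    outdir=${2:-.}
    [ -r "$der" ] || { echo "cannot read $der" >&2; return 1; }

    tmp=$(mktemp "$outdir/ca.XXXXXX") || return 1

    # Step 1: convert; openssl exits non-zero if the input cannot be parsed.
    if ! openssl x509 -inform der -in "$der" -out "$tmp" 2>/dev/null; then
        echo "$der could not be parsed as an X.509 certificate" >&2
        rm -f "$tmp"
        return 1
    fi

    # Show what is about to be trusted, so it can be compared with the CA's
    # known details before the file is moved to the device.
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate >&2

    # Step 2: SHA-1 of the PEM file itself, as in the post.
    sum=$(sha1sum "$tmp" | cut -d' ' -f1)

    # Step 3: rename to <sha1sum>.pem, refusing to overwrite an existing file.
    dest="$outdir/$sum.pem"
    if [ -e "$dest" ]; then
        echo "$dest already exists" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest" && printf '%s\n' "$dest"
}

# Run only when called with arguments, e.g.: sh prepare_ca.sh CA.der
if [ "$#" -gt 0 ]; then
    prepare_ca_pem "$@"
fi
```

The subject, issuer and expiry date go to stderr, so stdout carries only the new file name and can be captured by a calling script.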