  1. #1
    Regular Contributor
    Join Date
    Mar 2009
    Posts
    50

    Best way to Choose certificate?

    Hi all,
    I have a problem and I don't know the best way to solve it. Please help me.
    I want to connect to a secure site via HTTPS. I get the error "certificate library error" and sometimes "certificate verification failed".
    1. The problem is that I don't have a valid certificate in my MIDlet, right? (I built my own keystore with NetBeans 6.1.)
    2. The server I want to connect to uses a GoDaddy Class 2 certificate (https://secure.payglobalone.com). Does that mean I must have a "GoDaddy code signing certificate" in my MIDlet (JAR) to connect to the server? Or another code signing certificate, like VeriSign or Thawte?
    3. Is it possible to create my own certificate (using X.509) and make it valid for the server (the server has a GoDaddy Class 2 certificate)?

    My device: Nokia 6280
    Thanks in advance for your replies.


    Regards,
    raja

  2. #2
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: Best way to Choose certificate?

    Certificates for HTTPS are not the same as code-signing certificates. So, signing your MIDlet will not help you.

    I have a feeling that you cannot add your own HTTPS certificates. You certainly cannot add them "in the MIDlet"; they would have to be added to the browser's certificate list, I think.

    Have a search in the discussion boards and the wiki, as this question has certainly been asked before.

    Graham.

  3. #3
    Registered User
    Join Date
    Mar 2009
    Posts
    18

    Re: Best way to Choose certificate?

    Hi,

    From my experience you can't connect a Midlet through https to GoDaddy SSL signed websites.

  4. #4
    Regular Contributor
    Join Date
    Mar 2009
    Posts
    50

    Re: Best way to Choose certificate?

    Thanks psorobka for your reply. Are you sure I can't connect my MIDlet to a GoDaddy website? Can you tell me more? I have to do this for my project. Is it impossible?

    Thanks..

  5. #5
    Regular Contributor
    Join Date
    Mar 2009
    Posts
    50

    Re: Best way to Choose certificate?

    Hi all,
    psorobka says that with a MIDlet we cannot connect to a GoDaddy SSL website. Could someone help with another reason, or clarify it?

    Thanks..

  6. #6
    Registered User
    Join Date
    Mar 2009
    Posts
    18

    Re: Best way to Choose certificate?

    I've developed a small MIDlet to check various SSL certificates; you can use it to check.

    Code:
    import java.io.*;
    
    import javax.microedition.io.*;
    import javax.microedition.midlet.*;
    import javax.microedition.lcdui.*;
    
    public class Midlet extends MIDlet
            implements CommandListener, Runnable {
    
        private Display mDisplay;
        private Form mForm;
    
        public void startApp() {
            mDisplay = Display.getDisplay(this);
            if (mForm == null) {
                mForm = new Form("HttpsMIDlet");
                mForm.addCommand(new Command("Exit", Command.EXIT, 0));
                mForm.addCommand(new Command("Send", Command.SCREEN, 0));
                mForm.setCommandListener(this);
                mForm.append(getAppProperty("MIDlet-Jar-URL"));
            }
    
            mDisplay.setCurrent(mForm);
        }
    
        public void pauseApp() {
        }
    
        public void destroyApp(boolean unconditional) {
        }
    
        public void commandAction(Command c, Displayable s) {
            if (c.getCommandType() == Command.EXIT) {
                notifyDestroyed();
            } else {
                Form waitForm = new Form("Connecting...");
                mDisplay.setCurrent(waitForm);
                Thread t = new Thread(this);
                t.start();
            }
        }
    
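        // Returns true only if the HTTPS connection can be opened (which includes
        // the device's own certificate validation) and one byte can be read.
        public boolean checkHttpsConnection(String url) {
            HttpsConnection hc = null;
            InputStream is = null;
            try {
                hc = (HttpsConnection) Connector.open(url);
                is = hc.openInputStream();
                is.read();
                return true;
            } catch (Throwable ex) {
                // Any failure, including a rejected server certificate, ends up here.
                ex.printStackTrace();
                return false;
            } finally {
                // Release the stream and connection even when the connection fails.
                try { if (is != null) is.close(); } catch (IOException ignored) { }
                try { if (hc != null) hc.close(); } catch (IOException ignored) { }
            }
        }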
    
        public void run() {
            mDisplay.setCurrent(mForm);
            String thawte = "https://www.thawte.com/";
            String verisign = "https://www.verisign.com/";
            String godaddy = "https://www.godaddy.com/";
    
            mForm.append("connected to " + thawte + "? " + checkHttpsConnection(thawte));
            mForm.append("connected to " + verisign + "? " + checkHttpsConnection(verisign));
            mForm.append("connected to " + godaddy + "? " + checkHttpsConnection(godaddy));
        }
    }

  7. #7
    Regular Contributor
    Join Date
    Mar 2009
    Posts
    50

    Re: Best way to Choose certificate?

    I checked it and it cannot connect. Why can't the MIDlet connect to them (GoDaddy)? Is there any other way to connect to GoDaddy? Do you have a suggestion? I am building my project there (at GoDaddy).
    Thanks...


    raja

  8. #8
    Registered User
    Join Date
    Mar 2009
    Posts
    18

    Re: Best way to Choose certificate?

    It happens because the mobile doesn't have the CA certificate for GoDaddy - the best way is to avoid GoDaddy.

  9. #9
    Regular Contributor
    Join Date
    Mar 2009
    Posts
    50

    Re: Best way to Choose certificate?

    Thanks psorobka for the reply.
    How about adding the GoDaddy certificate to the mobile? Avoiding it is the last choice for me.
    I've searched this forum, and I found someone saying that if we can connect to a secure site (https://www.godaddy.com) with the mobile browser, it can be done with a MIDlet too. Is that true?
    My device is a Nokia 6280. Is it possible to add the GoDaddy certificate to this phone? Which phones are able to add certificates?

    Thanks for all




    regards,
    raja

  10. #10
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105

    Short answer (Go Daddy specific)

    raja, please point the internal (Nokia) Web browser to devicescape.com/certs. There, click on the last item (ValiCert) to save it. Then you should be able to access your webpage; at least I am able to connect to that site with my Nokia 6270 and psorobka’s code.

    Long answer (Generic, for all self-signed authorities)

    The latest Nokia devices work with Go Daddy (including ValiCert and Starfield) secured webpages out of the box. As far as I know (just device testing experience), those certificates were added with Series 40 5th Edition and S60 3rd Edition Feature Pack 1. If you have to target older Nokia devices, you have several options:
    1. The academic answer is to install the CA certificate.
    2. You secure your web server via VeriSign or Entrust rather than something else (recommendation, again, simply based on my testing experience).
    3. If you are not in control of the server, direct all your traffic through your own proxy server and start the SSL/TLS connection from there. To secure the traffic between your proxy and the mobile phone:
      1. Use the Http(s)Connection/SecureConnection Java classes and VeriSign/Entrust on your proxy, or
      2. Build your own security protocol like Opera Mini does.


    Question 1: Even after installing ValiCert, the web browser gives a warning.
    Go Daddy has several roots. If you install the ValiCert root certificate, not all Go Daddy secured websites will work. If it is your server and you care about compatibility, change your intermediate. If you have no control, you have to install the new Go Daddy root.

    Question 2: Using the certificate directly from Go Daddy does not work (plain text is shown or device asks where to store).
    Make sure to use the DER (binary) encoded certificate and not the PEM (Base64) one. However, even with that, Go Daddy sends plain/text as MIME media type (a header on the HTTP layer) rather than application/x-x509-ca-cert. You have to place that certificate on your own server, send the correct MIME media type or use the link above.

    Question 3: Even then, it does not work and the internal web browser gives a warning.
    1. Read the warning; sometimes it tells you what is wrong!
    2. Check the date on your phone.
    3. With Wireshark or OpenSSL, make sure your server sends an intermediate certificate in the chain of certificates.
    4. Make sure that chain is in the right order (most special to more general) as Nokia devices are picky about that, too.
    5. Very old phones require WPKI or even WTLS based certificates.
    6. Use a recent edition and feature pack S60 phone to cross-check.
    7. If using an IP address rather than an FQDN, I had to include it as an alternative subject name, typecast as IP address rather than as common name.
    8. Happy, happy bug hunting – no idea what is wrong now.

    Question 4: Is it possible to ship the certificate with my MIDlet?
    If someone is able to make that work, it would be really cool. I am not aware of a trick.
    Last edited by traud; 2009-09-22 at 10:33.
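
An added example (not part of the original thread or of any poster's code) for Question 2 above: a small Python WSGI app that converts a PEM certificate to DER and serves it with the `application/x-x509-ca-cert` media type. The file name `ca-root.pem`, port 8080 and the sample bytes are assumptions made for this illustration.

```python
import base64
import re
from wsgiref.simple_server import make_server

CA_CERT_MIME = "application/x-x509-ca-cert"   # media type named in the post above
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate given as PEM (Base64) or DER (binary)."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] == b"\x30":          # a DER certificate starts with an ASN.1 SEQUENCE tag
        return data
    raise ValueError("input is neither a PEM nor a DER certificate")

def make_app(cert_bytes: bytes):
    """WSGI app that answers every request with the DER certificate and CA-cert type."""
    der = to_der(cert_bytes)
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", CA_CERT_MIME),
                                  ("Content-Length", str(len(der)))])
        return [der]
    return app

# Constructed stand-in (an ASN.1 SEQUENCE holding INTEGER 1), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Assumed file name: the CA certificate saved next to this script.
    with open("ca-root.pem", "rb") as f:
        cert_app = make_app(f.read())
    make_server("0.0.0.0", 8080, cert_app).serve_forever()
```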

  11. #11
    Regular Contributor
    Join Date
    Mar 2009
    Posts
    50

    Nice touch to certificate

    Hi all, thanks for your comments. It works nicely. How I solved this:
    1. My device, a Nokia 6280, refuses to install a new certificate in DER or even in WPKI format. I don't know why.
    2. I tried another device, a Nokia 6600 (S60 2nd) v5.53:
    -- Import the certificate from GoDaddy (as traud said, and convert it into DER format). The other way: go to the server you want to connect to, look at the SSL symbol in your web browser (a symbol like a key), open it, choose view certificate, then choose import, and save the new certificate (save it in DER format).
    -- Send it to the device (I use the 6600) and install it.
    -- That's it. Your MIDlet connects to the server now.
    3. I tried with my code to get all headers from the server (https://www.godaddy.com) and it works! The phone will give you an untrusted certificate warning, but you can go through.

    Thanks psorobka, just not to avoid GoDaddy.
    Thanks traud for your comments.
    New challenge begins..


    thanks
    regards,
    raja

  12. #12
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105

    raja, I did not understand. Could you please explain in more detail? Is there a question? For some reason, your webpage changed its configuration and does not send an intermediate at all anymore – is it broken?

  13. #13
    Regular Contributor
    Join Date
    Mar 2009
    Posts
    50

    Re: Best way to Choose certificate?

    Quote Originally Posted by traud
    For some reason, your webpage changed its configuration and does not send an intermediate at all anymore – is it broken?

    Yes, I will. But I don't get your point. Can you explain your point more?

  14. #14
    Registered User
    Join Date
    Mar 2003
    Posts
    4,105

    Go Daddy does not give its private key to anyone else. Go Daddy uses the private key of its certificate authority (CA) to certify the public key of a customer. Consequently, each customer gets its own certificate. However, Go Daddy organises (like many others, too) its CA into several sub (intermediate) CAs. That intermediate is certified against the root CA. Now, browser manufacturers do not want to have zillions of certificates in their store. The trick is: the customer certificate tells the browser which intermediate certificate(s) was used, and that root matches the (well-known) certificate in the store of the browser.

    At the end, the website owner has two ways to tell the browsers about the intermediate. Either he sends the chain of certificates within the request, or the certificate itself contains a link to its intermediate, which has a link to its root. The latter is a rather new trick and many, many browsers do not support it yet. Nevertheless, some website owners do not check their chain of certificates with a tool like OpenSSL and just test it with one or two browsers.

    I hope I got all terms and the like right and there are not too many flaws in that description. Anyway, please consult a specialist if you need in-depth and/or valid knowledge!
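
An added example (not from the thread) of the chain check described in Question 3 and in the explanation above: it reads the issuer and subject of each DER certificate in the order the server sent them and reports where a certificate is not followed by its issuer. Names are compared byte-for-byte and signatures are not verified; the sample certificates are constructed, unsigned stand-ins.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_subject(cert_der):
    """Return the raw DER of the issuer and subject Names of an X.509 certificate."""
    _, cert_start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, cert_start)    # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(cert_der[pos:end])
        pos = end
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2], fields[4]

def check_chain(chain):
    """chain: DER certificates in the order the server sent them. Returns findings."""
    names = [issuer_and_subject(c) for c in chain]
    findings = []
    if len(names) == 1 and names[0][0] != names[0][1]:
        findings.append("only the leaf was sent: no intermediate in the chain")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # byte-wise Name comparison (simplification)
            findings.append("certificate %d is not issued by certificate %d" % (i, i + 1))
    return findings

def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length only; enough for samples

def fake_cert(issuer, subject):
    """Constructed, unsigned stand-in carrying only the fields the check reads."""
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject))
    return tlv(0x30, tlv(0x30, tbs))

LEAF = fake_cert("Example Intermediate CA", "www.example.test")
INTERMEDIATE = fake_cert("Example Root CA", "Example Intermediate CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
```

To test a real server, pass the certificates it sends, converted to DER, in the order received (leaf first).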

  15. #15
    Regular Contributor
    Join Date
    Mar 2009
    Posts
    50

    Re: Best way to Choose certificate?

    Thanks traud,

    Quote Originally Posted by traud
    I hope I got all terms and the like right and there are not too many flaws in that description. Anyway, please consult a specialist if you need in-depth and/or valid knowledge!

    Maybe I need to do that.. upgrade my knowledge..

    Quote Originally Posted by traud
    Question 1: Even after installing ValiCert, the web browser gives a warning.
    Go Daddy has several roots. If you install the ValiCert root certificate, not all Go Daddy secured websites will work. If it is your server and you care about compatibility, change your intermediate. If you have no control, you have to install the new Go Daddy root.

    1. I have no control, traud. I installed the new GoDaddy root (converted to DER), and it works.

    2. I did it this way:

    The other way: go to the server you want to connect to. Look at the SSL symbol in your web browser (a symbol like a key), open it, choose view certificate, then choose import certificate, and save the new certificate (save it in DER format).
    It works too...


    regards,

    raja
