×

Discussion Board

Results 1 to 15 of 15
  1. #1
    Registered User
    Join Date
    Jan 2006
    Posts
    20

    Failed MIDlet install with VeriSign certificate

    Every attempt to install a MIDlet signed by a VeriSign issued certificate fails on my unbranded N70 and 6680 with the following error message:

    N70, "Unable to verify certificate"
    6680, "Installation security error, unable to install"

    N70 version:
    V 2.0536.0.2
    12-09-05
    RM-84

    6680 version:
    V 3.04.37
    01-06-05
    RM-36


    After researching a bit, I have tried the following modified phone settings without help:

    1. menu -> tools -> settings -> security -> certif management
    For all VeriSign Class 3 Certificate Authorities
    -> Options -> Trust settings
    App. Installation: yes
    Online certif check: no

    2. menu -> tools -> manager -> options -> settings
    Software installation: on or off
    Online certif check: off

    3. remove all MIDlet-Permissions from .jad and manifest. (taking a wild stab here)

    4. tempted to flash with a firmware upgrade but I thought I better post for an alternative solution first.


    Other items of note:

    1. On the N70 when I run the Installer and "View certificate" I see
    Issuer: VeriSign Inc.
    Expires: 05/26/2007
    Valid from: 05/26/2007


    2. I have been able to "self" sign and install this MIDlet without issues after importing the self signed certicate into the phone's certificate manager. Obviously this will not work as real solution. I need a CA generated certficate.


    Thanks in advance to anyone that can shed some light!

    Chuck
    Last edited by chgru; 2006-05-30 at 22:11.

  2. #2
    Regular Contributor
    Join Date
    Mar 2006
    Posts
    124

    Re: Failed MIDlet install with VeriSign certificate

    Is your cert really a class 3 cert ?
    I can see class 1 thu 4 are installed on my 6682.

    I can also see you can set trust status on the certificates themselves.
    Try settings them all to be able to install apps

  3. #3
    Registered User
    Join Date
    Jan 2006
    Posts
    20

    Re: Failed MIDlet install with VeriSign certificate

    Should be Class 3,

    > keytool -printcert returns (among other info)...

    Issuer: CN=VeriSign Class 3 Code Signing 2004 CA, O="VeriSign, Inc.",

    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.",

    Now I just noticed I have ST in the Owner string with the full spelling of the state:

    ST=California,

    I vaguely recall an issue using non-two letter abbreviations. Can anyone confirm this as the issue. I've already potentially thrown away $500 on this cert.

  4. #4
    Nokia Developer Champion
    Join Date
    Mar 2003
    Posts
    4,104
    Make sure the MIDlet-Certificate- fields in your JAD are correct. VeriSign certificates need an intermediate one and consequently a second MIDlet-Certificate-.
    Last edited by traud; 2008-01-25 at 11:58.

  5. #5
    Registered User
    Join Date
    Jan 2006
    Posts
    20

    Re: Failed MIDlet install with VeriSign certificate

    Thanks for the input but apologies for not quite following your post. For the Verisign version should I expect to see "MIDlet-Certificate-1-2=...?" As you can probably tell I used ant and antenna <wtkjad> task to create and sign my .jad file.

    I've provided both the non-working Verisign and working self-signed manifest and .jad snippets...



    === Verisign ===


    - .jar Manifest.mf

    Manifest-Version: 1.0
    MicroEdition-Configuration: CLDC-1.1
    MIDlet-Name: MyApp
    Created-By: 1.5.0_05-b05 (Sun Microsystems Inc.)
    Ant-Version: Apache Ant 1.6.5
    MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.socket, javax.microedition.io.Connector.datagram, javax.microedition.io.PushRegistry, javax.microedition.io.Connector.serversocket,javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.send
    MIDlet-Vendor: MyApp
    MIDlet-1: MyAppApp, MyAppSpark42x29.gif, net.java.mypack.app.Pho
    neClient
    MIDlet-Version: 0.0.1
    MicroEdition-Profile: MIDP-2.0


    - .jad

    MIDlet-Jar-URL: MyApp.jar
    MIDlet-Jar-Size: 360685
    MIDlet-Name: MyApp
    MIDlet-Vendor: MyApp
    MIDlet-Version: 0.0.1
    MIDlet-1: MyAppApp, MyAppSpark42x29.gif, net.java.mypack.app.PhoneClient
    MicroEdition-Profile: MIDP-2.0
    MicroEdition-Configuration: CLDC-1.1
    MIDlet-Push-1: socket://:8099,net.java.mypack.app.PhoneClient,*
    MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.socket, javax.microedition.io.Connector.datagram, javax.microedition.io.PushRegistry, javax.microedition.io.Connector.serversocket,javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.send
    MIDlet-Certificate-1-1: MIIE8jCCA...
    MIDlet-Jar-RSA-SHA1: Raz2aGQ...





    === Self Signed ===

    - .jar Manifest.mf

    Manifest-Version: 1.0
    MicroEdition-Configuration: CLDC-1.1
    MIDlet-Name: MyApp
    Created-By: 1.5.0_05-b05 (Sun Microsystems Inc.)
    Ant-Version: Apache Ant 1.6.5
    MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.socket, javax.microedition.io.Connector.datagram,javax.microedition.io.PushRegistry, javax.microedition.io.Connector.serversocket,javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.send
    MIDlet-Vendor: MyApp
    MIDlet-1: MyAppApp, MyAppSpark42x29.gif, net.java.mypack.app.PhoneClient
    MIDlet-Version: 0.0.1
    MicroEdition-Profile: MIDP-2.0


    - .jad

    MIDlet-Jar-URL: MyApp.jar
    MIDlet-Jar-Size: 359159
    MIDlet-Name: MyApp
    MIDlet-Vendor: MyApp
    MIDlet-Version: 0.0.1
    MIDlet-1: MyAppApp, MyAppSpark42x29.gif, net.java.mypack.app.PhoneClient
    MicroEdition-Profile: MIDP-2.0
    MicroEdition-Configuration: CLDC-1.1
    MIDlet-Push-1: socket://:8099,net.java.mypack.app.PhoneClient,*
    MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.socket, javax.microedition.io.Connector.datagram, javax.microedition.io.PushRegistry, javax.microedition.io.Connector.serversocket,javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.send
    MIDlet-Certificate-1-1: MIICUDCCA...
    MIDlet-Jar-RSA-SHA1: bYmyxiNr...


    Chuck

  6. #6
    Nokia Developer Champion
    Join Date
    Mar 2003
    Posts
    4,104
    Have a look at the phone and the issue date of the root certificate. If that is from 2001 and you are using a 2004 one, previous users on this board reported an intermediate certificate is required – do not have such a VerSign code-signing cert myself, so I cannot judge on that.

    Please have a search for this topic. This is a quite common problem with recent VeriSign code-signing certificates…there are bad behaving WTK JAD Signer versions out there.

  7. #7
    Registered User
    Join Date
    Jan 2006
    Posts
    20

    Re: Failed MIDlet install with VeriSign certificate

    I believe I found your related thread on this topic...

    http://discussion.forum.nokia.com/f...178248#poststop






    Note that Certificate number [3] in my keystore listing, the serial number and fingerprints match to my phone's (ommitted the fingerprints for clarity):

    Label: VeriSign, Inc. Class 3 Public Primary Certification Authority
    Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority, Us
    Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority, Us
    Valid from: 01/29/1996
    Valid until: 09/01/2028
    Certificate format: X.509


    The other 2 VeriSign Class 3 Certificates on the phone are...

    Label: VeriSign Class 3 Public Primary Certification Authority - G2
    Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network, US
    Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network, US
    Valid from: 05/18/1998
    Valid until: 08/01/2028
    Certificate format: X.509

    Label: VeriSign Class 3 Public Primary Certification Authority - G3
    Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority - G3, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only,US
    Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority - G3, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only,US
    Valid from: 10/01/1999
    Valid until: 07/16/2036
    Certificate format: X.509



    If you look below in my keystore listing, it appears I have the 2004 year you cautioned about, however my phone does not appear have a 2001 version, correct?

    One thing I am not clear on is to which certificate does my app have signed?

    Somehow should MIDlet-Certificate-1-1: MIIE8jCCA... match to a fingerprint?

    Should MIDlet-Certificate-1-2 be present to somehow chain these together to Certificate[3]. I think I could just hand edit the .jad file and add these but I have yet to find a way to match up the magic ascii value for MIDlet-Certificate-1-x to a real certificate I was given to sign with?


    Sorry, I thought I had a handle on this until recently. If you have a good reference on the nitty gritty details of signing, that would be helpful
    as well. I think I have exhausted google and this forum.




    === list of certificates in my keystore ===

    >keytool -v -list -keystore ...

    Creation date: May 30, 2006
    Entry type: keyEntry
    Certificate chain length: 3

    Certificate[1]:
    Owner: CN=Agilent Technologies, OU=EMG, OU=Digital ID Class 3 - Java Object Sign
    ing, O=Agilent Technologies, L=Palo Alto, ST=California, C=US
    Issuer: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www
    .verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Serial number: 6909b0bfdfda38fd9877fc0583fa6427
    Valid from: Thu May 25 18:00:00 MDT 2006 until: Sat May 26 17:59:59 MDT 2007
    Certificate fingerprints:
    MD5: 4C:6B:3B:33:CC:2F:EC:C1:55:A0:3E:0B:BD:46:F3:8E
    SHA1: 05:72:F5:C9:2F7:F8:EF:CA:C5:90:9A5:16:46:63:12:C6:A1:C9

    Certificate[2]:
    Owner: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.
    verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
    =US
    Serial number: 4191a15a3978dfcf496566381d4c75c2
    Valid from: Thu Jul 15 18:00:00 MDT 2004 until: Tue Jul 15 17:59:59 MDT 2014
    Certificate fingerprints:
    MD5: 63:FE:60:C5:5A:44:AF:8E:E2:11:5A:27:62:2A:B0:7C
    SHA1: 19:7A:4A:EBB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4


    =================================
    ==== THE MATCHING CERTIFICATE ===
    =================================
    Certificate[3]:
    Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=
    US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
    =US
    Serial number: 70bae41d10d92934b638ca7b03ccbabf
    Valid from: Sun Jan 28 17:00:00 MST 1996 until: Tue Aug 01 17:59:59 MDT 2028
    Certificate fingerprints:
    MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
    SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2





    === error while running on Nokia MIDP Emulator ====

    I have no idea if the emulator should know of the CA, don't see any config to add one however while running

    NDS SDK 2 Emulator set to run in real life mode for S60:


    ** Error installing suite (6):
    The content provider certificate issuer
    C=US;O=VeriSign, Inc.;
    OU=VeriSign Trust Network;OU=Terms of use at https://www.verisign.com/rpa (c)04;CN=VeriSign Class 3 Code Signing 2004 CA
    is unknown.
    Last edited by chgru; 2006-05-31 at 22:44.

  8. #8
    Registered User
    Join Date
    Jan 2006
    Posts
    20

    Re: Failed MIDlet install with VeriSign certificate

    I believe I found your related thread on this topic...

    http://discussion.forum.nokia.com/fo...78248#poststop






    Note that Certificate number [3] in my keystore listing, the serial number and fingerprints match to my phone's (ommitted the fingerprints for clarity):

    Label: VeriSign, Inc. Class 3 Public Primary Certification Authority
    Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority, Us
    Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority, Us
    Valid from: 01/29/1996
    Valid until: 09/01/2028
    Certificate format: X.509


    The other 2 VeriSign Class 3 Certificates on the phone are...

    Label: VeriSign Class 3 Public Primary Certification Authority - G2
    Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network, US
    Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network, US
    Valid from: 05/18/1998
    Valid until: 08/01/2028
    Certificate format: X.509

    Label: VeriSign Class 3 Public Primary Certification Authority - G3
    Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority - G3, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only,US
    Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority - G3, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only,US
    Valid from: 10/01/1999
    Valid until: 07/16/2036
    Certificate format: X.509



    If you look below in my keystore listing, it appears I have the 2004 year you cautioned about, however my phone does not appear have a 2001 version, correct?

    One thing I am not clear on is to which certificate does my app have signed?

    Somehow should MIDlet-Certificate-1-1: MIIE8jCCA... match to a fingerprint?

    Should MIDlet-Certificate-1-2 be present to somehow chain these together to Certificate[3]. I think I could just hand edit the .jad file and add these but I have yet to find a way to match up the magic ascii value for MIDlet-Certificate-1-x to a real certificate I was given to sign with?


    Sorry, I thought I had a handle on this until recently. If you have a good reference on the nitty gritty details of signing, that would be helpful
    as well. I think I have exhausted google and this forum.




    === list of certificates in my keystore ===

    >keytool -v -list -keystore ...

    Creation date: May 30, 2006
    Entry type: keyEntry
    Certificate chain length: 3

    Certificate[1]:
    Owner: CN=Agilent Technologies, OU=EMG, OU=Digital ID Class 3 - Java Object Sign
    ing, O=Agilent Technologies, L=Palo Alto, ST=California, C=US
    Issuer: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www
    .verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Serial number: 6909b0bfdfda38fd9877fc0583fa6427
    Valid from: Thu May 25 18:00:00 MDT 2006 until: Sat May 26 17:59:59 MDT 2007
    Certificate fingerprints:
    MD5: 4C:6B:3B:33:CC:2F:EC:C1:55:A0:3E:0B:BD:46:F3:8E
    SHA1: 05:72:F5:C9:2F7:F8:EF:CA:C5:90:9A5:16:46:63:12:C6:A1:C9

    Certificate[2]:
    Owner: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.
    verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
    =US
    Serial number: 4191a15a3978dfcf496566381d4c75c2
    Valid from: Thu Jul 15 18:00:00 MDT 2004 until: Tue Jul 15 17:59:59 MDT 2014
    Certificate fingerprints:
    MD5: 63:FE:60:C5:5A:44:AF:8E:E2:11:5A:27:62:2A:B0:7C
    SHA1: 19:7A:4A:EBB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4


    =================================
    ==== THE MATCHING CERTIFICATE ===
    =================================
    Certificate[3]:
    Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=
    US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
    =US
    Serial number: 70bae41d10d92934b638ca7b03ccbabf
    Valid from: Sun Jan 28 17:00:00 MST 1996 until: Tue Aug 01 17:59:59 MDT 2028
    Certificate fingerprints:
    MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
    SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2





    === error while running on Nokia MIDP Emulator ====

    I have no idea if the emulator should know of the CA, don't see any config to add one however while running

    NDS SDK 2 Emulator set to run in real life mode for S60:


    ** Error installing suite (6):
    The content provider certificate issuer
    C=US;O=VeriSign, Inc.;
    OU=VeriSign Trust Network;OU=Terms of use at https://www.verisign.com/rpa (c)04;CN=VeriSign Class 3 Code Signing 2004 CA
    is unknown.
    Last edited by chgru; 2006-05-31 at 22:26.

  9. #9
    Nokia Developer Champion
    Join Date
    Mar 2003
    Posts
    4,104
    The VeriSign Code Signing Intermediate CA Certificate is missing.

    Copy the code, remove – beside the carriage returns – the first and last line and use it as value of a MIDlet-Certificate-1-2. That should work. There are broken signer tools out there. Make sure to use the latest Sun Java Wireless Toolkit or Nokia Carbide.j.

    Please forget that other thread. I was more confusing than helping there. Additionally, there seemed to be a different problem. Better have a look at this one or have a search about MIDlet-Certificate-1-2 on the Internet and this forum.

    Additionally, forget about this 2001 issue. Your 2004 code-signing certificate, signed to this 2004 root intermediate seems to be linked to this root certificate with the SHA1 7A:2C… fingerprint on the phone anyway. The latter is the only VeriSign one which allows code signing on my Nokia 6680. I cannot be 100% sure, as I have no VeriSign certificate, however, it looks reasonable. Correct me, if I am wrong.
    Last edited by traud; 2006-06-02 at 12:13.

  10. #10
    Registered User
    Join Date
    Jan 2006
    Posts
    20

    Re: Failed MIDlet install with VeriSign certificate

    Thanks for the links, I will work with them and post my results. This will be a big help.


    Some other info I should clear up for others that may be following this thread....

    Earlier I stated I was using wtkjad antenna task to sign the .jad/jar, Wrong!!

    I was acutally using WTK2.1's JadTool.jar with -addjarsig followed by -addcert. I also tried NDS 3.0, same issue. I found what appeared to be a good link regarding signing for Nokia with VeriSign here:

    http://sw.nokia.com/id/fe8f54d9-c53d...ts_v1_0_en.pdf

    However no matter which JadTool.jar used, I only get the single MIDlet-Certificate-1-1, no chain to the CA.

    Also, I think I have identified by Serial Number which certificate is signed to the .jad/jar. It is the first one ("[1]") listed in keystore list I provided. I simply did a "View Certificate" on the phone during the install and compared the serial number to the ones enumerated in my keystore listing.

    I think I am getting closer with traud's help. Thanks.

    Chuck

  11. #11
    Registered User
    Join Date
    Jan 2006
    Posts
    20

    Thumbs up Re: Failed MIDlet install with VeriSign certificate

    Success!

    Adding the intermediate certificate by hand did the trick. You saved me several days of head banging. Many Thanks!

  12. #12
    Nokia Developer Champion
    Join Date
    Mar 2003
    Posts
    4,104
    You are welcome! I learned a lot in this, too. Let us share it with the community:
    When your code signing certificate makes trouble have a look at your JAD and check at least a MIDlet-Certificate-1-2 field is present. If not and you are using a VeriSign 2009-2 code signing certificate, add this line, which is the intermediate certificate as Base64 (a constant value):
    Code:
    MIDlet-Certificate-1-2: MIIE/DCCBGWgAwIBAgIQZVIm4bIuGOFZDymFrCLnXDANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDkwNTIxMDAwMDAwWhcNMTkwNTIwMjM1OTU5WjCBtjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEwMC4GA1UEAxMnVmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAwOS0yIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvmcdtGCqEElvVhd8Zslehg3V8ayncYOOi4n4iASJFQa6LYQhleTRnFBM+9IivdrysjU7Ho/DCfv8Ey5av4l8PTslHvbzWHuc9AG1xgq4gM6+J3RhZydNauXsgWFYeaPgFxASFSew4U00fytHIES53mYkZorNT7ofxTjIVJDhcvYZZnVquUlozzh5DaowqNssYEie16oUAamD1ziRMDkTlgM6fEBUtq3gLxuD3KgRUj4Cs9cr/SG2p1yjDwupphBQDjQuTafOyV4l1Iy88258KbwBXfwxh1rVjIVnWIgZoL818OoroyHnkPaD5ajtYHhee2CD/VcLXUENY1Rg1kMh7wIDAQABo4IB2zCCAdcwEgYDVR0TAQH/BAgwBgEB/wIBADBwBgNVHSAEaTBnMGUGC2CGSAGG+EUBBxcDMFYwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMwKgYIKwYBBQUHAgIwHhocaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMDMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFDbGFzczNDQTIwNDgtMS01NTAdBgNVHQ4EFgQUl9BrqCZwyKE/lB8ILcQ1m6ShHvIwDQYJKoZIhvcNAQEFBQADgYEAiwPA3ZTYQaJhabAVqHjHMMaQPH5C9yS25INzFwR/BBCcoeL6gS/rwMpE53LgULZVECCDbpaS5JpRarQ3MdylLeuMAMcdT+dNMrqF+E6++mdVZfBqvnrKZDgaEBB4RXYx84Z6Aw9gwrNdnfaLZnaCG1nhg+W9SaU4VuXeQXcOWA8=
    If not and you are using a thawte code signing certificate, add this line, which is the intermediate certificate as Base64 (a constant value):
    Code:
    MIDlet-Certificate-1-2: MIIDTjCCAregAwIBAgIBCjANBgkqhkiG9w0BAQUFADCBzjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29tMB4XDTAzMDgwNjAwMDAwMFoXDTEzMDgwNTIzNTk1OVowVTELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xHzAdBgNVBAMTFlRoYXd0ZSBDb2RlIFNpZ25pbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMa4uSdgrwvjkWll236N7ZHmqvG+1e3+bdQsf9Fwd/smmVe03T8wuNwh6miNgZL8LkuRNYQg8tpKurT85tqI8iDFIZIJR5WgCRymeb6xTB388YpuVNJpofFMkzpB/n3UZHtjRfdgYB0xHaTp0w+L+24mJLOo/+XlkNS0wtxQYK5ZAgMBAAGjgbMwgbAwEgYDVR0TAQH/BAgwBgEB/wIBADBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUHJlbWl1bVNlcnZlckNBLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgEGMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwyLTE0NDANBgkqhkiG9w0BAQUFAAOBgQB2spzuE58b9i00kpRFczTcjmsuXPxMfYnrw2jx15kPLh0XyLUWi77NigUG8hlJOgNbBckgjm1S4XaBoMNliiJn5BxTUzdGv7zXL+t7ntAURWxAIQjiXXV2ZjAe9N+Cii+986IMvx3bnxSimnI3TbB3SOhKPwnOVRks7+YHJOGv7A==
    When there are still problems, copy and paste your MIDlet-Certificate- values to a text editor, like this
    Code:
    -----BEGIN CERTIFICATE-----
    MII…
    -----END CERTIFICATE-----
    and then save it as .pem as this is a X.509 certificate in PEM format. Although the line endings are wrong for PEM, you are still able to import these into any certificate manager like the one of Firefox. There you can inspect the individual certs and make sure the chain is complete (compare the authority and issuer name). Remember, the root certificate should not be included in your JAD as it is stated in the MIDP 2.0 specification chapter 4.

    chgru, I am still curious, why your signing tool failed. Because the root certificate (last one in the chain) is never included in the JAD, perhaps you need Verisign's class 3 root certificate (filename = PCA3ss_v4.509) in your key store, too? I have no idea…
    Last edited by traud; 2009-09-03 at 18:26. Reason: Added the thawte (constant) certificate; changed VeriSign intermediate

  13. #13
    Registered User
    Join Date
    Jan 2006
    Posts
    20

    Re: Failed MIDlet install with VeriSign certificate

    Not sure why the root CA is not include in the .jad. As I update NDS to Carbide.j I'll post to this thread if anything changes. Again, thanks for the help. Save me several days of effort.

  14. #14
    Nokia Developer Champion
    Join Date
    Mar 2003
    Posts
    4,104
    No, I meant the root is never included in the JAD – in your case and for everyone else. This is the way it is designed by MIDP 2. Perhaps therefore, these signing tools omit the last certificate in the chain. As you pointed out, your key store does not include the root certificate of VeriSign. Therfore, in your case, the intermediate is not included.
    Could this be the reason of all that trouble?

  15. #15
    Registered User
    Join Date
    Jan 2006
    Posts
    20

    Re: Failed MIDlet install with VeriSign certificate

    Isn't certificate[3] in my keystore a root cert?

    Certificate[3]:
    Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=
    US
    Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
    =US
    Serial number: 70bae41d10d92934b638ca7b03ccbabf
    Valid from: Sun Jan 28 17:00:00 MST 1996 until: Tue Aug 01 17:59:59 MDT 2028
    Certificate fingerprints:
    MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
    SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2

Similar Threads

  1. 6680:socket push registry does not work with Verisign certificate ?
    By dlacan in forum Mobile Java Networking & Messaging & Security
    Replies: 1
    Last Post: 2006-04-05, 13:34
  2. Replies: 2
    Last Post: 2005-06-27, 07:04
  3. Install MIDlet and Authorisation failed!
    By benjos in forum Mobile Java General
    Replies: 3
    Last Post: 2005-04-09, 06:36
  4. Signing midlets with Verisign certificate for Nokia 6600
    By rmellado in forum Mobile Java General
    Replies: 0
    Last Post: 2004-07-02, 10:36
  5. How to install a signed MIDlet into S60 SDK?
    By nn_tt in forum Mobile Java General
    Replies: 0
    Last Post: 2004-03-18, 07:18

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •