Certificates And Mobile Phones with OpenSSL

With the introduction of WAP, mobile phones (and other mobile devices) have needed to know about certificates, CAs etc. As the devices become smarter, their needs are changing, and their capabilities increasing.

This page will hopefully become (in time) a guide to supporting the certificate needs of mobile devices with OpenSSL and other open source tools. At the moment, it's a mixture of the foundation information, and a collection of un-answered questions along the road to the goal.

Mime Types for Delivery

Depending on the phone age and software, the certificates need to be in one of a few file formats, served with one of a number of mime types.

application/vnd.wap.wtls-ca-certificate - Binary WTLS certificate format. Should work with most phones, unsure of what it looks like...

application/vnd.wap.hashed-certificate WPKI certificate, where you'll need to enter the SHA-1 hash. Unsure of what one looks like...

application/vnd.wap.signed-certificate WPKI certificate, signed by another CA. Looks much like the one above.

application/vnd.wap.cert-response Still working on this one..

Certificate Formats

WTLS Certificates - a binary encoding of an x509 like certificate. x509 like because they've tied down what you're allowed to put in and how often, unlike x509 which is (excessivly) flexible. So, to make one of these, you need to ensure you only have the allowed tags in the right numbers (normally not a big problem), then binary encode it. Oh, but the internal encoding format isn't ASN.1 like x509, it's slightly different.... The encapsulation isn't DER. As far as I know (please tell me if you know differently!), there aren't any open source tools to convert between x509 and WTLS.
This is the most commonly used type of certificate on mobile devices.

x509 Certificates - normal, unchanged x509 certificates. Typically in their binary encoded (DER) form for space reasons. The standards docs keep talking about using these for more things (since everything supports them), but very few mobile devices do.
Newer Symbian Series 60 devices will accept these. You need to go to a website hosting the certificate in DER format, then feed it to the phone with a mime type of application/x-x509-ca-cert, and the phone will launch the import wizard. Not all browsers on the phone will do this though, but the "Services" browser (wap and xhtml-mp) will do so.

x9.68 Certificates - another x509 like certificate, designed for resource constrained devices and high transaction volume settings. More compact than x509, but more flexible than WTLS certificates, and also better specified (eg here). However, it's yet to make it through all the standards body hoops. Oh, and it can be XML encapsulated if you really want it to be.
Expect to see this used more and more frequently in future, but not very much yet.

Mobile Certificate Software

Commercial - most of the commercial CAs support WTLS certificates, and are happy to spit them out. A few are starting to do x9.68 also.

OpenSSL - doesn't yet support x9.68 or WTLS certificates, either to read them in, spit them out, or convert them. Hopefully it will do soon...

Other Open Source - really quite limited. Often associated with the few WAP and other mobile gateway products. Kannel has a few WTLS add-ons, which support WTLS connections, but only have limited certificate generation or convertion tools in them.

Open Documents - there are a few research papers and talks floating about on the web. Enough to give you a taste, not enough for writing your own stuff.

Roll Your Own - While there are a fair number of documents out there that ought to tell you about the WTLS formatting, none of them seem to in a way where I can understand them / in a a way where I actually notice the specs being defined. As such, I'm still searching for the formatting guides.
If I ever find out how it all works, I'll write some tools and post them here.

Some guides:

Wap Certificate Profile Specs

WPKI Specs

Symbian's overview of WTLS and it's certificates

Intro to WTLS Security

IBM intro to WAP 2.0 security

WTLS add-ons to the Kannel Wap Gateway

Guides Index
Written By: Nick Burch    Last modified: Thursday, 15-Jul-2004 17:15:23 BST
These pages are from http://www.gagravarr.org/writing/openssl-certs/
Creative Commons License This work is licensed under a Creative Commons License.