The CA certificate that signs freenet.de's mail server certificate (the one used for encrypted mailbox access) was missing on my K750i. When I tried to access my IMAP mailbox with SSL/TLS enabled, the phone aborted with an error about an untrusted certificate or something like that.
I found out by sniffing the traffic of my PC mail client Evolution with tcpdump/Wireshark that the needed CA certificate is "TC TrustCenter Class 2 CA" from http://trustcenter.de/.
The K750i expects uploaded certificate files to be in DER format with the file extension .cer. Download the DER file http://trustcenter.de/certservices/cacerts/tcclass2-2011.der, as linked from http://trustcenter.de/root_certificates.htm, and rename it to tcclass2-2011.cer. Then upload the file to your mobile, for example via Bluetooth, and enjoy secure E-Mail access!
If you want to check that the certificate was installed correctly, go to Settings > Connectivity: Internet settings > Security > Trusted cert. and you should find it at the bottom of the list.
This solution should most likely also cover POP3/SMTP access as well as paid freenet mail accounts, and should work on similar Sony Ericsson mobile phones.
I tried to do the same for GMX.net's CA "Thawte Premium Server CA", found in the Zip file available here: http://www.thawte.com/roots/index.html. But sadly the included ThawtePremiumServerCA.cer (or the identical ThawtePremiumServerCA.509) could not be installed. After accepting the file transfer the phone kept flashing between a white and a black screen with the backlight on and off, and finally returned to the contacts menu after some message like "loading contacts…".
I had the same effect when I first uploaded the PEM file from TrustCenter to the phone. But PEM files are base64 encoded and DER files are “binary”. Probably the certificate has to be converted with something like OpenSSL. Eventually I’ll try to get this working, but it isn’t that important for me now.
UPDATE
I finally got this Thawte certificate installed. But I haven't tested yet whether it works.
My first attempt was to convert the base64 certificate to DER format with the command below, which resulted in a file identical to the one already provided.
openssl x509 -in ThawtePremiumServerCA_b64.txt -inform PEM -out ThawtePremiumServerCA_conv.cer -outform DER
Looking at the plain text certificate, I only found the X509v3 extensions to be different from the TrustCenter certificate. To see the plain text cert I did this:
[scheff@p512o downloads]$ openssl x509 -in ThawtePremiumServerCA_b64.txt -inform PEM -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
        Validity
            Not Before: Aug 1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d2:36:36:6a:8b:d7:c2:5b:9e:da:81:41:62:8f:
                    38:ee:49:04:55:d6:d0:ef:1c:1b:95:16:47:ef:18:
                    48:35:3a:52:f4:2b:6a:06:8f:3b:2f:ea:56:e3:af:
                    86:8d:9e:17:f7:9e:b4:65:75:02:4d:ef:cb:09:a2:
                    21:51:d8:9b:d0:67:d0:ba:0d:92:06:14:73:d4:93:
                    cb:97:2a:00:9c:5c:4e:0c:bc:fa:15:52:fc:f2:44:
                    6e:da:11:4a:6e:08:9f:2f:2d:e3:f9:aa:3a:86:73:
                    b6:46:53:58:c8:89:05:bd:83:11:b8:73:3f:aa:07:
                    8d:f4:42:4d:e7:40:9d:1c:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        26:48:2c:16:c2:58:fa:e8:16:74:0c:aa:aa:5f:54:3f:f2:d7:
        c9:78:60:5e:5e:6e:37:63:22:77:36:7e:b2:17:c4:34:b9:f5:
        08:85:fc:c9:01:38:ff:4d:be:f2:16:42:43:e7:bb:5a:46:fb:
        c1:c6:11:1f:f1:4a:b0:28:46:c9:c3:c4:42:7d:bc:fa:ab:59:
        6e:d5:b7:51:88:11:e3:a4:85:19:6b:82:4c:a4:0c:12:ad:e9:
        a4:ae:3f:f1:c3:49:65:9a:8c:c5:c8:3e:25:b7:94:99:bb:92:
        32:71:07:f0:86:5e:ed:50:27:a6:0d:a6:23:f9:bb:cb:a6:07:
        14:42
-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkEx
FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2Vy
dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29t
MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYTAlpB
MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsG
A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNl
cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkE
VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMR
uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JM
pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
-----END CERTIFICATE-----
[scheff@p512o downloads]$ openssl x509 -in tcclass2-2011.pem -inform PEM -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1002 (0x3ea)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 2 CA/emailAddress=certificate@trustcenter.de
        Validity
            Not Before: Mar 9 11:59:59 1998 GMT
            Not After : Jan 1 11:59:59 2011 GMT
        Subject: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 2 CA/emailAddress=certificate@trustcenter.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:da:38:e8:ed:32:00:29:71:83:01:0d:bf:8c:01:
                    dc:da:c6:ad:39:a4:a9:8a:2f:d5:8b:5c:68:5f:50:
                    c6:62:f5:66:bd:ca:91:22:ec:aa:1d:51:d7:3d:b3:
                    51:b2:83:4e:5d:cb:49:b0:f0:4c:55:e5:6b:2d:c7:
                    85:0b:30:1c:92:4e:82:d4:ca:02:ed:f7:6f:be:dc:
                    e0:e3:14:b8:05:53:f2:9a:f4:56:8b:5a:9e:85:93:
                    d1:b4:82:56:ae:4d:bb:a8:4b:57:16:bc:fe:f8:58:
                    9e:f8:29:8d:b0:7b:cd:78:c9:4f:ac:8b:67:0c:f1:
                    9c:fb:fc:57:9b:57:5c:4f:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            Netscape CA Policy Url:
                http://www.trustcenter.de/guidelines
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
    Signature Algorithm: md5WithRSAEncryption
        84:52:fb:28:df:ff:1f:75:01:bc:01:be:04:56:97:6a:74:42:
        24:31:83:f9:46:b1:06:8a:89:cf:96:2c:33:bf:8c:b5:5f:7a:
        72:a1:85:06:ce:86:f8:05:8e:e8:f9:25:ca:da:83:8c:06:ac:
        eb:36:6d:85:91:34:04:36:f4:42:f0:f8:79:2e:0a:48:5c:ab:
        cc:51:4f:78:76:a0:d9:ac:19:bd:2a:d1:69:04:28:91:ca:36:
        10:27:80:57:5b:d2:5c:f5:c2:5b:ab:64:81:63:74:51:f4:97:
        bf:cd:12:28:f7:4d:66:7f:a7:f0:1c:01:26:78:b2:66:47:70:
        51:64
-----BEGIN CERTIFICATE-----
MIIDXDCCAsWgAwIBAgICA+owDQYJKoZIhvcNAQEEBQAwgbwxCzAJBgNVBAYTAkRF
MRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFU
QyBUcnVzdENlbnRlciBmb3IgU2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJI
MSIwIAYDVQQLExlUQyBUcnVzdENlbnRlciBDbGFzcyAyIENBMSkwJwYJKoZIhvcN
AQkBFhpjZXJ0aWZpY2F0ZUB0cnVzdGNlbnRlci5kZTAeFw05ODAzMDkxMTU5NTla
Fw0xMTAxMDExMTU5NTlaMIG8MQswCQYDVQQGEwJERTEQMA4GA1UECBMHSGFtYnVy
ZzEQMA4GA1UEBxMHSGFtYnVyZzE6MDgGA1UEChMxVEMgVHJ1c3RDZW50ZXIgZm9y
IFNlY3VyaXR5IGluIERhdGEgTmV0d29ya3MgR21iSDEiMCAGA1UECxMZVEMgVHJ1
c3RDZW50ZXIgQ2xhc3MgMiBDQTEpMCcGCSqGSIb3DQEJARYaY2VydGlmaWNhdGVA
dHJ1c3RjZW50ZXIuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANo46O0y
AClxgwENv4wB3NrGrTmkqYov1YtcaF9QxmL1Zr3KkSLsqh1R1z2zUbKDTl3LSbDw
TFXlay3HhQswHJJOgtTKAu33b77c4OMUuAVT8pr0VotanoWT0bSCVq5Nu6hLVxa8
/vhYnvgpjbB7zXjJT6yLZwzxnPv8V5tXXE8NAgMBAAGjazBpMA8GA1UdEwEB/wQF
MAMBAf8wDgYDVR0PAQH/BAQDAgGGMDMGCWCGSAGG+EIBCAQmFiRodHRwOi8vd3d3
LnRydXN0Y2VudGVyLmRlL2d1aWRlbGluZXMwEQYJYIZIAYb4QgEBBAQDAgAHMA0G
CSqGSIb3DQEBBAUAA4GBAIRS+yjf/x91AbwBvgRWl2p0QiQxg/lGsQaKic+WLDO/
jLVfenKhhQbOhvgFjuj5Jcrag4wGrOs2bYWRNAQ29ELw+HkuCkhcq8xRT3h2oNms
Gb0q0WkEKJHKNhAngFdb0lz1wlurZIFjdFH0l7/NEij3TWZ/p/AcASZ4smZHcFFk
-----END CERTIFICATE-----
So I simply added the missing X509v3 extensions to the text file and converted it to DER like this:
$ openssl x509 -in ThawtePremiumServerCA_b64.txt -inform PEM -text > ThawtePremiumServerCA_text.txt
$ vi ThawtePremiumServerCA_text.txt
$ openssl x509 -in ThawtePremiumServerCA_b64.txt -inform PEM -text | diff - ThawtePremiumServerCA_text.txt
27a28,33
>             X509v3 Key Usage: critical
>                 Digital Signature, Certificate Sign, CRL Sign
>             Netscape CA Policy Url:
>                 http://www.thawte.com/en/ssl-digital-certificates/free-guides-whitepapers
>             Netscape Cert Type:
>                 SSL CA, S/MIME CA, Object Signing CA
$ openssl x509 -in ThawtePremiumServerCA_text.txt -inform PEM -outform DER -out ThawtePremiumServerCA_text.cer
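An added example, written for this page and not part of the original post, that does the PEM-to-DER conversion and the extension comparison above in plain Python without OpenSSL. It embeds the Thawte Premium Server CA block exactly as the openssl dump above prints it, decodes it with the standard library, walks the DER with a minimal tag-length-value parser (written for this example, not a general X.509 parser) to list the X509v3 extensions, and checks which of the extensions present in the TrustCenter certificate are missing. It also verifies a point worth knowing before repeating the text-edit step: a PEM reader only decodes the base64 block between the BEGIN and END lines, so lines added in front of it do not change the DER that comes out, which is why the converted file is byte-identical to the original. The function names and the hand-written DER walker are this example's own.

```python
"""Added example (not from the original post): PEM -> DER with the standard
library, a minimal DER walker listing the X.509v3 extensions, and a check
that text placed before the PEM block does not change the DER output."""
import hashlib
import ssl

# Thawte Premium Server CA exactly as the openssl -text dump in the post prints it.
THAWTE_PEM = """-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkEx
FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2Vy
dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29t
MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYTAlpB
MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsG
A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNl
cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkE
VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMR
uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JM
pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
-----END CERTIFICATE-----
"""

# Extension OIDs that appear in the two dumps in the post.
EXT_NAMES = {
    "2.5.29.19": "X509v3 Basic Constraints",
    "2.5.29.15": "X509v3 Key Usage",
    "2.16.840.1.113730.1.1": "Netscape Cert Type",
    "2.16.840.1.113730.1.8": "Netscape CA Policy Url",
}
RSA_OID = "1.2.840.113549.1.1.1"


def pem_to_der(text):
    """Locate the PEM block (skipping any 'openssl -text' preamble) and decode it."""
    start = text.index("-----BEGIN CERTIFICATE-----")
    end = text.index("-----END CERTIFICATE-----", start) + len("-----END CERTIFICATE-----")
    return ssl.PEM_cert_to_DER_cert(text[start:end])


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value (SEQUENCE, SET, [n]) into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse_certificate(der):
    """Return serial, signature OID, RSA key size and extensions of a DER certificate."""
    tbs, sig_alg, _sig = _children(_tlv(der, 0)[1])      # Certificate ::= SEQUENCE {tbs, alg, sig}
    fields = _children(tbs[1])
    i = 1 if fields[0][0] == 0xA0 else 0                 # skip the [0] version field if present
    spki = _children(fields[i + 5][1])                   # subjectPublicKeyInfo
    key_bits = None
    if _oid(_children(spki[0][1])[0][1]) == RSA_OID:
        # BIT STRING (drop unused-bits byte) -> RSAPublicKey SEQUENCE -> modulus INTEGER
        modulus = _children(_children(spki[1][1][1:])[0][1])[0][1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    extensions = []
    for tag, val in fields:
        if tag == 0xA3:                                  # [3] EXPLICIT Extensions
            for _, ext in _children(_children(val)[0][1]):
                parts = _children(ext)                   # OID, optional BOOLEAN, OCTET STRING
                oid = _oid(parts[0][1])
                critical = len(parts) == 3 and parts[1][1] == b"\xff"
                extensions.append((EXT_NAMES.get(oid, oid), critical))
    return {
        "serial": int.from_bytes(fields[i][1], "big"),
        "signature_algorithm": _oid(_children(sig_alg[1])[0][1]),
        "key_bits": key_bits,
        "extensions": extensions,
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def missing_extensions(der, wanted=("X509v3 Key Usage", "Netscape CA Policy Url", "Netscape Cert Type")):
    """Which of the extensions the post added by hand are absent from this certificate."""
    present = {name for name, _ in parse_certificate(der)["extensions"]}
    return [name for name in wanted if name not in present]


def preamble_is_ignored(pem_text):
    """Mimic the post's edit: put extension lines in front of the PEM block and
    confirm the decoded DER is byte-for-byte the same as without them."""
    edited = ("            X509v3 Key Usage: critical\n"
              "                Digital Signature, Certificate Sign, CRL Sign\n" + pem_text)
    return pem_to_der(edited) == pem_to_der(pem_text)


if __name__ == "__main__":
    der = pem_to_der(THAWTE_PEM)
    info = parse_certificate(der)
    print(f"{len(der)} bytes DER, sha256 {info['sha256']}")
    print("signature algorithm OID:", info["signature_algorithm"], "(1.2.840.113549.1.1.4 = md5WithRSAEncryption)")
    print("RSA key size:", info["key_bits"], "bits;", "extensions:", info["extensions"])
    print("missing compared with the TrustCenter cert:", missing_extensions(der))
    print("does a text preamble change the DER?", not preamble_is_ignored(THAWTE_PEM))
```

Running it reports an 811-byte DER, the md5WithRSAEncryption signature OID and the 1024-bit RSA key shown in the dump above, a single critical Basic Constraints extension, the three extensions that only the TrustCenter certificate carries, and that the preamble edit leaves the DER unchanged. The same functions work on the TrustCenter PEM block above as well.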
You can download the edited certificate in text and DER format here.
ChangeLog
[070429 Further attempts with Thawte Premium Server CA certs. Add photo.]
[2009-04-26: Fix box.net links.]