Generating a developer certificate request using OpenSSL

Using tools described here, one can do most parts of Symbian development in a Linux environment. One of the parts one can't do is generate a developer certificate. (The certificate request tool might work in Wine, but I haven't tried.) However, a developer certificate request can easily be generated using OpenSSL.

Most parts of the certificate request can be specified in a configuration file. Copy this content into a file, and name it request.cnf.

[req]
default_bits=1024
distinguished_name=req_distinguished_name
prompt=no
req_extensions=extend
[req_distinguished_name]
C=GB
ST=State
O=Acme
CN=Joe Bloggs
[extend]
1.2.826.0.1.1796587.1.1.1.1=critical,DER::30110c0f<IMEI>
1.2.826.0.1.1796587.1.1.1.6=critical,DER::0309002d8ff00000000000

The distinguished name of the certificate can easily be modified directly in the section below [req_distinguished_name]. The parts which configure the function of the certificate are in the extension section, below [extend].

The IMEI code the certificate is for should be entered as its ASCII string, expressed in hex. This can be generated e.g. like this:

$ echo -n 123456789012345 | od -t x1 | sed s/^.......// | sed 's/ //g'
313233343536373839303132333435

This is actually the same as the IMEI code string, with each digit prefixed by a 3. Replace <IMEI> with this. The four bytes before the IMEI code (30110c0f) are probably some kind of header.

The second line below [extend] specifies the requested capabilities. The rest of the data (2d8ff00000000000) after the three-byte header is a bit field specifying which capabilities the certificate should request. This default value includes all capabilities that were earlier grantable without a TC TrustCenter Publisher ID. (For a quick reference on which bit equals which capability, check e.g. symbianutil.py in the Ensymble source.) Note that requesting a developer certificate without a TC TrustCenter Publisher ID is no longer possible.
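The two [extend] values can be derived and checked instead of typed by hand. The following is an added example, not part of the original page or the author's script: it shows that 30110c0f is the DER header of a SEQUENCE holding one 15-byte UTF8String, and lists which bits are set in the capability BIT STRING. The function names are made up for this example, and bit positions use DER numbering (bit 0 is the most significant bit of the first byte); the page does not state how those positions map to capability names.

```python
# Values copied from the page's request.cnf.
IMEI_LINE = "1.2.826.0.1.1796587.1.1.1.1=critical,DER::30110c0f<IMEI>"
DEFAULT_CAPS = "0309002d8ff00000000000"


def der_tlv(tag, body):
    """Encode one DER element (short-form length, body under 128 bytes)."""
    if len(body) > 0x7F:
        raise ValueError("body too long for a short-form DER length")
    return bytes([tag, len(body)]) + body


def imei_extension(imei):
    """Hex of SEQUENCE (0x30) { UTF8String (0x0c) imei } for one IMEI."""
    if len(imei) != 15 or not (imei.isascii() and imei.isdigit()):
        raise ValueError("IMEI must be exactly 15 ASCII digits: %r" % imei)
    return der_tlv(0x30, der_tlv(0x0C, imei.encode("ascii"))).hex()


def fill_imei_line(imei, template=IMEI_LINE):
    """Replace the header and <IMEI> placeholder with the computed encoding."""
    return template.replace("30110c0f<IMEI>", imei_extension(imei))


def capability_bits(ext_hex):
    """Set bit positions of a DER BIT STRING (bit 0 = MSB of first byte)."""
    raw = bytes.fromhex(ext_hex)
    if len(raw) < 3 or raw[0] != 0x03 or raw[1] != len(raw) - 2:
        raise ValueError("not a DER BIT STRING with a matching length byte")
    if raw[2] != 0:
        raise ValueError("expected zero unused bits, as in the page's value")
    field = raw[3:]
    return [i for i in range(len(field) * 8) if field[i // 8] & (0x80 >> (i % 8))]


if __name__ == "__main__":
    print(fill_imei_line("123456789012345"))  # sample IMEI used on the page
    print(capability_bits(DEFAULT_CAPS))
```

A malformed IMEI (wrong length, stray whitespace, non-digit characters) raises an error here rather than producing an extension whose length bytes no longer match its content.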

When the request configuration file is ready, generate the csr file like this:

$ openssl req -new -key mykey.key -config request.cnf > request.csr

If you haven't got a private key (mykey.key in this case), generate it before generating the csr file:

$ openssl dsaparam -genkey 1024 > dsaparam
$ openssl gendsa -des3 dsaparam > mykey.key

Leave out -des3 if you don't want the key to be password-protected.

Publisher ID

Please note that nowadays, requesting a developer certificate requires a TC TrustCenter Publisher ID. Using the process outlined above makes no difference compared to the official tools; a Publisher ID is still required.

Script

Later, I made a script to automate the generation of developer certificate requests. I've also made this script support adding more than one IMEI number to the certificate requests, and generating certificate requests with a Publisher ID. Run ./generate.py --help to see the available options.

The script reads IMEI numbers from a file, one number per line. Only the first word of each line is used (the rest can be used as a comment), and empty lines and lines beginning with a # are ignored.

The script requires that you've already got a certificate, to be used as a template for the certificate request, and that you've got the corresponding key file. The script can equally well use a self-signed certificate instead of a TC TrustCenter Publisher ID, but a Publisher ID still currently is required for symbiansigned.com to issue the developer certificate.

Contact

// Martin Storsjö