Branimir's Blog Archive

branimir.com : Branimir's Blog

Thursday, May 5, 2005

Getting your Sony Ericsson K700i to use your IMAP4 server with self-signed SSL certificate

A nice feature of the Sony Ericsson K700i is its built-in IMAP4 support with encryption. So, today I decided to get it to work with my IMAP server (dovecot). I'd better write down all the steps before I forget. Thanks, Carsten, for the help with the CA stuff!

I did this on Red Hat Enterprise Linux AS release 4 with dovecot-0.99.11-2.EL4.1 and openssl-0.9.7a-43.1.

  1. Become a Certification Authority by following the steps in http://mia.ece.uic.edu/~papers/volans/settingupCA.html. The key step is generating a root certificate:
    openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 10000
    It will generate a public/private key pair. The private key will stay on your server and will be used only for signing certificates. The CA certificate, which carries the public key, is what you'll need to put on your phone so that it trusts certificates signed by you. Unlike most desktop mail clients, the K700i won't just warn you; it will refuse to work unless you do this.
  2. Install the CA certificate on your phone. The SE K700i seems to require the certificate in DER format as well as a .cer extension. If you use a different filename or format it will simply say "invalid certificate" or "ungültiges zertifikat" and refuse to proceed. Here's how you can convert the certificate to DER format:
    openssl x509 -in cacert.pem -inform PEM -out cacert.cer -outform DER

    The next step is to upload the certificate to your phone via Bluetooth (Connectivity -> Bluetooth -> My devices -> your-computer-name -> navigate to cacert.cer). The phone will give you a happy message that it accepted the certificate. If you go to Connectivity -> Internet settings -> Security -> Trusted cert., your certificate should be there among others. From now on your phone should accept certificates signed by you.

  3. Generate a certificate request as described in http://mia.ece.uic.edu/~papers/volans/settingupCA.html and issue the certificate as described on the same page. Suppose you call your certificate and private key wfcert.pem and wfkey.pem respectively.
  4. Edit /etc/dovecot.conf and put something like this in it:
    ssl_cert_file = /etc/ssl/certs/wfcert.pem
    ssl_key_file = /etc/ssl/private/wfkey.pem
    
    ... and restart your dovecot IMAP4 server.
  5. Configure the email account on your phone. Here are some important things that can go wrong:
    • When setting Encryption to TLS/SSL be sure to also set the Domain to whatever domain your certificate is issued for. If there is a mismatch here, the phone will give you a helpful message "TLS/SSL handshake failure".
    • Mailbox should be set, believe it or not, to your login name.
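
As an added example (not part of the original post), these shell functions check the three conditions the steps above depend on before you touch the phone: the uploaded file is DER data in a .cer file, the server certificate is signed by your CA, and its commonName equals the Domain you will enter. The function names are hypothetical, the file names follow the post, and it assumes the domain is carried in the certificate's commonName.

```sh
#!/bin/sh
# Added example: pre-flight checks for the files from steps 1-4.
# Function names are hypothetical; file names follow the post.

# phone_cert_ok FILE: true if FILE has a .cer extension and is a
# DER-encoded X.509 certificate (first byte 0x30, and openssl parses it).
phone_cert_ok() {
    case "$1" in *.cer) ;; *) return 1 ;; esac
    [ "$(od -An -tx1 -N1 "$1" | tr -d '[:space:]')" = "30" ] &&
        openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1
}

# signed_by CA_PEM CERT_PEM: true if CERT_PEM verifies against CA_PEM.
# The output is matched rather than the exit status, because older
# openssl releases could exit 0 on a failed verification.
signed_by() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# cert_cn CERT_PEM: print the subject commonName.
# Assumption: the domain is in the commonName, as in the post's setup.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# preflight CA_PEM PHONE_CER SERVER_PEM DOMAIN: run all checks and
# report every failure; returns non-zero if any check failed.
preflight() {
    rc=0
    phone_cert_ok "$2" || { echo "$2: phone needs DER data in a .cer file"; rc=1; }
    signed_by "$1" "$3" || { echo "$3: not signed by $1"; rc=1; }
    cn=$(cert_cn "$3")
    [ "$cn" = "$4" ] || { echo "$3: commonName '$cn' != Domain '$4'"; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh cacert.pem cacert.cer wfcert.pem mail.example.test
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```
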
That's it. Now you should be able to access your mailbox with IMAP4 from your phone.

Posted by Branimir Dolicki at 16:50
