Skip to main content

https certficates

1 reply [Last post]
Anonymous

Hi,

I am working on a project that requires https and am running into
problems with getting the 'server not certified' dialog on handsets.

Can anyone help me resolve this? I have found and read this article...

http://developers.sun.com/mobility/midp/articles/https/

...which unfortunately assumes I am building MIDlets using the WTK
which is not the case. I presume if I am using a certificate issued by
an authority other than the ones the phone accepts by default then
there must be some way of packaging it into the jar file?

Alternatively, and probably easier, could someone let me know which
certification authorities are accepted on most phones by default so I
don't need to mess around including certificates in the jar at all?

best regards

====

James Closs, Director, bitBull Ltd

http://www.bitbull.com

07771 991171

====

===========================================================================
To unsubscribe, send email to listserv@java.sun.com and include in the body
of the message "signoff KVM-INTEREST". For general help, send email to
listserv@java.sun.com and include in the body of the message "help".
[att1.html]

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
sfitzjava
Offline
Joined: 2003-06-15
Points: 0

Sadly for security reasons most phones do not allow for the CA roots to be augmented by the contents of the Jar, and only a couple that I've seen (usually unlocked) have the ability to upload new CA certs.

Verisign is the most widely used CA that I've seen, and of course the most expensive.

Without the cert on the phone the standard HTTPS GCF logic will not work (at least on the phones that I've used). Setting up an SSL over HTTP can be done with 3rd party libraries like Bouncy Castle, and I saw a while back a really good library (good marketing material anyway) called EncryptME which is supposed to be small and fast with 3rd party cert supports.
http://www.masabi.com/tech_encryptME.html

Good luck, HTTPS is one of those painful roads to have to go down. None of the phone makers really got the spec 100%, I found several issues with IBM's old J9 VM in this area, and finally just had to drop it. That was 4 or 5 years ago so hopefully things have moved forward.

-Shawn