Certification Generator syntax: makekeys.exe

The Certification Generator is a PC based command line tool which creates a private/public key pair and issues certificate requests. The resultant private key is used to digitally sign installation files, enabling the install system to authenticate them. It carries out the following tasks:

• Creation of a private/public key pair, where the public key is in the form of a self signed certificate.

• Construction of a certificate request.

• Optional viewing of certificate details.

Package file format .pkg

makekeys -cert [-v] [-len key-length ] [-password password ] -dname distinguished-name-string private-key-file public-key-cert

For example:

makekeys -cert -dname "CN=Symbian OU=Development OR=Symbian Ltd CO=GB" mykey.key mycert.cer

Note:

• The Certification Generator uses a mouse input mechanism to generate the private key. The MSDOS property QuickEdit must be turned off in order for sampling of random data from the mouse to work.

makekeys – req [-v][-password password] -dname distinguished-name-string private-key-file public-key-cert cert-request-file

For example:

–makekeys req -dname "CN=Symbian OU=Development OR=Symbian Ltd CO=GB" mykey.key mycert.cer myreq.p10

It is then up to the developer to send the certificate request to be signed by a trusted third party, i.e. a Certificate Authority. The CA uses various means to establish that the originator of the certificate request is who they claim to be. The developer’s public key is signed by the CA, using the CA’s private key, creating a certificate, which is then sent back to the applicant. The CA may return a single certificate, or a file containing a chain of certificates.

It is important that certificates returned by CA's are in the base64 encoded ASCII format. The Certification Generator generates base 64 encoded certificate files and expects certificates which come back from a CA to be in the same format.

The CA may return a file containing a certificate chain. These are supported, and are needed if intermediate certificates are required between the CA’s root certificate on the EPOC device and the developer certificate.

makekeys – view public-key-cert

Displays details of a certificate or certificate chain file. The -view command should be used with an existing certificate file (which should be in base 64 encoded format).

For example:

makekeys – view mycert.cer

-cert Create the private key (private-key-file) and self signed certificate (public-key-cert). If the private key file already exists it will be used to create the self signed certificate. -req Create a certificate request. -view View certificate details. -v Verbose mode — displays additional diagnostic information. -dname distinguished-name-string The distinguished-name-string specifies the distinguished name parameters required for the self-signed public key certificate file. This command line option should be constructed of a string of white space separated key/value pairs as follows: CN=common name OU=organisational unit OR=organisation LO=locality ST=state CO=country EM=e-mail address -password password Password (optional). After creation, the password must be supplied to subsequently use the private key. -len key-length The key-length. The minimum is 512, maximum is 4096. The key length defaults to 1024. private-key-file The file containing the private key. The private key should kept secret by the developer, whereas the public key is usually made generally available. Has a .key extension public-key-cert A self-signed certificate containing the public key. Has a .cer extension cert-request-file A self-contained file which is sent to the CA. The Certification Generator will create this file given a private and public key. It is then up to the developer to send the file to the CA and arrange for the application for the certificate. Has a .p10 extension.