With the introduction of WAP, mobile phones (and other mobile devices) have needed to know about certificates, CAs etc. As the devices become smarter, their needs are changing, and their capabilities increasing.
This page will hopefully become (in time) a guide to supporting the certificate needs of mobile devices with OpenSSL and other open source tools. At the moment, it's a mixture of the foundation information, and a collection of un-answered questions along the road to the goal.
Depending on the phone's age and software, the certificates need to be in one of a few file formats, served with one of a number of MIME types.
application/vnd.wap.wtls-ca-certificate - Binary WTLS certificate format. Should work with most phones; unsure of what it looks like.
application/vnd.wap.hashed-certificate - WPKI certificate, where you'll need to enter the SHA-1 hash. Unsure of what one looks like.
application/vnd.wap.signed-certificate - WPKI certificate, signed by another CA. Looks much like the one above.
application/vnd.wap.cert-response - Still working on this one.
WTLS Certificates - a binary encoding of an x509-like certificate. x509-like because the spec ties down what you're allowed to put in and how often, unlike x509 which is (excessively) flexible. So, to make one of these, you need to ensure you only have the allowed tags in the right numbers (normally not a big problem), then binary encode it. Oh, but the internal encoding format isn't ASN.1 like x509; it's slightly different, and the encapsulation isn't DER. As far as I know (please tell me if you know differently!), there aren't any open source tools to convert between x509 and WTLS.
This is the most commonly used type of certificate on mobile devices.
x509 Certificates - normal, unchanged x509 certificates, typically in their binary encoded (DER) form for space reasons. The standards docs keep talking about using these for more things (since everything supports them), but very few mobile devices do.
Newer Symbian Series 60 devices will accept these. You need to go to a website hosting the certificate in DER format, served with a MIME type of application/x-x509-ca-cert, and the phone will launch the import wizard. Not all browsers on the phone will do this, but the "Services" browser (WAP and XHTML-MP) does.
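As an added example (my own code, not from this page or from any vendor), here is a small stdlib-only Python script that prepares and serves a CA certificate the way the Series 60 import described above expects: it strips the PEM armour that openssl emits by default, sanity-checks that the result really is DER (the common mistake is serving PEM text under the DER MIME type, which the phone will not import), and serves files from the current directory with the MIME types listed on this page. The suffix-to-type mapping, port and function names are my assumptions.

```python
import base64
import http.server
import re

# MIME types from this page; the phone picks its import wizard from this header.
# The file suffixes are an assumption, not anything the page specifies.
MIME_BY_SUFFIX = {
    ".cer": "application/x-x509-ca-cert",               # DER X.509 (Series 60 import)
    ".der": "application/x-x509-ca-cert",
    ".wtls": "application/vnd.wap.wtls-ca-certificate",  # binary WTLS CA certificate
}

def der_from_pem(pem_text: str) -> bytes:
    """Strip the PEM armour (what `openssl x509` emits by default) and return DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def _tlv_header(data: bytes, pos: int):
    """Decode the tag and DER length at data[pos]; return (tag, length, content_start)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                       # short form: one length byte
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(data):
        raise ValueError("bad DER length")
    return tag, int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def is_der_certificate(data: bytes) -> bool:
    """Cheap check before serving: outer SEQUENCE whose length matches the file
    exactly, and whose first element is itself a SEQUENCE (the tbsCertificate).
    It does not validate the certificate, only that the bytes are DER-shaped."""
    try:
        tag, length, body = _tlv_header(data, 0)
        if tag != 0x30 or body + length != len(data):
            return False
        inner_tag, inner_len, inner_body = _tlv_header(data, body)
        return inner_tag == 0x30 and inner_body + inner_len <= len(data)
    except (IndexError, ValueError):
        return False

class CertHandler(http.server.SimpleHTTPRequestHandler):
    """Serves certificate files from the current directory with the MIME types above."""
    extensions_map = {**http.server.SimpleHTTPRequestHandler.extensions_map, **MIME_BY_SUFFIX}

if __name__ == "__main__":
    http.server.HTTPServer(("", 8080), CertHandler).serve_forever()
```

Run `is_der_certificate` over the file you are about to publish before pointing the phone at it; a `False` on a `.cer` almost always means the file is still PEM.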
x9.68 Certificates - another x509-like certificate, designed for resource-constrained devices and high transaction volume settings. More compact than x509, but more flexible than WTLS certificates, and also better specified (e.g. here). However, it's yet to make it through all the standards body hoops. Oh, and it can be XML encapsulated if you really want it to be.
Expect to see this used more and more frequently in future, but not very much yet.
Commercial - most of the commercial CAs support WTLS certificates, and are happy to spit them out. A few are starting to do x9.68 also.
OpenSSL - doesn't yet support x9.68 or WTLS certificates, either to read them in, spit them out, or convert them. Hopefully it will soon.
Other Open Source - really quite limited. Often associated with the few WAP and other mobile gateway products. Kannel has a few WTLS add-ons, which support WTLS connections, but only have limited certificate generation or conversion tools in them.
Open Documents - there are a few research papers and talks floating about on the web. Enough to give you a taste, not enough for writing your own stuff.
Roll Your Own - While there are a fair number of documents out there that ought to tell you about the WTLS formatting, none of them seem to do so in a way where I can understand them, or in a way where I actually notice the specs being defined. As such, I'm still searching for the formatting guides. If I ever find out how it all works, I'll write some tools and post them here.
Symbian's overview of WTLS and its certificates
WTLS add-ons to the Kannel Wap Gateway