Certificate Manager

p2501's picture
Submitted by p2501 on Mon, 2015/04/06 - 17:19
Rating: 
4.833335
Your rating: None Average: 4.8 (6 votes)

DON'T USE THIS WITH CURRENT SAILFISH VERSIONS

Certificate storage has changed in Sailfish, and this app is not compatible with it anymore. The "multi_c_rehash" tool mentioned in the comments is now gone, too.

Instead of this app, you can now use the "update-ca-trust" command line tool. See the following link (in spite of what the titlte says, it's not just for email):
https://jolla.zendesk.com/hc/en-us/articles/115004110933-Adding-a-new-email-certificate

If you already used this app and certificates are not working any more at all, try to delete the certificates in this app. If that doesn't work, remove the symlinks pointing to files in /home/nemo/.local/share/openrepos-certificatemanager/openrepos-certificatemanager in the directories /etc/pki/tls/certs and /data/misc/keychain/cacerts-added (leave any other symlinks and files be or be prepared for a device reset).

 

Former Description:

This app allows to add user certificates to the Jolla system, browser and Android compatibility storage, as well as to view and remove certificates, that have been installed through this app.

NOTICE: This app uses a helper with root rights. This is necessary to unlock the system and Android compatibility certificate storages. The helper will be installed automatically thanks to the dependency system, but it won't uninstall automatically. To uninstall it manually, log in as root and execute:
rpm -e openrepos-certificatemanager-helper

LICENSE: MIT

SOURCE:
https://bitbucket.org/christof_buergi/openrepos-certificatemanager
https://bitbucket.org/christof_buergi/openrepos-certificatemanager-helper

Screenshots: 

Category:

Application versions: 
AttachmentSizeDate
File openrepos-certificatemanager-0.1-1.armv7hl.rpm32.2 KB06/04/2015 - 17:19
Changelog: 

(none)

Comments

UiPo1goo's picture

UiPo1goo

Sat, 2018/07/21 - 05:16

Thank you for these warning. I wonder me that some apps on my phone won't work correctly any more, like storeman (update did but details not), official update (never told me again an new update is available) and so on.

I used this app in the past to add an self created root cert for my different servers. Now I found this addition has completly prevent many apps to use secure internet connections.

After removing the links as described now e.g. storeman is working again.

talisker's picture

talisker

Sun, 2018/02/25 - 22:27

Hi EveryBody,

Warning by using this apps with the latest version of Sailfish OS.

The Apps create symbolic link in /etc/pki/tls/certs, and lock the other entries :

lrwxrwxrwx 1 root nemo   92 Feb 24 09:22 590d426f.0 -> /home/nemo/.local/share/openrepos-certificatemanager/openrepos-certificatemanager/590d426f.0
lrwxrwxrwx 1 root nemo   92 Feb 24 09:22 99d0fa06.0 -> /home/nemo/.local/share/openrepos-certificatemanager/openrepos-certificatemanager/99d0fa06.0

For adding root certificate, I think use this way http://manpages.ubuntu.com/manpages/precise/man8/update-ca-certificates....

To restore your config, delete the synbolic link wtih unlink.

Regards

p2501's picture

p2501

Mon, 2018/02/26 - 10:44

Well, putting a symbolic link to the certificate into /etc/pki/tls/certs is how one usually installs a certificate in Linux (though the browser uses a seperate store), and so far it has worked for me. It has not worked for others though, for reasons I never understood, and I now suspect subtle differences between phones.

I did notice the new tools (update-ca-certificates, etc.) being installed from SailfishOS 2.0 on, but at first, they didn't work for me. I'll look into those again.

accumulator's picture

accumulator

Mon, 2016/10/03 - 17:05

When I install my custom CA, all SSL handshakes fail (e.g. to Jolla store).

Removing all certificates makes things work again

p2501's picture

p2501

Wed, 2016/10/05 - 19:44

Sorry, can't reproduce. The only thing I can think of is that something in your cert throws off OpenSSL. If you send me the certificate, I'll try and look into it.

juhaj's picture

juhaj

Mon, 2017/02/20 - 23:36

Hi, I think I've ran into the same issue except removing the loaded certificates does not solve the issue for me: I am unable to connect to any "accounts", email, Store etc. Basically anything that uses ssl except – for some reason – the regular web browser can still do https:// and openvpn still works, too. Any help reverting would be much appreciated.

p2501's picture

p2501

Tue, 2017/02/21 - 15:16

I suspect something else went wrong here. However, you can rebuild the system certificate store in the terminal by becoming root (through devel_su), starting multi_c_rehash, and reboot to clear all caches. The default browser, as well as AlienDalvik, the Jabber client and OpenVPN, all have seperate stores, and are thus unaffected.

Please note that the current Prerelease of Sailfish may have switched things around. I don't know yet.

coderus's picture

coderus

Tue, 2015/04/07 - 15:32

Will be nice to have it opensourced

p2501's picture

p2501

Wed, 2015/04/08 - 13:32

It is Open Source. I just included the links to the source code in the description.

Oh, if anyone finds a critical problem in the helper, PLEASE TELL ME IMMEDIATELY. Thanks.

Manankanchu's picture

Manankanchu

Mon, 2015/04/06 - 19:06

I hoped to install self-signed certificates like with "CAdroid" but was unsuccessful ...

p2501's picture

p2501

Tue, 2015/04/07 - 13:22

Judging from the description, CADroid opens an encrypted connection to a webserver and uses the certificate presented by the server. This app doesn't do this at the moment: Certificates need to be present as files (PEM or DER format). I might integrate this in the next version, though.

Bobsikus's picture

Bobsikus

Mon, 2015/04/06 - 18:21

does it mean I can open encrypted emails through native Sailfish Email app ?

p2501's picture

p2501

Tue, 2015/04/07 - 13:45

This app allows you to install certificates, which, in theory, allow you to encrypt mails. To decrypt them, you'd need the matching private key, which this app doesn't handle. Anyway, as it is, the native mail client supports neither en- nor decryption of mails, so no, sorry.

What the native mail client does support is encrypted communication with the mail server. However, home brew mail servers usually have certificates which are self-signed, or signed by an "unofficial" CA, and can't be automatically verified. This app allows you to install said certificates, thus making them verifiable.

heubergen's picture

heubergen

Mon, 2015/04/06 - 23:21

With this app you can install and mange certificates, not more and not less.

PGP (I think you want this) but work completely different. So it could be that this app will let you mange php keys in the future but not now. Theres also need a support in the Mail App that are not exist yet.