Many mobile devices (including Nokia and Sony Ericsson phones) require the certificate to be installed in DER format. The Comodo AddTrust External CA Root certificate, currently needed for eduroam and likely needed for other services (e.g. Hermes, Raven) in the future, does not currently exist in this format; it needs to be downloaded from the Comodo website, converted and sent to the mobile device.
IMPORTANT! Before you start this process, please note that you are importing a new trusted root certification authority (CA) - these are people your device will trust to identify secure websites and other services (e.g. secure IMAP to mailservers, etc.). You should only go through this process for a CA you trust. In this situation, you only have our word for this and you must trust the person or group issuing these instructions. If in doubt, you may wish to contact the UCS separately to confirm the instructions.
This page provides instructions for downloading and converting the certificate using
- Windows XP
- Unix (including Linux and Mac OS X using the Terminal)
- Mac OS X (using the Keychain Utility)
Note that the converted certificate could be stored and sent to multiple devices. However, because of the importance of this (it controls all the trust for security on any device which it is installed on), it should only be served to clients in a secure manner. We don't have a mechanism to do this. If you wish to give this to other people, please do so, but please don't disseminate it widely as it may present a security problem (to all websites and secure services - including banking, university services like Hermes, etc.), if it gets compromised.
Windows XP
- Using a web browser from your Windows XP PC go to
https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=11&nav=0,1 - Click the Download button and download the file somewhere on your PC. You should end up with a file called AddTrustExternalCARoot.crt.
- Right-click on that file in Explorer, go to the submenu under Open With... and pick Crypto Shell Extensions. Agree to Open the file.
- You should get a dialog box appear with information about the Certificate. Select the Details tab.
- Press the Copy to File... button to open the Certificate Export Wizard. Press Next > to skip the first page.
- The default option should be DER encoded binary X.509 (.CER) - if not, select it. Press Next > to go to the next page.
- Type in a filename to save the converted certificate under - something like AddTrust is fine. The extension .cer will be added to the name you type. Press Next >.
- A summary of the options selected will appear - choose Finish to complete the export. You should now have a file called AddTrust.cer in the same folder as the downloaded .crt file.
- You need to get this file onto your mobile device. You cannot email it through hermes as .cer extensions are blocked for the security reasons outlined above. Bluetoothing it (just send the file to the device; don't specifically drop it into a folder), putting it on a webpage or such like is fine.
- Once the file arrives on your mobile device, opening it should offer to add it to the list of trusted root certification authorities (CA).
- This should give you the option of that certificate in the eduroam wireless configuration.
Unix (including Linux and Mac OS X using the Terminal)
- Go to the following page in your web browser:
https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=11&nav=0,1 - Click the Download button and download the file somewhere on your computer - you should end up with a file called AddTrustExternalCARoot.crt.
- Open a Terminal / Shell window, change to the directory where you downloaded the above file and type in:
openssl x509 -in AddTrustExternalCARoot.crt -out AddTrust.cer -outform der - You should now have a file called AddTrust.cer in the same folder as the downloaded .crt file.
- You need to get this file onto your mobile device - you cannot email it through hermes as .cer extensions are blocked for the security reasons outlined above. Bluetoothing it (just send the file to the device; don't specifically drop it into a folder), putting it on a webpage or such like is fine.
- Once the file arrives on your mobile device, opening it should offer to add it to the list of trusted root certification authorities (CA).
Mac OS X (using the Keychain Utility)
- Go to the following page in your web browser:
https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=11&nav=0,1 - Click the Download button and download the file somewhere on your computer - you should end up with a file called AddTrustExternalCARoot.crt.
- Open Applications -> Utilities -> Keychain Utility. The Keychain Access window should appear, showing a list of certificates and saved passwords.
- In the Keychains box in the top left, select System Roots. In the Category box in the bottom right, select Certificates.
- From the main list on the right side, find AddTrust External CA Root and right-click (or hold down Control/Ctrl and click) then select Export "AddTrust External CA Root"... from the pop-up menu.
- In the dialog which appears, choose a location (probably the default in Documents is fine) and confirm the File Format is Certificate (.cer). Press Save to export the certificate.
- You need to get this file onto your mobile device - you cannot email it through hermes as .cer extensions are blocked for the security reasons outlined above. If you have Bluetooth configured between your phone and Mac, choose Send File... from the Bluetooth menu, select your phone and the certificate file just saved and accept the file on the phone.
- Once the file arrives on your mobile device, opening it should offer to add it to the list of trusted root certification authorities (CA).