Wednesday, May 27, 2009

Importing mail ssl cert into iPhone

Here is how I got a certificate from our Courier IMAP mail server onto a new 3G iPhone.

If your mail server is using imap and has a self-signed certificate, then you'll need to do something like this, because the iPhone will not trust it otherwise.

This trick was done on a Linux PC, but it should work on Windows or Mac if you know where to find your Thunderbird and Firefox settings directories. You don't need to have the PC plugged into the iPhone for this to work.

1) Download and install Thunderbird. Set it up to point at the imap mail server.

2) The connection failed in our case since our imap server only accepts SSL. Now click settings for the connection and change it to use SSL. The port number will change to 993.

3) Connect to imap from Thunderbird. It shows a dialog about a certificate - accept a permanent exception.

4) Fire up Thunderbird's certificate manager by clicking on preferences, and advanced, and certificates.

5) Confirm that you have the certificate stored by Thunderbird. Note that Thunderbird has no export facility, but Firefox does. For iPhone we want the certificate in .der format.

6) Close Thunderbird. Close any running instance of Firefox.

7) Save your current Firefox settings directory - on Linux this is the directory .mozilla - do this in a command prompt, in your home/settings directory:
mv .mozilla save-mozilla

8) Run firefox. It will start up in a freshly initialized state because you have moved your settings out of the way. This will cause it to create a fresh, disposable .mozilla data directory that you can do what you like with.

9) Close firefox.

10) Look under your .thunderbird and .mozilla directory for the certificate databases: in my case the files were in a directory .mozilla/xevjor02.default. Thunderbird had a similarly named directory.

11) Copy them from .thunderbird over the top of the ones in your fresh, disposable .mozilla directory (don't use your real one, now saved in save-mozilla) by typing this in a command prompt:
cp ~/.thunderbird/xevjor02.default/*.db .mozilla/firefox/qo6x6lxa.default/.

12) Launch firefox. Run the certificate manager by preferences -> advanced -> certificates.

13) Confirm that the certificate you accepted in Thunderbird is now visible in Firefox's more full-featured certificate manager.

14) Use the Firefox cert manager's export feature to save the imap ssl cert as a file "my-server.der" on your desktop. Close Firefox. Restore your profile directory, by doing this in a command prompt:
mv save-mozilla .mozilla

15) Create an email to an account that you can already read on the iPhone, such as your gmail account. Attach the cert to the email and send it.

16) On the iPhone, read the email and tap the certificate attached.

17) Accept the install certificate prompts.

18) Reboot the iPhone.

19) The iPhone mail program should now connect to the imap ssl server using that certificate.



  1. You can also:
    * Take your CA cert (you are running your own CA right?)
    * email it to a webmail provider
    * open email and accept cert

    I'm pretty sure I just mailed myself a PEM of my CA public cert and it worked.

    If you really need DER, you can also use:
    openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER


  2. Yes - the openssl command line tool is very nice for this. I was helping someone on-line when this problem came up and didn't have openssl installed.

    Also there is the problem of actually getting the cert from the mail server - and it was one that I did not have root on, only an unprivileged account, that I ssh'ed into and used mutt.

    But seeing openssl can actually fetch certs as well, this would have done everything:

    openssl s_client -connect 2>&1 |\
    openssl x509 -out cert.der -outform DER

    For complete one liner glory, add a pipe to the mail command and you're done. :-)
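
Both the Thunderbird/Firefox procedure in the post and the openssl one-liner in the comments end with a certificate that is accepted on sight, so whatever was served at that moment is what the phone will trust. The following is an added example, not code from the original post or its comments: it fetches the IMAP server's certificate with openssl, saves it as DER for the iPhone, and compares its SHA-256 fingerprint with one obtained out of band before the file is mailed and installed. The host imap.example.com, port 993 and the file names are assumed placeholders.

```shell
# Assumes the openssl command-line tool is installed. Hostnames, ports and
# file names below are placeholders, not values from the original post.

# fetch_imap_cert HOST PORT OUT.der: save the server's leaf certificate as DER,
# the format the iPhone wants. </dev/null ends s_client after the handshake
# instead of waiting for interactive input; -servername sends SNI so a server
# hosting several names returns the right certificate. For port 143 (STARTTLS)
# add "-starttls imap" to the s_client command.
fetch_imap_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform DER -out "$3"
}

# pem_to_der IN.pem OUT.der: convert a certificate you already have (for
# example one copied out of a mail client) into DER.
pem_to_der() {
    openssl x509 -in "$1" -inform PEM -out "$2" -outform DER
}

# der_fingerprint FILE.der: print the SHA-256 fingerprint as colon-separated hex.
der_fingerprint() {
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# der_subject FILE.der: print the subject so the CN can be checked against
# the host name you connect to.
der_subject() {
    openssl x509 -in "$1" -inform DER -noout -subject | sed 's/^subject= *//'
}

# check_fingerprint FILE.der EXPECTED: succeed only if the file's fingerprint
# equals the one obtained out of band (from the server admin, or read off the
# server itself). Install the certificate on the phone only when this passes.
check_fingerprint() {
    [ "$(der_fingerprint "$1")" = "$2" ]
}

# Usage: sh fetch-imap-cert.sh imap.example.com 993
if [ $# -eq 2 ]; then
    fetch_imap_cert "$1" "$2" my-server.der
    echo "subject: $(der_subject my-server.der)"
    echo "sha256:  $(der_fingerprint my-server.der)"
fi
```

The printed fingerprint is what you compare against the value the server administrator gives you; mailing the .der file is harmless since the certificate is public, but the copy that reaches the phone should match that fingerprint.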

