Motorola doesn't provide any way to install new root certificates for Java (despite there being an interface to install them for SSL) and the only root certificates installed other than their own is the lucrative "Java Verified" monopoly certificate.
Fortunately it is possible to insert your own root certificates, such as the one provided by CAcert who issue free code signing certificates.
- Add the certificate to /ezxlocal/download/appwritecmsec/.policy/._policy.txt:
CA Cert Signing Authority (anything) 2 1 MIIHPTCCBS... (root certificate) 0 0 0 0
This will make it appear in the list of Java Root Certificates under Security Settings. That's all it does. The following two files are actually used by the JVM. - Add the certificate to /ezxlocal/download/java/.policy/._policy.txt:
domain: C=;L=;O=Root CA;OU=http://www.cacert.org;CN=CA Cert Signing Authority 2 1 AAAcHBwcHB... (copy this from the UTI certificate) MIIHPTCCBS... (root certificate) FrUyG9TH8+DmjvO90rA67rI5GNE= (unknown) 1049027389 (start date) 1995712189 (end date)
- Add the certificate to /usr/securesetup/.policy/_devdomain.txt:
domain: CA Cert root certificate (anything) type: 2 rootcert: MIIHPTCCBS... (root certificate) allowchangestatus: 0
- Where the root certificate is specified, it's in DER format and Base64 encoded all on one line.
- I copied the unknown part in the second policy file from the UTI certificate and it was automatically updated for me (including the domain DN).
- Somehow /ezxlocal/download/java/.policy/._hmac.txt was not world readable, which is required to run the MIDlet from the menu.
Using signed MIDlets, I can finally set some of the permissions to "Never Ask" and avoid irritating prompts.