Human-Readable File Formats Reference

This section provides details of the fields in the various certificate store human-readable files.

File Certificate Store Field Details

The following table provide details of the file certificate store fields:

Name	Description
`StartEntry`	Specifies the certificate label. This label is in UTF-8 format and limited to 64 characters.
`Deletable`	The value of this field indicates whether the certificate can be deleted. `True` indicates that the certificate can be deleted. `False` indicates that the certificate must be protected from deletion.
`Format`	Specifies the certificate format. This is usually set to `EX509Certificate`.
`CertificateOwnerType`	Indicates the type of certificate owner. This field has the following legal values: `ECACertificate`, `EUserCertificate` and `EPeerCertificate`.
`SubjectKeyId`	Both these fields are used to build certificate chains by looking for certificates with `SubjectKeyId` values that match the `IssuerKeyId` value of the first certificate in the chain. While the `SubjectKeyId` enables identification of certificates containing a public key (in this case, the issuer key), the `IssuerKeyId` is the unique value that identifies the issued certificate. These fields are optional. If omitted, their values are considered equivalent to auto. For x509 certificates, it is recommended that these fields be omitted or set to auto. For other certificate types, specify an octet string value.
`IssuerKeyId`
`StartApplicationList`	Indicates the start and end of the application list. An application list specifies the applications associated with a certificate. Applications can be specified by UID or by name (in which case they are looked up in `certclients.dat`).
`EndApplicationList`
`Trusted`	The value of this field is usually set to `True`. If set to `False`, the certificate does not act as a trust anchor and its capabilities are not used.
`DataFileName`	Specifies the name of the file from which the certificate is to be read. If the certificate format is not x509, the contents are treated as a raw block of data. If the format is x509, the file can be either of the following: A Privacy Enhanced Mail (PEM) encoded certificate in a UTF-8 file with or without a UTF-8 Byte Order Marker (BOM) A binary file containing a Distinguished Encoding Rules (DER) encoded certificate.

SWI Certificate Store Field Details

The following table provides information on the SWI certificate store fields. Because the SWI certificate store is a superset of the file certificate store, the following table lists only fields specific to the SWI certificate store.

Name	Description
`CapabilitySet`	Defines a list of capabilities allowed in applications that have the certificate as their trust anchor. Standard capability names or numeric bit numbers can be specified.
`Mandatory`	The value of this field is usually be set to `False` so that it enables the installation of any package not signed by a certificate that resolves to a SWI certificate. A `True` value prevents normal installation of packages. Note: If the certificate store is deployed in a device that does not support the feature of updating ROM files without using SIS stubs, the certificate gets interpreted as `Mandatory`. This prevents all normal applications from installing.
`SystemUpgrade`	The value of this field must usually be set to `False` to enable normal installation of applications. A `True` value of this field indicates that any application signed by a certificate which resolves to this certificate is treated as a System Upgrade, and consequently, a lot of security checks are disabled for that application. Note: The field is set to `True` only when the certificate store is deployed in a device that supports the feature of updating ROM files without using SIS stubs.

Important: A SWI certificate store does not have a Deletable field because all the SWI certificates are protected from deletion.

Related reference

Certificate Store Human-Readable File Formats