How to update the Android certificate store
written on Saturday, September 3, 2011
Sometimes it is necessary to update the certificate store on a rooted Android device. Here are just a few reasons for doing it:
- Yet another CA got compromised.
- You want to add a CA that is not included in the official certificate store (e.g. CAcert).
- You operate your own CA and want your device to trust it (companies come to mind).
This blog post focuses on a rooted Samsung Galaxy S GT-I9000, running a recent version of Android (Version: 2.3.4, DarkyROM). Some paths and the file system type may differ on other devices.
Requirements
The following is required to update the Android certificate store:
- A rooted Android device. Without being root on your phone you are doomed to wait for updates provided by either Google or the phone manufacturer.
- keytool, which ships with recent versions of the JRE.
- The Bouncy Castle Crypto API.
- Either adb from Android SDK or a Terminal Emulator on the phone. I used the free Android Terminal Emulator from Android Market.
Obtaining the certificate store from the device
Android stores its certificates in /system/etc/security/cacerts.bks. When you mount the SD card, /system will not show up. Thus, copy cacerts.bks to /sdcard/ before mounting it.
Then, mount your SD card and copy the file to your computer.
Removing certificates from the store
First, find the certificate of a CA you want to remove. Remember the alias of the certificate (in this example 95).
Remove it:
Now, if you list the certificates inside the store again, you should no longer see this particular certificate.
Adding certificates to the store
This is a common task, especially if you are a CAcert user. Just obtain the root certificate and put it in your $HOME.
Be sure to check the fingerprint of the certificate and use a meaningful alias when importing it.
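The removal and import steps described above, as an added example that is not the original post's code: a small wrapper around keytool using the Bouncy Castle provider. The jar path, the store password, the file names and all helper function names are assumptions.

```shell
#!/bin/sh
# Added example: edit a host-side copy of cacerts.bks with keytool + Bouncy Castle.
# Assumptions (not from the post): the default values below and all helper names.
KEYSTORE="${KEYSTORE:-cacerts.bks}"       # copy pulled from the device
BCPROV_JAR="${BCPROV_JAR:-bcprov.jar}"    # placeholder path to the Bouncy Castle jar
STOREPASS="${STOREPASS:-changeit}"        # assumed store password; override if needed

# Run one keytool command against the BKS store; DRY_RUN=1 only prints it.
bks() {
    set -- keytool "$@" -keystore "$KEYSTORE" -storetype BKS \
        -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerpath "$BCPROV_JAR" -storepass "$STOREPASS"
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Keep the untouched store as cacerts.bks.orig so the device can be restored.
backup_once() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    [ -e "$KEYSTORE.orig" ] || cp -p "$KEYSTORE" "$KEYSTORE.orig"
}

# List every entry with its alias and fingerprints (find the alias to remove here).
list_cas() { bks -list -v; }

# Delete one CA by alias, e.g. remove_ca 95.
remove_ca() {
    [ -n "${1:-}" ] || { echo "usage: remove_ca ALIAS" >&2; return 2; }
    backup_once && bks -delete -alias "$1"
}

# Import a root certificate under a meaningful alias. No -noprompt on purpose:
# keytool prints the fingerprints and asks for confirmation, which is the point
# at which to compare them with the value the CA publishes.
add_ca() {
    { [ -n "${1:-}" ] && [ -f "${2:-}" ]; } ||
        { echo "usage: add_ca ALIAS CERT_FILE" >&2; return 2; }
    backup_once && bks -importcert -trustcacerts -alias "$1" -file "$2"
}

# Command-line use: script.sh list | remove ALIAS | add ALIAS CERT_FILE
case "${1:-}" in
    list)   list_cas ;;
    remove) remove_ca "${2:-}" ;;
    add)    add_ca "${2:-}" "${3:-}" ;;
esac
```

Run with DRY_RUN=1 first to review the exact keytool command before the store is modified.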
Pushing the certificate store back on the device
Simply mount your SD card and copy the modified cacerts.bks back to the device.
Copy cacerts.bks back to /system/etc/security/. To accomplish this step, you need to remount /system as read/write:
Finally, reboot the device and be happy.
Update
- You can use CACertMan, a free app that allows you to browse, search, back up, restore and delete SSL root authority certificates from the Android certificate store directly on a rooted phone.
- I wrote a simple script that automates adding CAcert certificates to the Android certificate store. You can find it here.