How to update the Android certificate store
written on Saturday, September 3, 2011
Sometimes it is necessary to update the certificate store on a rooted Android device. Here are just a few reasons for doing it:
- Just another CA got compromised.
- You want to add a CA that is not included in the official certificate store (e.g CAcert).
- You operate your own CA and want your device to trust it (companies come to mind).
This blog post focuses on a rooted Samsung Galaxy S GT-I9000, running a recent version of Android (Version: 2.3.4, DarkyROM). Some paths and the file system type may differ on other devices.
The following is required to update the Android certificate store:
- A rooted Android device. Without being root on your phone you are doomed to wait for updates provided by either Google or the phone manufacturer.
- keytool, it comes with recent version of the JRE.
- The Bouncy Castle Crypto API.
- Either adb from Android SDK or a Terminal Emulator on the phone. I used the free Android Terminal Emulator from Android Market.
Obtaining the certificate store from the device
Android stores its certificates in /system/etc/security/cacerts.bks. When you mount the SD card, /system will not show up. Thus, copy cacerts.bks to the /sdcard/ before mounting it.
android~$ cp /system/etc/security/cacerts.bks /sdcard
Then, mount your SD card and copy the file on your box.
box~$ pmount /dev/sdb box~$ cp /media/sdb/cacerts.bks ~
Removing certificates from the store
First, find the certificate of a CA you want to remove. Remember the alias of the certificate (in this example 95).
box~$ keytool -keystore cacerts.bks -storetype BKS\ -provider org.bouncycastle.jce.provider.BouncyCastleProvider\ -storepass changeit -v -list | grep -A 4 -B 8 diginotar Aliasname: 95 Erstellungsdatum: 03.03.2011 Eintragstyp: trustedCertEntry Eigentümer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,Efirstname.lastname@example.org Aussteller: C=NL,O=DigiNotar,CN=DigiNotar Root CA,Eemail@example.com Seriennummer: c76da9c910c4e2c9efe15d058933c4c Gültig von: Wed May 16 19:19:36 CEST 2007 bis: Mon Mar 31 20:19:21 CEST 2025 Zertifikat-Fingerprints: MD5: 7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98 SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C SHA256: 0D:13:6E:43:9F:0A:B6:E9:7F:3A:02:A5:40:DA:9F:06:41:AA:55:4E:1D:66:EA:51:AE:29:20:D5:1B:2F:72:17 Signaturalgorithmusname: SHA1WithRSAEncryption Eigentümer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,Efirstname.lastname@example.org Aussteller: C=NL,O=DigiNotar,CN=DigiNotar Root CA,Eemail@example.com
box~$ keytool -keystore cacerts.bks -storetype BKS\ -provider org.bouncycastle.jce.provider.BouncyCastleProvider\ -storepass changeit -delete -alias 95
Now, if you list the certificates inside the store again, you should no longer see this particular certificate.
Adding certificates to the store
This is a common task, especially if you are a CAcert user. Just obtain the root certificate and put it in your $HOME.
box~$ #assume you want to add root.crt to the keystore box~$ keytool -keystore cacerts.bks -storetype BKS\ -provider org.bouncycastle.jce.provider.BouncyCastleProvider\ -storepass changeit -importcert -trustcacerts -alias myalias -file root.crt
Be sure to check the fingerprint of the certificate and use a meaningful alias when importing it.
Pushing the certificate store back on the device
Simply mount your SD card and copy the modified cacerts.bks back on the device.
box~$ cp ~/cacerts.bks /media/sdb/ box~$ pumount /media/sdb
Copy cacerts.bks back to /system/etc/security/. To accomplish this step, you need to remount /system as read/write:
android~$ su #required to remount /system android~# mount -o rw,remount /system android~# cp /sdcard/cacerts.bks /system/etc/security/cacerts.bks android~# mount -o ro,remount /system
Finally, reboot the device and be happy.
- You can use CACertMan, a free App that allows you to browse, search, backup, restore and delete SSL Root Authority certificates from the Android certificate store directly on a rooted phone.
- I wrote a simple script that automates adding CAcert certificates to the Android certificate store. You can find it here.