nblock's ~

How to update the Android certificate store

Sometimes it is necessary to update the certificate store on a rooted Android device. Here are just a few reasons for doing it:

  • Just another CA got compromised.
  • You want to add a CA that is not included in the official certificate store (e.g CAcert).
  • You operate your own CA and want your device to trust it (companies come to mind).

This blog post focuses on a rooted Samsung Galaxy S GT-I9000, running a recent version of Android (Version: 2.3.4, DarkyROM). Some paths and the file system type may differ on other devices.

Requirements

The following is required to update the Android certificate store:

  • A rooted Android device. Without being root on your phone you are doomed to wait for updates provided by either Google or the phone manufacturer.
  • keytool, it comes with recent version of the JRE.
  • The Bouncy Castle Crypto API.
  • Either adb from Android SDK or a Terminal Emulator on the phone. I used the free Android Terminal Emulator from Android Market.

Obtaining the certificate store from the device

Android stores its certificates in /system/etc/security/cacerts.bks. When you mount the SD card, /system will not show up. Thus, copy cacerts.bks to the /sdcard/ before mounting it.

android~$ cp /system/etc/security/cacerts.bks /sdcard

Then, mount your SD card and copy the file on your box.

box~$ pmount /dev/sdb
box~$ cp /media/sdb/cacerts.bks ~

Removing certificates from the store

First, find the certificate of a CA you want to remove. Remember the alias of the certificate (in this example 95).

box~$ keytool -keystore cacerts.bks -storetype BKS\
-provider org.bouncycastle.jce.provider.BouncyCastleProvider\
-storepass changeit -v -list | grep -A 4 -B 8 diginotar

Aliasname: 95
Erstellungsdatum: 03.03.2011
Eintragstyp: trustedCertEntry

Eigentümer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Aussteller: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Seriennummer: c76da9c910c4e2c9efe15d058933c4c
Gültig von: Wed May 16 19:19:36 CEST 2007 bis: Mon Mar 31 20:19:21 CEST 2025
Zertifikat-Fingerprints:
   MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
   SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
   SHA256: 0D:13:6E:43:9F:0A:B6:E9:7F:3A:02:A5:40:DA:9F:06:41:AA:55:4E:1D:66:EA:51:AE:29:20:D5:1B:2F:72:17
   Signaturalgorithmusname: SHA1WithRSAEncryption
Eigentümer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Aussteller: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl

Remove it:

box~$ keytool -keystore cacerts.bks -storetype BKS\
-provider org.bouncycastle.jce.provider.BouncyCastleProvider\
-storepass changeit -delete -alias 95

Now, if you list the certificates inside the store again, you should no longer see this particular certificate.

Adding certificates to the store

This is a common task, especially if you are a CAcert user. Just obtain the root certificate and put it in your $HOME.

box~$ #assume you want to add root.crt to the keystore
box~$ keytool -keystore cacerts.bks -storetype BKS\
-provider org.bouncycastle.jce.provider.BouncyCastleProvider\
-storepass changeit -importcert -trustcacerts -alias myalias -file root.crt

Be sure to check the fingerprint of the certificate and use a meaningful alias when importing it.

Pushing the certificate store back on the device

Simply mount your SD card and copy the modified cacerts.bks back on the device.

box~$ cp ~/cacerts.bks /media/sdb/
box~$ pumount /media/sdb

Copy cacerts.bks back to /system/etc/security/. To accomplish this step, you need to remount /system as read/write:

android~$ su  #required to remount /system
android~# mount -o rw,remount /system
android~# cp /sdcard/cacerts.bks /system/etc/security/cacerts.bks
android~# mount -o ro,remount /system

Finally, reboot the device and be happy.

Update

  • You can use CACertMan, a free App that allows you to browse, search, backup, restore and delete SSL Root Authority certificates from the Android certificate store directly on a rooted phone.
  • I wrote a simple script that automates adding CAcert certificates to the Android certificate store. You can find it here.

permalink | tweet this

tagged android, cacert, security and x509