Sometimes it is necessary to update the certificate store on a rooted Android device. Here are just a few reasons for doing it:
- Yet another CA got compromised and you want to stop trusting it (the DigiNotar root removed below is such a case).
- You want to add a CA that is not included in the official certificate store (e.g. CAcert).
- You operate your own CA and want your device to trust it (companies come to mind).
This blog post focuses on a rooted Samsung Galaxy S GT-I9000, running a recent version of Android (Version: 2.3.4, DarkyROM). Some paths and the file system type may differ on other devices.
Requirements
The following is required to update the Android certificate store:
- A rooted Android device. Without being root on your phone you are doomed to wait for updates provided by either Google or the phone manufacturer.
- keytool, which ships with recent versions of the JRE.
- The Bouncy Castle Crypto API. The Android store is a BKS keystore, a Bouncy Castle format that keytool cannot read without the provider jar, so the jar has to be on keytool's classpath (or handed to it with -providerpath).
- Either adb from the Android SDK or a Terminal Emulator on the phone. I used the free Android Terminal Emulator from Android Market.
Obtaining the certificate store from the device
On this Android version (2.3.x) the system trust store is a single Bouncy Castle keystore, /system/etc/security/cacerts.bks; later Android releases replaced it with a directory of individual certificate files, so the paths below are specific to 2.x.
Mounting the phone as USB mass storage only exposes the SD card, not /system. Thus, copy cacerts.bks to /sdcard/ first, from a terminal on the phone (the store is world-readable, so this step does not need root):
android~$ cp /system/etc/security/cacerts.bks /sdcard
Then, mount your SD card and copy the file on your box.
box~$ pmount /dev/sdb
box~$ cp /media/sdb/cacerts.bks ~
Removing certificates from the store
First, find the entry of the CA you want to remove and note its alias (95 in this example). Here the DigiNotar root is searched for; keytool prints the alias a few lines above the Owner line, hence the -B context for grep.
box~$ keytool -keystore cacerts.bks -storetype BKS\
-provider org.bouncycastle.jce.provider.BouncyCastleProvider\
-storepass changeit -v -list | grep -A 4 -B 8 diginotar
Alias name: 95
Creation date: 03.03.2011
Entry type: trustedCertEntry
Owner: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Issuer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Serial number: c76da9c910c4e2c9efe15d058933c4c
Valid from: Wed May 16 19:19:36 CEST 2007 until: Mon Mar 31 20:19:21 CEST 2025
Certificate fingerprints:
MD5: 7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
SHA256: 0D:13:6E:43:9F:0A:B6:E9:7F:3A:02:A5:40:DA:9F:06:41:AA:55:4E:1D:66:EA:51:AE:29:20:D5:1B:2F:72:17
Signature algorithm name: SHA1WithRSAEncryption
Owner: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Issuer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Remove it:
box~$ keytool -keystore cacerts.bks -storetype BKS\
-provider org.bouncycastle.jce.provider.BouncyCastleProvider\
-storepass changeit -delete -alias 95
Now, if you list the certificates inside the store again, you should no longer see this particular certificate.
Adding certificates to the store
This is a common task, especially if you are a CAcert user. Obtain the root certificate over a channel you trust (keytool reads both DER and PEM encoded files) and put it in your $HOME.
box~$ #assume you want to add root.crt to the keystore
box~$ keytool -keystore cacerts.bks -storetype BKS\
-provider org.bouncycastle.jce.provider.BouncyCastleProvider\
-storepass changeit -importcert -trustcacerts -alias myalias -file root.crt
keytool prints the certificate's fingerprints and asks for confirmation before it adds a certificate it cannot chain to an already trusted one. Compare them against the fingerprint the CA publishes through an independent channel before answering yes, and use a meaningful alias so the entry can be found and removed again later.
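The listing, removal and import steps above can be wrapped in a small POSIX shell script. The following is an added example, not the post's own script and not the CAcert script mentioned under Update: it parses a keytool -v -list listing to find aliases by subject (understanding both the English labels and the German ones keytool prints in a German locale), verifies a certificate's SHA1 fingerprint against a value obtained out of band before importing it, and hands the Bouncy Castle jar to keytool with -providerpath. The variable names KEYSTORE, BCPROV_JAR and STOREPASS and the subcommand layout are assumptions; SAMPLE_LISTING is constructed test data, not output captured from a phone.

```shell
#!/bin/sh
# Added example (not the post's own script): helpers around keytool and the
# Bouncy Castle provider for the Android BKS trust store. Assumed names:
# KEYSTORE (cacerts.bks copied off the phone), BCPROV_JAR (bcprov jar),
# STOREPASS (the store's password, "changeit" on the stock store).
KEYSTORE="${KEYSTORE:-$HOME/cacerts.bks}"
BCPROV_JAR="${BCPROV_JAR:-$HOME/bcprov.jar}"
STOREPASS="${STOREPASS:-changeit}"

# Run keytool with the options every operation on this store needs.
bks_keytool() {
    keytool -keystore "$KEYSTORE" -storetype BKS \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerpath "$BCPROV_JAR" -storepass "$STOREPASS" "$@"
}

# Read a `keytool -v -list` listing on stdin and print the alias of every
# entry whose Owner line matches the case-insensitive pattern in $1.
# Handles the English labels and the German ones (Aliasname, Eigentuemer).
bks_find_alias() {
    awk -v pat="$1" '
        /^(Alias name|Aliasname):/ { sub(/^[^:]*:[ \t]*/, ""); alias = $0; next }
        /^(Owner|Eigent.*mer):/    { if (tolower($0) ~ tolower(pat)) print alias }
    '
}

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# Succeed only if two fingerprints are identical after normalisation.
fp_equal() { [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]; }

# Print the SHA1 fingerprint keytool reports for a certificate file.
cert_sha1() {
    keytool -printcert -file "$1" | awk -F': ' '/^[ \t]*SHA1:/ { print $2 }'
}

# Import certificate $1 under alias $2 only if its SHA1 equals $3, the
# fingerprint obtained out of band (e.g. from the CA's website).
bks_import_checked() {
    actual=$(cert_sha1 "$1")
    if ! fp_equal "$actual" "$3"; then
        echo "fingerprint mismatch for $1: got $actual, expected $3" >&2
        return 1
    fi
    bks_keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$1"
}

# Constructed sample listing (two trimmed entries, English keytool labels),
# so the parser can be tried without a keystore or keytool at hand.
SAMPLE_LISTING='Alias name: 94
Creation date: 03.03.2011
Entry type: trustedCertEntry
Owner: CN=Example Root CA,O=Example,C=US
Issuer: CN=Example Root CA,O=Example,C=US

Alias name: 95
Creation date: 03.03.2011
Entry type: trustedCertEntry
Owner: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Issuer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl'

case "${1:-}" in
    find)   bks_keytool -v -list | bks_find_alias "$2" ;;
    delete) for a in $(bks_keytool -v -list | bks_find_alias "$2"); do
                bks_keytool -delete -alias "$a"
            done ;;
    add)    bks_import_checked "$2" "$3" "$4" ;;
    demo)   printf '%s\n' "$SAMPLE_LISTING" | bks_find_alias diginotar ;;
    *)      echo "usage: $0 find <pattern> | delete <pattern> | add <cert> <alias> <sha1> | demo" >&2 ;;
esac
```

Running the script with demo prints 95, the alias the parser picks out of the sample; find, delete and add need keytool and the bcprov jar. The delete subcommand removes every entry whose owner matches the pattern, so check the output of find first.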
Pushing the certificate store back on the device
Simply mount your SD card and copy the modified cacerts.bks back on
the device.
box~$ cp ~/cacerts.bks /media/sdb/
box~$ pumount /media/sdb
Copy cacerts.bks back to /system/etc/security/. /system is mounted read-only, so this step needs root and a read/write remount:
android~$ su #required to remount /system
android~# mount -o rw,remount /system
android~# cp /sdcard/cacerts.bks /system/etc/security/cacerts.bks
android~# mount -o ro,remount /system
Keep a copy of the original store somewhere safe before overwriting it (a corrupt or unreadable cacerts.bks breaks every app that relies on the system trust store), and after copying check with ls -l that the new file is still root-owned and world-readable like the original. Finally, reboot the device and be happy.
References
- http://blog.mylookout.com/2011/08/for-rooted-android-device-users-open-heart-surgery-on-your-android-ca-store/
- http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones
- http://silkemeyer.net/root-zertifikate-von-cacert-in-android-importieren
Update
- You can use CACertMan, a free App that allows you to browse, search, backup, restore and delete SSL Root Authority certificates from the Android certificate store directly on a rooted phone.
- I wrote a simple script that automates adding CAcert certificates to the Android certificate store. You can find it here.