Requirements

The following is required to update the Android certificate store:

• A rooted Android device. Without being root on your phone you are doomed to wait for updates provided by either Google or the phone manufacturer.
• keytool, it comes with recent version of the JRE.
• The Bouncy Castle Crypto API.
• Either adb from Android SDK or a Terminal Emulator on the phone. I used the free Android Terminal Emulator from Android Market.

Obtaining the certificate store from the device

Android stores its certificates in /system/etc/security/cacerts.bks. When you mount the SD card, /system will not show up. Thus, copy cacerts.bks to the /sdcard/ before mounting it.

android~$ cp /system/etc/security/cacerts.bks /sdcard

Then, mount your SD card and copy the file on your box.

box~$ pmount /dev/sdb
box~$ cp /media/sdb/cacerts.bks ~

Removing certificates from the store

First, find the certificate of a CA you want to remove. Remember the alias of the certificate (in this example 95).

box~$ keytool -keystore cacerts.bks -storetype BKS\
-provider org.bouncycastle.jce.provider.BouncyCastleProvider\
-storepass changeit -v -list | grep -A 4 -B 8 diginotar

Aliasname: 95
Erstellungsdatum: 03.03.2011
Eintragstyp: trustedCertEntry

Eigentümer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Aussteller: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Seriennummer: c76da9c910c4e2c9efe15d058933c4c
Gültig von: Wed May 16 19:19:36 CEST 2007 bis: Mon Mar 31 20:19:21 CEST 2025
Zertifikat-Fingerprints:
   MD5:  7A:79:54:4D:07:92:3B:5B:FF:41:F0:0E:C7:39:A2:98
   SHA1: C0:60:ED:44:CB:D8:81:BD:0E:F8:6C:0B:A2:87:DD:CF:81:67:47:8C
   SHA256: 0D:13:6E:43:9F:0A:B6:E9:7F:3A:02:A5:40:DA:9F:06:41:AA:55:4E:1D:66:EA:51:AE:29:20:D5:1B:2F:72:17
   Signaturalgorithmusname: SHA1WithRSAEncryption
Eigentümer: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl
Aussteller: C=NL,O=DigiNotar,CN=DigiNotar Root CA,E=info@diginotar.nl

Remove it:

box~$ keytool -keystore cacerts.bks -storetype BKS\
-provider org.bouncycastle.jce.provider.BouncyCastleProvider\
-storepass changeit -delete -alias 95

Now, if you list the certificates inside the store again, you should no longer see this particular certificate.

Adding certificates to the store

This is a common task, especially if you are a CAcert user. Just obtain the root certificate and put it in your $HOME.

box~$ #assume you want to add root.crt to the keystore
box~$ keytool -keystore cacerts.bks -storetype BKS\
-provider org.bouncycastle.jce.provider.BouncyCastleProvider\
-storepass changeit -importcert -trustcacerts -alias myalias -file root.crt

Be sure to check the fingerprint of the certificate and use a meaningful alias when importing it.

Pushing the certificate store back on the device

Simply mount your SD card and copy the modified cacerts.bks back on the device.

box~$ cp ~/cacerts.bks /media/sdb/
box~$ pumount /media/sdb

Copy cacerts.bks back to /system/etc/security/. To accomplish this step, you need to remount /system as read/write:

android~$ su  #required to remount /system
android~# mount -o rw,remount /system
android~# cp /sdcard/cacerts.bks /system/etc/security/cacerts.bks
android~# mount -o ro,remount /system

Finally, reboot the device and be happy.

References

• http://blog.mylookout.com/2011/08/for-rooted-android-device-users-open-heart-surgery-on-your-android-ca-store/
• http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones
• http://silkemeyer.net/root-zertifikate-von-cacert-in-android-importieren

Update

• You can use CACertMan, a free App that allows you to browse, search, backup, restore and delete SSL Root Authority certificates from the Android certificate store directly on a rooted phone.
• I wrote a simple script that automates adding CAcert certificates to the Android certificate store. You can find it here.