The goal is to add the CAcert root certificates to my Android phone running Ice Cream Sandwich. I use CAcert certificates on my personal host for everything: IMAP4, SMTP submission, CalDAV and CardDAV. We will use CAcert as an example, but the same method applies to any root certificate.
In previous Android versions, the SSL certificates were stored in a BouncyCastle container. The CAcert wiki has a step-by-step guide on how to add certificates for those versions. From Ice Cream Sandwich onwards, Android uses the OpenSSL libraries and stores SSL certificates in a more familiar way: all included root certificates are placed in the “/etc/security/cacerts/” directory.
If you want to add others, the kosher way is to add them to the personal keystore through the phone GUI, which does not distinguish between personal certificates and root certificates. Consequently, Android expects you to set a password or PIN code on the keystore, which can be quite annoying and actually a stupid design from Google in the case of root certificates.
I took the following route to install the CAcert root certificate. There are at least two ways to reach the same goal; it can also be done using the “adb” tool from the Android SDK. I chose to use tools most users will understand.
Prerequisite: a rooted phone. How to root your phone is beyond the scope of this post; it varies quite a bit between manufacturers and models. Google is your friend.
Step 1: Get the certificate(s) you want included. They should be in PEM format. For CAcert, it is here.
Step 2: OpenSSL locates a certificate in this directory by a hash of its subject name, so the certificate file must be renamed to that hash. The openssl binary can generate the name. If you use a *nix-based operating system, openssl is part of the standard installation. On MS-Windows, there is a port. Notice that Android uses the 0.9x series of OpenSSL, while most up-to-date *nix versions (and the Windows port) use the 1.0x series. This matters because the two series compute the hash differently, so the generated names differ. To generate the hash, use:
- for the 0.9x OpenSSL: openssl x509 -noout -subject_hash -in your-root-cert
- for the 1.0x OpenSSL: openssl x509 -noout -subject_hash_old -in your-root-cert
Step 3: The above command displays the hash value. Rename the certificate to its hashed name: mv your-root-cert.pem hashed_name.0 (e.g. “mv root.crt 5ed36f99.0” for the CAcert root).
Update 27 Nov 2013: it seems some implementations cannot use the plain certificate as published on the CAcert web site; the certificate's text dump needs to be appended to it. Sebastiaan, in a comment below pointing to his blog, suggests using:
cat root.crt > 5ed36f99.0
openssl x509 -inform PEM -text -in root.crt -out /dev/null >> 5ed36f99.0
Step 4: Copy the file to your phone's SD card. You should know how to do that.
Step 5: Launch a terminal emulator window on your phone (I used this one) and run the following commands, replacing “5ed36f99.0” with the actual name of your certificate:
su
cp /mnt/sdcard/5ed36f99.0 /etc/security/cacerts/
chown root.root /etc/security/cacerts/5ed36f99.0
chmod 644 /etc/security/cacerts/5ed36f99.0
ls -l /etc/security/cacerts/5ed36f99.0
exit
exit
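The two hash commands in Step 2 exist because OpenSSL 1.0.x changed how the subject hash is computed: 0.9.x takes MD5 over the raw DER subject name, 1.0.x takes SHA-1 over a canonicalised copy (values converted to UTF8String, ASCII-lowercased, whitespace trimmed and collapsed), and both use the first four digest bytes as a little-endian integer printed as eight hex digits. The Python below is an added example, not code from the original post or from CAcert or Android; it reimplements both variants with a small DER parser so the difference is visible, and goes a little beyond the post by handling both naming schemes from one function. The names `cacerts_filename`, `build_test_cert` and the `android_uses_openssl_1` flag are my own; the certificate skeleton it builds is constructed for the demonstration and is not a real, signed certificate, and T61String values are approximated as Latin-1 (an assumption). The “.0” suffix is OpenSSL's first slot for a given hash; colliding hashes would use .1, .2 and so on.

```python
# Added example, not code from the original post: a dependency-free DER parser
# that reproduces OpenSSL's two subject-hash file names for a PEM certificate.
import base64, hashlib, re, struct

ASCII_WS = b" \t\n\r\x0b\x0c"
# String tags OpenSSL canonicalises: UTF8, Printable, T61, IA5, Visible, BMP, Universal
CANON_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1A, 0x1E, 0x1C}
OID_CN = bytes.fromhex("0603550403")   # 2.5.4.3  commonName
OID_O = bytes.fromhex("060355040a")    # 2.5.4.10 organizationName

def _tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value, end offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value, raw_tlv) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, end = _tlv(value, pos)
        yield tag, val, value[pos:end]
        pos = end

def _der(tag, value):
    """Encode one DER TLV with a definite length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))

def subject_der(cert_der):
    """Return the raw DER Name of the subject field of a Certificate."""
    _, cert, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = _tlv(cert, 0)               # TBSCertificate ::= SEQUENCE { ... }
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4][2]                     # serial, sigAlg, issuer, validity, SUBJECT, ...

def _canon_string(tag, value):
    """OpenSSL 1.0.x canonical form of one attribute value, as UTF-8 bytes."""
    decoders = {0x1E: "utf-16-be", 0x1C: "utf-32-be", 0x14: "latin-1"}  # T61 as Latin-1: assumption
    raw = value.decode(decoders.get(tag, "utf-8")).encode("utf-8").strip(ASCII_WS)
    out, prev_space = bytearray(), False
    for b in raw:
        if b >= 0x80:                       # non-ASCII bytes pass through untouched
            out.append(b)
            prev_space = False
        elif b in ASCII_WS:                 # runs of ASCII whitespace collapse to one space
            if not prev_space:
                out.append(0x20)
            prev_space = True
        else:                               # ASCII upper-case letters are lower-cased
            out.append(b + 32 if 65 <= b <= 90 else b)
            prev_space = False
    return bytes(out)

def _canon_name(name_der):
    """Each RDN SET re-encoded with UTF8String values; no outer SEQUENCE, order kept."""
    _, rdns, _ = _tlv(name_der, 0)
    out = b""
    for _, rdn, _ in _children(rdns):                       # RelativeDistinguishedName (SET)
        attrs = b""
        for _, atv, _ in _children(rdn):                    # AttributeTypeAndValue (SEQUENCE)
            (_, _, oid_raw), (vtag, val, val_raw) = list(_children(atv))
            if vtag in CANON_TAGS:
                val_raw = _der(0x0C, _canon_string(vtag, val))
            attrs += _der(0x30, oid_raw + val_raw)
        out += _der(0x31, attrs)
    return out

def subject_hash_old(cert_der):
    """0.9.x / `-subject_hash_old`: MD5 of the raw subject DER, first 4 bytes little-endian."""
    return "%08x" % struct.unpack("<I", hashlib.md5(subject_der(cert_der)).digest()[:4])[0]

def subject_hash(cert_der):
    """1.0.x / `-subject_hash`: SHA-1 of the canonicalised subject, first 4 bytes little-endian."""
    return "%08x" % struct.unpack("<I", hashlib.sha1(_canon_name(subject_der(cert_der))).digest()[:4])[0]

def cacerts_filename(pem, android_uses_openssl_1=False):
    """Name expected under /etc/security/cacerts/; '.0' is OpenSSL's first slot for a hash."""
    der = pem_to_der(pem)
    return (subject_hash(der) if android_uses_openssl_1 else subject_hash_old(der)) + ".0"

def build_test_cert(subject_attrs):
    """Constructed, unsigned certificate skeleton (not a real cert) for exercising the parser."""
    name = _der(0x30, b"".join(_der(0x31, _der(0x30, oid + _der(tag, text.encode("utf-8"))))
                               for oid, tag, text in subject_attrs))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + _der(0x05, b""))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + validity + name + _der(0x30, b""))   # version, serial, alg, issuer, validity, subject, empty SPKI
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # dummy empty BIT STRING as signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    pem = build_test_cert([(OID_O, 0x13, "Example Org"), (OID_CN, 0x13, "Example Root CA")])
    print("0.9.x file name:", cacerts_filename(pem))
    print("1.0.x file name:", cacerts_filename(pem, android_uses_openssl_1=True))
```

Run it against a real PEM file by replacing the constructed skeleton with `open("root.crt").read()`; with the post's stated 0.9x series on the phone, the default (`subject_hash_old`) is the name to use, and the result should match what `openssl x509 -noout -subject_hash_old` prints on a 1.0x host. Note that the file name is only a lookup index: when OpenSSL opens hash.N it still compares the certificate's full subject before using it, so a wrong hash means the CA is simply not found rather than a different certificate being trusted.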
All done! Go ahead and test it. You may need to reboot your phone for this to work.
Usual disclaimer: the above might brick your phone, but should be without danger to your health.