Importing CAcert Certificates in Android.

By Sphoorti Joglekar

Installing CAcert certificates as

  • ‘user-trusted’ certificates is very easy, however, it has one limitation. Use of ‘User-trusted’ certificates forces the user to implement additional safety measures like using a PIN-code or pattern lock or a password to unlock the device.

  • ‘system-trusted ‘ certificates is slightly tedious. The user needs to have root access to the android device. But with this approach, the user can get rid of the lockscreen requirement.

On the Android device

  • ‘user-trusted’ certificates - are found in Settings -> Security -> Certificates -> ‘User’ section. Using a file manager, you can find them at ‘/data/misc/keychain/certs-added’ as read-only files.

  • ‘system-trusted ‘ certificates - are found in Settings -> Security -> Certificates -> ‘System’ section. Using a file manager, you can find them at ‘/system/etc/security/’ as files with read-only format.

‘user-trusted’ certificate:

  1. root.crt and class3.crt. Download them onto the internal flash storage ( /sdcard/ folder ).
  2. Browse to the directory using a file manager and click on the root.crt.The file will be opened by the Certificate Manager and prompt you for the name of the newly imported certificate.
  3. At this juncture, the Android Security Model will propmt you to use a lock-screen mechanism if it is the first time that you are using a’user-trusted’ certificate.
  4. Once the root.crt is installed, follow the same steps for class3.crt.
  5. Confirm that both the certicates are successfully installed on your device.
  6. Reboot your device.

‘system-trusted’ certificate:

  1. Apart from overcoming the limitation of a lock-screen, ‘system-trusted’ certificates help you protect your device from tampering by malicious applications.
  2. A rooted android device or temporary root access to your device and a system with openssl software installed on it.
  3. Get the CAcert root certificates from the cacert.org website. Download the root certificate PEM format (root.crt) and the Class 3 PKI key in PEM format (class3.crt)

  4. Get the hash of the root.crt certificate:

     openssl x509 -inform PEM -subject_ hash_ old -in root.crt | head -1  
 cat root.crt > <i>hashValue</i>.0   
 openssl x509 -inform PEM -text -in root.crt -out /dev/null >> <i>hashValue</i>.0
  5. Follow the same steps for class3.crt.
  6. Check the md5sum of the newly created Android compatible certificate files using the md5sum command.

  7. Once done, use adb shell to create the ‘system-trusted’ certificates.

     su  
 mount -o remount,rw /system  
 cp /sdcard/<i>hashValue</i>.0 /system/etc/security/cacerts/  
 cp /sdcard/<i>hashValue</i>.0 /system/etc/security/cacerts/  
 cd /system/etc/security/cacerts/  
 chmod 644 5ed36f99.0  
 chmod 644 e5662767.0  
 reboot
  8. After reboot, verify that the certificates are successfully installed on your device.

If things dont go well in this approach, make sure no user certificates are installed (Settings -> Security -> Clear certificates) and also "Clear/delete credentials" (in Settings -> Security).

Note that the -subject_ hash_ old parameter will depend on the openssl software version.

For Android GingerBread and Froyo follow this comprehensive guide Import CAcert root certificate into Android pre-Ice Cream Sandwich.