Question

I have rooted my Android (4.0.4) phone and installed an app which proxies all HTTP traffic through my computer. This works fine and I can see and modify all HTTP requests. But HTTPS-traffic does not pass through. I have exported the certificate of my proxy but I found out that there is no cacert.bks-file in the /system/etc/security-folder.

So how can I add my custom certificate to the list of trusted certificates using keytool?

Was it helpful?

Solution

I had the issue with a self signed webserver certificate which I could not install by just open it. I've got a "CertInstaller(28614): didn't find matched private key" in logcat. My solution:

If you want to install new certificates into the android system cacert store when it does not use the bks file anymore:

You have to have root of course.

  1. You have to get the certificate (export from browser) as pem format. PEM is a encoded format like:
-----BEGIN CERTIFICATE-----
MIIDtjCCAp6gAwIBAgIQRJmNPMADJ72cdpW56tustTANBgkqhkiG9w0BAQUFADB1
...
-----END CERTIFICATE-----
  1. You have to get the hash for the subject name.

    openssl x509 -inform PEM -subject_hash -in yourcert.crt

You will get something like 0d188d89 back.

  1. You have to get the text version of the certificate.

    openssl x509 -inform PEM -text -in yourcert.crt > yourcert.txt

  2. You have to switch the text and the pem section within a editor. It should look like this:

-----BEGIN CERTIFICATE-----
MIIDtjCCAp6gAwIBAgIQRJmNPMADJ72cdpW56tustTANBgkqhkiG9w0BAQUFADB1
...
-----END CERTIFICATE----- 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
...

  1. You rename the file to "0d188d89.0"

  2. Copy the file with adb or something else to /system/etc/security/cacerts/.

You can check by just going into settings / security / trusted credentials / system The certs are sorted by the "Organization" field from the certs.

Information used from: http://nelenkov.blogspot.de/2011/12/ics-trust-store-implementation.html

OTHER TIPS

Afaik, you dont have to root your device to install your trusted certificates after ICS. There is setting for that.

http://support.google.com/android/bin/answer.py?hl=en&answer=1649774

Due to the use of an oder openssl (0.9.*) on android, I had to use "-subject_hash_old" instead of -subject_hash" in post https://stackoverflow.com/a/18390177/3043726 of user user2708846 here.

I've summarized the steps I took (including changing file permissions, copying the file to the android device, and help on how to verify that the certificates are installed correctly) at the cyanogenmod forum http://forum.cyanogenmod.com/topic/82875-installing-cacert-certificates-on-android-as-system-credentials-without-lockscreen/ and on my own blog http://wiki.pcprobleemloos.nl/android/

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top