
I have rooted my Android (4.0.4) phone and installed an app which proxies all HTTP traffic through my computer. This works fine and I can see and modify all HTTP requests. But HTTPS traffic does not pass through. I have exported the certificate of my proxy, but I found out that there is no cacert.bks file in the /system/etc/security folder.

So how can I add my custom certificate to the list of trusted certificates using keytool?

1' OR 1 --

3 Answers

17

I had the issue with a self-signed webserver certificate which I could not install by just opening it. I got a "CertInstaller(28614): didn't find matched private key" in logcat. My solution:

If you want to install new certificates into the android system cacert store when it does not use the bks file anymore:

You have to have root of course.

  1. You have to get the certificate (export from browser) in PEM format. PEM is an encoded format like:

    -----BEGIN CERTIFICATE-----
    MIIDtjCCAp6gAwIBAgIQRJmNPMADJ72cdpW56tustTANBgkqhkiG9w0BAQUFADB1
    ...
    -----END CERTIFICATE-----

  2. You have to get the hash for the subject name.

    openssl x509 -inform PEM -subject_hash -in yourcert.crt

You will get something like 0d188d89 back.

  3. You have to get the text version of the certificate.

    openssl x509 -inform PEM -text -in yourcert.crt > yourcert.txt

  4. You have to switch the text and the PEM section in an editor. It should look like this:

    -----BEGIN CERTIFICATE-----
    MIIDtjCCAp6gAwIBAgIQRJmNPMADJ72cdpW56tustTANBgkqhkiG9w0BAQUFADB1
    ...
    -----END CERTIFICATE-----
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
    ...

  5. You rename the file to "0d188d89.0"

  6. Copy the file with adb or something else to /system/etc/security/cacerts/.

You can check by just going into Settings / Security / Trusted credentials / System. The certs are sorted by the "Organization" field of the certs.

Information used from: http://nelenkov.blogspot.de/2011/12/ics-trust-store-implementation.html

user2708846
  • Thanks a lot! Your answer saved my day :) Here is a small addendum: if you use openssl version >= 1.0, then you have to use `-subject_hash_old` instead of `-subject_hash`. – josch Jan 20 '14 at 19:47
  • You should add `-noout` to your `openssl` command, which will eliminate the need for step 4. – Ben Stern Dec 27 '18 at 19:15
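The file name in step 5 is the subject-name hash from step 2, and the comments point out that on OpenSSL 1.0+ the matching option is `-subject_hash_old`. The following is an added example, not code from the answer or from Android, that computes exactly that value from a PEM certificate using only the Python standard library: MD5 over the DER-encoded subject Name, first four bytes read little-endian, eight hex digits. It feeds itself a constructed, unsigned stand-in certificate (built only to exercise the parser) because no real certificate is embedded on this page.

```python
import base64, hashlib, re

def pem_to_der(pem):
    """Strip the BEGIN/END markers and base64-decode the PEM body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def tlv(data, i=0):
    """Decode one DER tag-length-value at offset i -> (tag, value, end_offset)."""
    tag, length, j = data[i], data[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, j = int.from_bytes(data[j:j + n], "big"), j + n
    return tag, data[j:j + length], j + length

def subject_der(cert_der):
    """Full DER (tag+length+value) of the subject Name inside tbsCertificate."""
    _, cert_body, _ = tlv(cert_der)  # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert_body)       # tbsCertificate ::= SEQUENCE
    fields, i = [], 0
    while i < len(tbs):
        tag, _, end = tlv(tbs, i)
        fields.append((tag, tbs[i:end]))
        i = end
    if fields[0][0] == 0xA0:         # optional explicit [0] version comes first
        fields.pop(0)
    return fields[4][1]  # serialNumber, signature, issuer, validity, subject, ...

def subject_hash_old(pem):
    """What `openssl x509 -subject_hash_old` prints: MD5 of the DER subject, first
    four bytes read little-endian, as 8 hex digits. Android names the file <hash>.0."""
    digest = hashlib.md5(subject_der(pem_to_der(pem))).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def der_tlv(tag, body):  # tiny DER encoder for the constructed sample (bodies < 256 bytes)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def constructed_sample_pem(cn="constructed-proxy"):
    """Structurally minimal unsigned certificate: constructed test input, not a real cert."""
    rdn = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))  # CN=
    name = der_tlv(0x30, der_tlv(0x31, rdn))
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + b"\x05\x00")
    validity = der_tlv(0x30, der_tlv(0x17, b"130101000000Z") * 2)  # notBefore == notAfter
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + alg
                  + name + validity + name + der_tlv(0x30, b""))  # issuer == subject, no SPKI
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Running `subject_hash_old` on the PEM exported from your proxy gives the name to use in step 5 (plus the ".0" suffix); compare it against `openssl x509 -noout -subject_hash_old -in yourcert.crt` to confirm which option your OpenSSL build maps to this hash.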
3

AFAIK, you don't have to root your device to install your trusted certificates after ICS. There is a setting for that.

http://support.google.com/android/bin/answer.py?hl=en&answer=1649774

Akdeniz
  • Correct, you can simply put it on the SD card and import from Settings. If you are interested in how the trust store works on ICS+, some details here: http://nelenkov.blogspot.jp/2011/12/ics-trust-store-implementation.html. In short, certs you add end up in `/data/misc/keychainca/certs-added`. – Nikolay Elenkov Dec 21 '12 at 08:45
  • That seems to work for a couple of programs, but not the app which I wanted to sniff the traffic of. – 1' OR 1 -- Jan 18 '13 at 18:33
2

Due to the use of an older openssl (0.9.*) on Android, I had to use "-subject_hash_old" instead of "-subject_hash" in the post https://stackoverflow.com/a/18390177/3043726 by user user2708846 here.

I've summarized the steps I took (including changing file permissions, copying the file to the Android device, and help on how to verify that the certificates are installed correctly) at the CyanogenMod forum http://forum.cyanogenmod.com/topic/82875-installing-cacert-certificates-on-android-as-system-credentials-without-lockscreen/ and on my own blog http://wiki.pcprobleemloos.nl/android/.

sgiebels