I have created my own CA certificate and now I want to install it on my Android Froyo device (HTC Desire Z), so that the device trusts my certificate.
Android stores CA certificates in its Java keystore in /system/etc/security/cacerts.bks
. I copied the file to my computer, added my certificate using portecle 1.5 and pushed it back to the device.
Now, Android does not seem to reload the file automatically. I have read in several blog posts that I need to restart the device. Doing so results in the file being overwritten with the original one again.
My next try was to install the certificate from SD card by copying it and using the according option from the settings menu. The device tells me that the certificate has been installed, but apparently it does not trust the certificate. Moreover, when I try to copy the keystore to my computer, I still find the original stock cacerts.bks
.
So, what is the right way to install my own root CA certificate on an Android 2.2 device as a trusted certificate? Is there a way to do it programmatically?
This question is related to
android
ssl
installation
certificate
If you have a rooted device, you can use a Magisk Module to move User Certs to System so it will be Trusted Certificate
These steps worked for me:
Alternatively, I found these options which I had no need to try myself but looked easy to follow:
Finally, it may not be relevant but, if you are looking to create and setup a self-signed certificate (with mkcert) for your PWA app (website) hosted on a local IIS Web server, I followed this page:
Thanks and hope it helps!! :)
What I did to beable to use startssl certificates was quite easy. (on my rooted phone)
I copied /system/etc/security/cacerts.bks to my sdcard
Downloaded http://www.startssl.com/certs/ca.crt and http://www.startssl.com/certs/sub.class1.server.ca.crt
Went to portecle.sourceforge.net and ran portecle directly from the webpage.
Opened my cacerts.bks file from my sdcard (entered nothing when asked for a password)
Choose import in portacle and opened sub.class1.server.ca.crt, im my case it allready had the ca.crt but maybe you need to install that too.
Saved the keystore and copied it baxck to /system/etc/security/cacerts.bks (I made a backup of that file first just in case)
Rebooted my phone and now I can vist my site thats using a startssl certificate without errors.
Here's an alternate solution that actually adds your certificate to the built in list of default certificates: Trusting all certificates using HttpClient over HTTPS
However, it will only work for your application. There's no way to programmatically do it for all applications on a user's device, since that would be a security risk.
There is a MUCH easier solution to this than posted here, or in related threads. If you are using a webview (as I am), you can achieve this by executing a JAVASCRIPT function within it. If you are not using a webview, you might want to create a hidden one for this purpose. Here's a function that works in just about any browser (or webview) to kickoff ca installation (generally through the shared os cert repository, including on a Droid). It uses a nice trick with iFrames. Just pass the url to a .crt file to this function:
function installTrustedRootCert( rootCertUrl ){
id = "rootCertInstaller";
iframe = document.getElementById( id );
if( iframe != null ) document.body.removeChild( iframe );
iframe = document.createElement( "iframe" );
iframe.id = id;
iframe.style.display = "none";
document.body.appendChild( iframe );
iframe.src = rootCertUrl;
}
UPDATE:
The iframe trick works on Droids with API 19 and up, but older versions of the webview won't work like this. The general idea still works though - just download/open the file with a webview and then let the os take over. This may be an easier and more universal solution (in the actual java now):
public static void installTrustedRootCert( final String certAddress ){
WebView certWebView = new WebView( instance_ );
certWebView.loadUrl( certAddress );
}
Note that instance_ is a reference to the Activity. This works perfectly if you know the url to the cert. In my case, however, I resolve that dynamically with the server side software. I had to add a fair amount of additional code to intercept a redirection url and call this in a manner which did not cause a crash based on a threading complication, but I won't add all that confusion here...
The guide linked here will probably answer the original question without the need for programming a custom SSL connector.
Found a very detailed how-to guide on importing root certificates that actually steps you through installing trusted CA certificates on different versions of Android devices (among other devices).
Basically you'll need to:
Download: the cacerts.bks file from your phone.
adb pull /system/etc/security/cacerts.bks cacerts.bks
Download the .crt file from the certifying authority you want to allow.
Modify the cacerts.bks file on your computer using the BouncyCastle Provider
Upload the cacerts.bks file back to your phone and reboot.
Here is a more detailed step by step to update earlier android phones: How to update HTTPS security certificate authority keystore on pre-android-4.0 device
Did you try: Settings -> Security -> Install from SD Card? – Alexander Egger Dec 20 '10 at 20:11
I'm not sure why is this not an answer already, but I just followed this advice and it worked.
I spent a lot of time trying to find an answer to this (I need Android to see StartSSL certificates). Conclusion: Android 2.1 and 2.2 allow you to import certificates, but only for use with WiFi and VPN. There is no user interface for updating the list of trusted root certificates, but there is discussion about adding that feature. It’s unclear whether there is a reliable workaround for manually updating and replacing the cacerts.bks file.
Details and links: http://www.mcbsys.com/techblog/2010/12/android-certificates/. In that post, see the link to Android bug 11231--you might want to add your vote and query to that bug.
If you need your certificate for HTTPS connections you can add the .bks file as a raw resource to your application and extend DefaultHttpConnection so your certificates are used for HTTPS connections.
public class MyHttpClient extends DefaultHttpClient {
private Resources _resources;
public MyHttpClient(Resources resources) {
_resources = resources;
}
@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory
.getSocketFactory(), 80));
if (_resources != null) {
registry.register(new Scheme("https", newSslSocketFactory(), 443));
} else {
registry.register(new Scheme("https", SSLSocketFactory
.getSocketFactory(), 443));
}
return new SingleClientConnManager(getParams(), registry);
}
private SSLSocketFactory newSslSocketFactory() {
try {
KeyStore trusted = KeyStore.getInstance("BKS");
InputStream in = _resources.openRawResource(R.raw.mystore);
try {
trusted.load(in, "pwd".toCharArray());
} finally {
in.close();
}
return new SSLSocketFactory(trusted);
} catch (Exception e) {
throw new AssertionError(e);
}
}
}
Source: Stackoverflow.com