Installing CAcert certificates on Android as 'system' credentials without lockscreen - instructions

Note: this article has been integrated into CAcert's 'How can I trust CAcert's root certificate?' page. I will try to keep both this page and the CAcert page updated; please contact me at pcprobleemloos.nl (yes, that is an e-mail address) if you find any errors.

The existing method of importing user certificates works fine, but it has the disadvantage that it requires a PIN / password lockscreen whenever user certificates are installed. By installing the CAcert certificates as system certificates, these files are better protected from tampering by malicious apps, and there is no lockscreen requirement (allows 'Slide to unlock' or no lock at all).

These instructions are for Android 4.0 and up (ICS, Jelly Bean, …). If your Android device has a file called “/system/etc/security/cacerts.bks”, then this tutorial is not for you; you can use the instructions from the cacert.org site to add certificates to this file ('way2' or 'way3').

Instructions for Android 4.0 and up

For obvious security reasons I will not host the certificates here. Instead I'll show you how to create these yourself, how to install them on your Android device, and how to verify that everything is correctly installed.

Creating the certificates for use in Android

You will need a rooted phone (or at least temporary root access), and a system with openssl software for creating the new certificates.

Get the CAcert root certificates from the cacert.org website: https://www.cacert.org/index.php?id=3. Download the root certificate in PEM format (root.crt) and the Class 3 PKI key in PEM format (class3.crt).

Get the hash of the root.crt certificate:

      openssl x509 -inform PEM -subject_hash_old -in root.crt | head -1

This shows you the hash; in the case of the CAcert PEM file 'root.crt' it is '5ed36f99' (note the use of '-subject_hash_old' instead of '-subject_hash', to get an OpenSSL 0.9-compatible hash).

We will use this hash value, append '.0' (dot zero) and use this as the filename for the resulting Android certificate:

      cat root.crt > 5ed36f99.0
      openssl x509 -inform PEM -text -in root.crt -out /dev/null >> 5ed36f99.0

Repeat these steps for the Class 3 PEM certificate file 'class3.crt'.

If things go well you will end up with the files 5ed36f99.0 and e5662767.0 (if you get the hash values 590d426f and 99d0fa06, you are not using the '-subject_hash_old' parameter to openssl)

md5sum of the certificate files:

      05e5fcd7af6ba52e254d065b734213ab 5ed36f99.0
      000e8e995568091e1d411ff6deb4c118 e5662767.0

Importing certificates into Android

Copy the files to the /sdcard folder, either with any file manager or with adb push.

Go into adb shell (run adb shell from the command line), or open the 'terminal' application on your Android device. You will get a command prompt similar to shell@android:/ $

Gain superuser/root rights, necessary to perform privileged actions:

      su

Make the /system folder writable (will return to read-only upon reboot):

      mount -o remount,rw /system

Copy the new certificate files to the correct folder on your Android device:

      cp /sdcard/5ed36f99.0 /system/etc/security/cacerts/
      cp /sdcard/e5662767.0 /system/etc/security/cacerts/

Correct the file permissions to u=rw, g=r, o=r:

      cd /system/etc/security/cacerts/
      chmod 644 5ed36f99.0
      chmod 644 e5662767.0

Check if the files are ok:

      ls -al -Z

Omit '-Z' if you are using a version of Android without SELinux; it just shows some extra security settings (the SELinux context), which might be useful if you run into trouble.

Amongst the other default Android certificate files, you will see the two new files:

      -rw-r--r-- root root u:object_r:system_file:s0 5ed36f99.0
      -rw-r--r-- root root u:object_r:system_file:s0 e5662767.0

The certificates will be loaded upon the next boot of your device, so reboot your device:

      reboot

Verify certificates are installed

After the reboot, go to Settings → Security → Certificates. It should list both “CAcert Inc.” and “Root CA” among the other certificates in the 'System' section. Make sure that these CAcert certificates are not also in the 'User' (user defined) section.

From your Android device, visit https://www.cacert.org. If you do not see a warning about missing or untrusted certificates, all went well.

Note that some browsers might use their own certificate store instead of the Android one; you might need to import the certificate files into those browsers as well.

Disabling Android PIN/Pattern lock screen

Error message: “disabled by administrator encryption policy or credential storage” (Dutch: “uitgeschakeld door beheerder, coderingsbeleid of opslag aanmeldingsgegevens.”)

If you are unable to disable the PIN lockscreen after installing the system certificates, you might need to “Clear/delete credentials” (in Settings → Security).

Problems?

If you run into problems, check the md5 sums of the certificate files and check the file permissions on Android.

Make sure no user certificates are installed (Settings → Security → Clear certificates), and make sure you are using a browser app that uses the Android certificate store and does not implement its own certificate store.

In the future, newer versions of openssl might be used on Android; if so, you might need to drop the “_old” part of the “-subject_hash_old” openssl parameter.

If you find errors on my page (whether or not you can correct them), please let me know via sgiebels underscore androidwiki * pcprobleemloos.nl

Yours, Sebastiaan Giebels

cacert.txt · Last modified: 2023-02-28 19:34 by 127.0.0.1