User Tools

Site Tools


Installing CAcert certificates on Android as 'system' credentials without lockscreen - instructions

Note: this article has been integrated into the CAcert's 'How can I trust CAcert's root certificate?' page. I will try to keep both this page as well as the CAcert page updated, please contact me at (yes, that is an e-mail address) if you find any errors.

The existing method of importing user certificates works fine, but it has the disadvantage that it requires a PIN / password lockscreen whenever user certificates are installed. By installing the CAcert certificates as system certificates, these files are better protected from tampering by malicious apps, and there is no lockscreen requirement (allows 'Slide to unlock' or no lock at all).

These instructions are for Android 4.0 and up (ICS, Jelly Bean, …). If your android device has a file called “/system/etc/security/cacerts.bks”, then this tutorial is not for you; you can use the instructions from site to add certificates to this file ('way2' or 'way3').

Instructions for Android 4.0 and up

For obvious security reason I will not host the certificates here. Instead I'll show you how to create these yourself, how to install them on your android device, and how to verify everything is correctly installed.

Creating the certificates for use in Android

You will need a rooted phone (or at least temporary root access), and a system with openssl software for creating the new certificates.

Get CAcert root certificates from the website Download the root certificate PEM format (root.crt) and the Class 3 PKI key in PEM format (class3.crt)

Get the hash of the root.crt certificate:

      openssl x509 -inform PEM -subject_hash_old -in root.crt | head -1

This shows you the hash, in the case of the CAcert PEM file 'root.crt' it is '5ed36f99' (note the use of '-subject_hash_old' instead of '-subject_hash', to get an openssl 0.9 compatible hash)

We will use this hash value, append '.0' (dot zero) and use this as the filename for the resulting Android certificate:

      cat root.crt > 5ed36f99.0
      openssl x509 -inform PEM -text -in root.crt -out /dev/null >> 5ed36f99.0

Repeat these steps for the Class 3 PEM certificate file 'class3.crt'.

If things go well you will end up with the files 5ed36f99.0 and e5662767.0 (if you get the hash values 590d426f and 99d0fa06, you are not using the '-subject_hash_old' parameter to openssl)

md5sum of the certificate files:

05e5fcd7af6ba52e254d065b734213ab 5ed36f99.0

000e8e995568091e1d411ff6deb4c118 e5662767.0

Importing certificates into Android

Copy the files to the /sdcard folder, either with any file manager or with adb push.

Go into adb shell (adb shell from commandline), or open the 'terminal'-application on your android device. You will get a command prompt similar like shell@android:/ $

Gain superuser/root rights, neccessary to perform privileged actions:


Make the /system folder writable (will return to read-only upon reboot):

      mount -o remount,rw /system

Copy the new certificate files to the correct folder on your Android device:

      cp /sdcard/5ed36f99.0 /system/etc/security/cacerts/
      cp /sdcard/e5662767.0 /system/etc/security/cacerts/

Correct the file permissions to u=rw, g=r, o=r:

      cd /system/etc/security/cacerts/
      chmod 644 5ed36f99.0
      chmod 644 e5662767.0

Check if the files are ok:

      ls -al -Z

Omit '-Z' if you are using a version of Android without SElinux, it just shows some extra security settings which might be useful if you run into trouble.

Amongst the other default android certificate files, you will see the two new files: -rw-r–r– root root u:object_r:system_file:s0 5ed36f99.0 and -rw-r–r– root root u:object_r:system_file:s0 e5662767.0

The certificates will be loaded upon the next boot of your device, so reboot your device:


Verify certificates are installed

After the reboot, go to Settings → Security → Certificates. It should list both “CAcert Inc.” and “Root CA” among the other certificates in the 'System' section. Make sure that these CAcert certificates are not also in the 'User' (user defined) section.

From your android device, visit If you do not see a warning about missing or untrusted certificates, all went well.

Note that some browsers might use their own certificate store instead of the Android one, you might need to import certificate files into those browsers as well.

Disabling Android PIN/Pattern lock screen

Error mesage: “disabled by administrator encryption policy or credential storage” (dutch) Foutmelding: “uitgeschakeld door beheerder, coderingsbeleid of opslag aanmeldingsgegevens.”

If you are unable to disable the PIN lockscreen after installing the system certificates, you might need to “Clear/delete credentials” (in Settings → Security)


If you run into problems, check md5 sum of the certificate files, check file permissions on android.

Make sure no user certificates are installed (Settings → Security → Clear certificates), and make sure you are using a browser app that uses the android certificate store and does not implement an own certificate store.

In the future, newer versions of openssl might be used on android, if so, you might need to drop the “_old”-part of the “-subject_hash_old” openssl parameter.

In the case you find errors on my page (whether or not you can correct it), please let me know via sgiebels underscore androidwiki *

Yours, Sebastiaan Giebels


cacert.txt · Last modified: 2023-02-28 19:34 by