Table of Contents
Installing CAcert certificates on Android as 'system' credentials without lockscreen - instructions
Note: this article has been integrated into the CAcert's 'How can I trust CAcert's root certificate?' page. I will try to keep both this page as well as the CAcert page updated, please contact me at pcprobleemloos.nl (yes, that is an e-mail address) if you find any errors.
The existing method of importing user certificates works fine, but it has the disadvantage that it requires a PIN / password lockscreen whenever user certificates are installed. By installing the CAcert certificates as system certificates, these files are better protected from tampering by malicious apps, and there is no lockscreen requirement (allows 'Slide to unlock' or no lock at all).
These instructions are for Android 4.0 and up (ICS, Jelly Bean, …). If your android device has a file called “/system/etc/security/cacerts.bks”, then this tutorial is not for you; you can use the instructions from cacert.org site to add certificates to this file ('way2' or 'way3').
Instructions for Android 4.0 and up
For obvious security reason I will not host the certificates here. Instead I'll show you how to create these yourself, how to install them on your android device, and how to verify everything is correctly installed.
Creating the certificates for use in Android
You will need a rooted phone (or at least temporary root access), and a system with openssl software for creating the new certificates.
Get CAcert root certificates from the cacert.org website https://www.cacert.org/index.php?id=3 Download the root certificate PEM format (root.crt) and the Class 3 PKI key in PEM format (class3.crt)
Get the hash of the root.crt certificate:
openssl x509 -inform PEM -subject_hash_old -in root.crt | head -1
This shows you the hash, in the case of the CAcert PEM file 'root.crt' it is '5ed36f99' (note the use of '-subject_hash_old' instead of '-subject_hash', to get an openssl 0.9 compatible hash)
We will use this hash value, append '.0' (dot zero) and use this as the filename for the resulting Android certificate:
cat root.crt > 5ed36f99.0 openssl x509 -inform PEM -text -in root.crt -out /dev/null >> 5ed36f99.0
Repeat these steps for the Class 3 PEM certificate file 'class3.crt'.
If things go well you will end up with the files 5ed36f99.0 and e5662767.0 (if you get the hash values 590d426f and 99d0fa06, you are not using the '-subject_hash_old' parameter to openssl)
md5sum of the certificate files:
Importing certificates into Android
Copy the files to the /sdcard folder, either with any file manager or with
Go into adb shell (
adb shell from commandline), or open the 'terminal'-application on your
You will get a command prompt similar like
Gain superuser/root rights, neccessary to perform privileged actions:
Make the /system folder writable (will return to read-only upon reboot):
mount -o remount,rw /system
Copy the new certificate files to the correct folder on your Android device:
cp /sdcard/5ed36f99.0 /system/etc/security/cacerts/ cp /sdcard/e5662767.0 /system/etc/security/cacerts/
Correct the file permissions to u=rw, g=r, o=r:
cd /system/etc/security/cacerts/ chmod 644 5ed36f99.0 chmod 644 e5662767.0
Check if the files are ok:
ls -al -Z
Omit '-Z' if you are using a version of Android without SElinux, it just shows some extra security settings which might be useful if you run into trouble.
Amongst the other default android certificate files, you will see the two new
-rw-r–r– root root u:object_r:system_file:s0 5ed36f99.0
-rw-r–r– root root u:object_r:system_file:s0 e5662767.0
The certificates will be loaded upon the next boot of your device, so reboot your device:
Verify certificates are installed
After the reboot, go to Settings → Security → Certificates. It should list both “CAcert Inc.” and “Root CA” among the other certificates in the 'System' section. Make sure that these CAcert certificates are not also in the 'User' (user defined) section.
From your android device, visit https://www.cacert.org If you do not see a warning about missing or untrusted certificates, all went well.
Note that some browsers might use their own certificate store instead of the Android one, you might need to import certificate files into those browsers as well.
Disabling Android PIN/Pattern lock screen
Error mesage: “disabled by administrator encryption policy or credential storage” (dutch) Foutmelding: “uitgeschakeld door beheerder, coderingsbeleid of opslag aanmeldingsgegevens.”
If you are unable to disable the PIN lockscreen after installing the system certificates, you might need to “Clear/delete credentials” (in Settings → Security)
If you run into problems, check md5 sum of the certificate files, check file permissions on android.
Make sure no user certificates are installed (Settings → Security → Clear certificates), and make sure you are using a browser app that uses the android certificate store and does not implement an own certificate store.
In the future, newer versions of openssl might be used on android, if so, you might need to drop the “_old”-part of the “-subject_hash_old” openssl parameter.
In the case you find errors on my page (whether or not you can correct it), please let me know via sgiebels underscore androidwiki * pcprobleemloos.nl
Yours, Sebastiaan Giebels
Official CAcert instructions regarding importing CAcert as user certificates or into cacerts.bks (Android <4.2): http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones
StackOverflow: “cacerts.bks does not exist” openssl commands http://stackoverflow.com/a/18390177/3043726
OpenSSL note regarding android certificates: http://patrick.vande-walle.eu/hardware/android/adding-ssl-root-certificates-to-android-ics-and-jellybean/
Adding a CA Without Requiring a PIN: http://oldwiki.cyanogenmod.org/wiki/Add_Manual_CA (they make the mistake of not using the certificate hash as filename)
My own post there: http://forum.cyanogenmod.com/topic/82875-installing-cacert-certificates-on-android-as-system-credentials-without-lockscreen/
German CAcert.org site regarding adding a Certificate Authority (CA) on older Android versions (/system/etc/security/cacerts.bks ): http://wiki.cacert.org/CAcertF%C3%BCrAndroid-Import
Slightly related: http://android.stackexchange.com/questions/48122/cant-disable-pattern-screen-lock http://www.transformerforums.com/forum/transformer-prime-help/20284-i-want-slide-unlock-back-but-sys-admin-seems-have-locked-me-out.html http://forums.androidcentral.com/android-4-1-4-2-4-3-jelly-bean/293164-disabled-administrator-encryption-policy-credential-storage.html