How to import CAcert root certificate into Android pre-Ice Cream Sandwich (Gingerbread, Froyo, ...

Before Android 4.0 (dubbed "ICS", "Ice Cream Sandwich"), there was a single read-only file (/system/etc/security/cacerts.bks) containing the trust store with all the CA certificates trusted by default on Android. Both system apps and applications developed with the Android SDK use this file.

Way 1: on Android 4.0 and higher.

See the main article on how to import the CAcert root certificate into Android: FAQ/ImportRootCert

Way 2: Android SDK

Prerequisites:

Step 1: Obtain required files

Step 2: Fetch cacerts.bks from phone

$ adb pull /system/etc/security/cacerts.bks cacerts.bks
407 KB/s (51899 bytes in 0.124s)

(File sizes and transfer speeds may vary)

Step 3: Import CAcert into cacerts.bks

$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias CACERT -file root_X0F.crt
Owner: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Serial number: 0F
Valid from: Sun Mar 30 09:29:49 GMT-03:00 2003 until: Tue Mar 29 09:29:49 GMT-03:00 2033
Certificate fingerprints:
 /!\     MD5:  A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B                /!\ REPLACED BY SHA256: & <fingerprint>
         SHA1: dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5
         Signature algorithm name: SHA256RSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 16 B5 32 1B D4 C7 F3 E0   E6 8E F3 BD D2 B0 3A EE  ..2...........:.
0010: B2 39 18 D1                                        .9..
]
]

#3: ObjectId: 2.16.840.1.113730.1.8 Criticality=false

#4: ObjectId: 2.16.840.1.113730.1.4 Criticality=false

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: https://www.cacert.org/revoke.crl]
]]

#6: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 16 B5 32 1B D4 C7 F3 E0   E6 8E F3 BD D2 B0 3A EE  ..2...........:.
0010: B2 39 18 D1                                        .9..
]

[EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA]
SerialNumber: [    00]
]

#7: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

Trust this certificate? [no]:  yes
Certificate was added to keystore

Verify whether import was successful:

$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list| grep -i cacert
Alias name: CACERT
Owner: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,E=support@cacert.org
Issuer: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,E=support@cacert.org

Optional: Repeat this step for class3_x14E228.crt, using -alias CACERT3. Verification should then report both certificates.
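The grep check above only confirms that a CACERT entry is present. The following added example (not part of the original page) goes further: it compares a `-v -list` listing saved before the import with one saved after it, and passes only if the single change is the new alias with the expected SHA1 fingerprint. The function names, the sample files and the listing layout (`Alias name:` and `SHA1:` lines, as in the output shown on this page) are assumptions.

```shell
#!/bin/sh
# Added example: audit what an import changed in cacerts.bks by comparing two
# `keytool ... -v -list` listings (taken before and after Step 3).
export LC_ALL=C

# norm_fp FP: strip colons/whitespace and upper-case, so dd:fc:.. == DD:FC:..
norm_fp() { printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'; }

# alias_fps: read a -v listing on stdin, print sorted "alias<TAB>SHA1" pairs.
alias_fps() {
    awk '/^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); alias = $0; next }
         /^[ \t]*SHA1:/ && alias != "" {
             sub(/^[ \t]*SHA1:/, ""); gsub(/[: \t\r]/, "")
             print alias "\t" toupper($0); alias = "" }' | sort
}

# store_diff BEFORE AFTER: "- " lines left the store, "+ " lines entered it.
# A replaced certificate shows up as one "-" and one "+" for the same alias.
store_diff() {
    b=$(mktemp); a=$(mktemp)
    alias_fps <"$1" >"$b"; alias_fps <"$2" >"$a"
    comm -23 "$b" "$a" | sed 's/^/- /'
    comm -13 "$b" "$a" | sed 's/^/+ /'
    rm -f "$b" "$a"
}

# check_import BEFORE AFTER ALIAS SHA1: succeed only if the single change is
# the addition of ALIAS carrying exactly the expected fingerprint.
check_import() {
    want=$(printf '+ %s\t%s' "$3" "$(norm_fp "$4")")
    [ "$(store_diff "$1" "$2")" = "$want" ]
}

# Constructed sample listings: aliases 0/1 and their shortened fingerprints
# are made up; the CACERT SHA1 is the one printed in Step 3.
CACERT_SHA1='dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5'
SAMPLES=$(mktemp -d)
entry() { printf 'Alias name: %s\nCertificate fingerprints:\n\t SHA1: %s\n\n' "$1" "$2"; }
{ entry 0 'AA:00:11'; entry 1 'BB:22:33'; } >"$SAMPLES/before.txt"
{ entry 0 'AA:00:11'; entry 1 'BB:22:33'; entry CACERT "$CACERT_SHA1"; } >"$SAMPLES/after.txt"
{ entry 0 'AA:00:11'; entry 1 'EE:EE:EE'; entry CACERT "$CACERT_SHA1"; } >"$SAMPLES/tampered.txt"

if check_import "$SAMPLES/before.txt" "$SAMPLES/after.txt" CACERT "$CACERT_SHA1"
then echo "OK: only CACERT was added"; else echo "UNEXPECTED CHANGES"; fi
# A listing in which alias 1 was also swapped is reported as -/+ lines:
store_diff "$SAMPLES/before.txt" "$SAMPLES/tampered.txt"
```

With real data, save the output of the `-v -list` command from this step once before and once after the import, and pass those two files to check_import.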

Step 4: Upload cacerts.bks to phone

To write the file back to your /system partition you have to remount it with read-write permissions.

# remount /system read-write
$ adb shell mount -o remount,rw /system

If this command does not work on your phone, run mount without arguments to find out how /system is mounted. For example, on a Samsung Galaxy S, /system is an rfs file system and the working syntax was:

mount -o rw,remount -t rfs /dev/block/stl9 /system

# upload the new certs file
$ adb push cacerts.bks /system/etc/security/
780 KB/s (53788 bytes in 0.067s)

# remount /system read-only
$ adb shell mount -o remount,ro /system
## Samsung Galaxy: mount -o ro,remount -t rfs /dev/block/stl9 /system

Step 6: Reboot your phone

Reboot to ensure the certificate list gets reloaded.

Try https://www.cacert.org (warning should disappear)

Way 3: Android Terminal Emulator

Prerequisites:

Step 1: Obtain required files

Step 2: Fetch cacerts.bks from phone

cp /system/etc/security/cacerts.bks /sdcard/

Copy the file to your computer.

Step 3: Import CAcert into cacerts.bks

Same as Step 3 of Way 2 (Android SDK).

Step 4: Upload cacerts.bks to phone

Copy the new cacerts.bks back to the SD card.

Execute the commands given above in Step 4 directly in your Android Terminal Emulator. (As above, find out how your /system partition is mounted.)

mount -o remount,rw /system
## or on Galaxy S with rfs filesystem: mount -o rw,remount -t rfs /dev/block/stl9 /system

## upload the new certs file
cp /sdcard/cacerts.bks /system/etc/security/

# remount /system read-only
mount -o remount,ro /system
## or: mount -o ro,remount -t rfs /dev/block/stl9 /system

Step 6: Reboot your phone

See Way 2 (Android SDK)!

Howto in German language

FAQ/ImportRootCertAndroidPreICS (last edited 2021-07-14 09:51:13 by AlesKastner)