## 20210714 AK ---- [[FAQ/ImportRootCertAndroidPreICS/CZ|česky]] | '''english''' ---- = How to import CAcert root certificate into Android pre-Ice Cream Sandwich (Gingerbread, Froyo, ... = Before Android 4.0 (dubbed "ICS", "Ice Cream Sandwich"), there was a single read-only file ( /system/etc/security/cacerts.bks ) containing the trust store with all the CA certificates trusted by default on Android. Both system apps and applications developed with the Android SDK use this. ==== Way 1: on Android 4.0 and higher. ==== See the main article on how to import CAcert root certificate into Android [[FAQ/ImportRootCert]] ==== Way 2: Android SDK ==== Prerequisites: * On Phone * Root access * On Computer * Java 1.6 * Android SDK * Root/Administrator access, or CLASSPATH editing skills ===== Step 1: Obtain required files ===== * Download http://bouncycastle.org/download/bcprov-jdk16-141.jar and place it on $JAVA_HOME/jre/lib/ext/ * Download http://www.cacert.org/certs/root_X0F.crt to your work directory * Optional: Download http://www.cacert.org/certs/class3_x14E228.crt to your work directory ===== Step 2: Fetch cacerts.bks from phone ===== {{{ $ adb pull /system/etc/security/cacerts.bks cacerts.bks 407 KB/s (51899 bytes in 0.124s) }}} (File sizes and transfer speeds may vary) ===== Step 3: Import CAcert into cacerts.bks ===== {{{ $ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias CACERT -file root_X0F.crt Owner: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA Serial number: 0F Valid from: Sun Mar 30 09:29:49 GMT-03:00 2003 until: Tue Mar 29 09:29:49 GMT-03:00 2033 Certificate fingerprints: /!\ MD5: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B /!\ REPLACED BY SHA256: & SHA1: dd:fc:da:54:1e:75:77:ad:dc:a8:7e:88:27:a9:8a:50:60:32:52:a5 Signature algorithm name: SHA256RSA Version: 3 Extensions: #1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] #2: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 16 B5 32 1B D4 C7 F3 E0 E6 8E F3 BD D2 B0 3A EE ..2...........:. 0010: B2 39 18 D1 .9.. ] ] #3: ObjectId: 2.16.840.1.113730.1.8 Criticality=false #4: ObjectId: 2.16.840.1.113730.1.4 Criticality=false #5: ObjectId: 2.5.29.31 Criticality=false CRLDistributionPoints [ [DistributionPoint: [URIName: https://www.cacert.org/revoke.crl] ]] #6: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 16 B5 32 1B D4 C7 F3 E0 E6 8E F3 BD D2 B0 3A EE ..2...........:. 0010: B2 39 18 D1 .9.. ] [EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA] SerialNumber: [ 00] ] #7: ObjectId: 2.16.840.1.113730.1.13 Criticality=false Trust this certificate? [no]: yes Certificate was added to keystore }}} Verify whether import was successful: {{{ $ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list| grep -i cacert Alias name: CACERT Owner: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,E=support@cacert.org Issuer: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,E=support@cacert.org }}} Optional: Repeat this step for class3_x14E228.crt, using -alias CACERT3. Verification should report both certificates available then. ===== Step 4: Upload cacerts.bks to phone ===== To write the file back to your /system partition you have to remount it with read-write permissions. {{{ # remount /system read-write $ adb shell mount -o remount,rw /system }}} If this command does not work on your phone, use mount to find out how /system is mounted. E.g. on a Samsung Galaxy S you find a rfs file system and the working syntax was {{{ mount -o rw,remount -t rfs /dev/block/stl9 /system }}} {{{ # upload the new certs file $ adb push cacerts.bks /system/etc/security/ 780 KB/s (53788 bytes in 0.067s) # remount /system read-only $ adb shell mount -o remount,ro /system ## Samsung Galaxy: mount -o ro,remount -t rfs /dev/block/stl9 /system }}} ===== Step 6: Reboot your phone ===== Reboot to ensure the certificate list gets reloaded. Try https://www.cacert.org (warning should disappear) ==== Way 3: Android Terminal Emulator ==== Prerequisites: * On Phone * Root access + any possibility to copy a file from SD card to computer ===== Step 1: Obtain required files ===== * Download http://bouncycastle.org/download/bcprov-jdk16-141.jar and place it on $JAVA_HOME/jre/lib/ext/ * Download http://www.cacert.org/certs/root_X0F.crt to your work directory * Optional: Download http://www.cacert.org/certs/class3_x14E228.crt to your work directory ===== Step 2: Fetch cacerts.bks from phone ===== {{{ cp /system/etc/security/cacerts.bks /sdcard/ }}} Copy the file to your computer. ===== Step 3: Import CAcert into cacerts.bks ===== Same as in way 1. ===== Step 4: Upload cacerts.bks to phone ===== Copy the new cacerts.bks back to the SD card. Execute the commands given above in Step 4 directly in your Android Terminal Emulator. (As above, find out how your /system partition is mounted.) {{{ mount -o remount,rw /system ## or on Galaxy S with rfs filesystem: mount -o rw,remount -t rfs /dev/block/stl9 /system ## upload the new certs file cp /sdcard/cacerts.bks /system/etc/security/ 780 KB/s (53788 bytes in 0.067s) # remount /system read-only mount -o remount,ro /system ## or: mount -o ro,remount -t rfs /dev/block/stl9 /system }}} ===== Step 6: Reboot your phone ===== See way 1! ==== Howto in German language ==== * another way is published in German [[CAcertImportFürAndroidImport]] * [[http://silkemeyer.net/root-zertifikate-von-cacert-in-android-importieren|silkemeyer blog]]