cacerts.bks does not exist

Question

I have rooted my Android (4.0.4) phone and installed an app which proxies all HTTP traffic through my computer. This works fine and I can see and modify all HTTP requests. But HTTPS-traffic does not pass through. I have exported the certificate of my proxy but I found out that there is no cacert.bks-file in the /system/etc/security-folder.

So how can I add my custom certificate to the list of trusted certificates using keytool?

Answer 1

I had the issue with a self signed webserver certificate which I could not install by just open it. I've got a "CertInstaller(28614): didn't find matched private key" in logcat. My solution:

If you want to install new certificates into the android system cacert store when it does not use the bks file anymore:

You have to have root of course.

1. You have to get the certificate (export from browser) as pem format. PEM is a encoded format like:

-----BEGIN CERTIFICATE-----
MIIDtjCCAp6gAwIBAgIQRJmNPMADJ72cdpW56tustTANBgkqhkiG9w0BAQUFADB1
...
-----END CERTIFICATE----- 

2. You have to get the hash for the subject name.

   openssl x509 -inform PEM -subject_hash -in yourcert.crt

You will get something like 0d188d89 back.

3. You have to get the text version of the certificate.

   openssl x509 -inform PEM -text -in yourcert.crt > yourcert.txt

4. You have to switch the text and the pem section within a editor. It should look like this:

-----BEGIN CERTIFICATE-----
MIIDtjCCAp6gAwIBAgIQRJmNPMADJ72cdpW56tustTANBgkqhkiG9w0BAQUFADB1
...
-----END CERTIFICATE----- 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
...

5. You rename the file to "0d188d89.0"

6. Copy the file with adb or something else to /system/etc/security/cacerts/.

You can check by just going into settings / security / trusted credentials / system The certs are sorted by the "Organization" field from the certs.

Information used from: http://nelenkov.blogspot.de/2011/12/ics-trust-store-implementation.html

Answer 2

Afaik, you dont have to root your device to install your trusted certificates after ICS. There is setting for that.

http://support.google.com/android/bin/answer.py?hl=en&answer=1649774

Answer 3

Due to the use of an oder openssl (0.9.*) on android, I had to use "-subject_hash_old" instead of -subject_hash" in post https://stackoverflow.com/a/18390177/3043726 of user user2708846 here.

I've summarized the steps I took (including changing file permissions, copying the file to the android device, and help on how to verify that the certificates are installed correctly) at the cyanogenmod forum http://forum.cyanogenmod.com/topic/82875-installing-cacert-certificates-on-android-as-system-credentials-without-lockscreen/ and on my own blog http://wiki.pcprobleemloos.nl/android/