Android Certificates

Mark Berry December 21, 2010

I’m enjoying my new Samsung Captivate, still running Android 2.1 (c’mon, AT&T, let’s see 2.2!). But I’ve found that Android doesn’t trust the SSL certificate I installed from StartSSL. No problem, I just need to add that to the list of trusted certificates, right? Not so fast.

It seems that Android has gotten to version 2.2 without implementing a user-editable certificate store. Even figuring that out was a challenge: it's mostly a matter of wading through Android bug reports. Here are a few references; in the bug reports, click on the star at the bottom, above the comment box, to be notified of updates:


Here’s a StackOverflow question on how to install a cert manually.

Importing CACert root certificates into Android. Looks like this procedure is for Unix users.

StartCom Root CA trusted as of Android 2.2. Issue 5657; see comment 24.

List of trusted Certification Authorities as of September 9, 2010: Issue 10985; see comment 11. That comment says the current source code should be here, but I get a 500 error on that page. It looks like it is here now. There is one file per certificate. A shell script named certimport.sh "recreates the cacerts.bks file from the x509 CA certificates in the cacerts directory." Somewhere I read that cacerts.bks winds up on the phone as /etc/security/cacerts.bks, but I don't have access to that. (The fact that the certs are hard-coded in source code is of course the main problem.)

Long bug thread about editing CA certs: Issue 6207; see comment 48 about why it was closed unsolved. Also a brief note that the Android certificate installer available from the Settings > Location and security > Credential storage user interface only affects the VPN; certificates installed there are not used by the browser, email client, or third-party applications.

Current bug thread, replacing 6207, about managing CA certs: Issue 11231. Comment 8 has more detail about only VPN and WiFi using the user-modifiable keystore.

Site for creating a cert to use with WiFi: http://www.realmb.com/droidCert.

Some SSL issues are really issues with intermediate certificates, i.e. the server does not send the intermediate CA cert at all, or sends the chain in the wrong order, so a client that only knows the root cannot build a path to it: Issue 1946. Comment 21 says there may be some improvements (in 2.2?) to handle out-of-order certificates. This site tests certificates: http://www.ssltest.net.
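The following script is an added example, not code from the original post or from any of the linked bug reports. It uses nothing but the openssl command line to build a throwaway chain (the names Example Root CA, Example Intermediate CA, Other Root CA and mail.example.test are made up for the example) and then reproduces the three situations discussed above: the leaf verifies only when the intermediate is supplied alongside it, it never verifies against a trust store that lacks the real root (the StartSSL-on-Android-2.1 situation), and a chain file whose certificates are not in leaf-first order is flagged. The check helpers verify_leaf and chain_ordered are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "intermediate
# certificate" failure mode with a throwaway chain built by openssl.
# All names (Example Root CA, Example Intermediate CA, Other Root CA,
# mail.example.test) are made up for this demonstration.
set -e
WORK="$(mktemp -d)"

# Extension files: CA certs must carry basicConstraints CA:TRUE or modern
# verifiers refuse to use them as issuers; the leaf is explicitly CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"

# new_key_and_csr NAME SUBJECT: RSA key plus CSR in $WORK/NAME.key and .csr
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Root is self-signed, intermediate is signed by root, leaf by intermediate.
new_key_and_csr root "/CN=Example Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
new_key_and_csr int "/CN=Example Intermediate CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
new_key_and_csr leaf "/CN=mail.example.test"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
# An unrelated root stands in for a trust store that lacks the real root.
new_key_and_csr other "/CN=Other Root CA"
openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 3650 \
  -extfile "$WORK/ca.ext" -out "$WORK/other.pem" 2>/dev/null

# verify_leaf TRUSTED_ROOT LEAF [INTERMEDIATE]: returns 0 if LEAF chains to
# TRUSTED_ROOT, else 1. Grepping for ": OK" keeps the result independent of
# old openssl builds whose "verify" exit status was unreliable.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
  fi
}

# chain_ordered BUNDLE: returns 0 if every certificate in the PEM bundle is
# directly followed by its issuer (leaf first), the order TLS expects and
# the order older clients insisted on; returns 1 otherwise.
chain_ordered() {
  d="$WORK/split.$$"
  rm -rf "$d" && mkdir "$d"
  n=$(awk -v dir="$d" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%03d.pem", dir, n) }
    n { print > f }
    END { print n + 0 }' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    iss=$(openssl x509 -in "$d/c$(printf '%03d' "$i").pem" -noout -issuer  | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$d/c$(printf '%03d' "$j").pem" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || return 1
    i=$j
  done
  return 0
}

# Chain bundles as a server might send them; leaf first is the correct order.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain_ok.pem"
cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/chain_reversed.pem"

report() { if "$@"; then echo "OK   : $*"; else echo "FAIL : $*"; fi; }
report verify_leaf "$WORK/root.pem"  "$WORK/leaf.pem"                  # FAIL: intermediate missing
report verify_leaf "$WORK/root.pem"  "$WORK/leaf.pem" "$WORK/int.pem"  # OK
report verify_leaf "$WORK/other.pem" "$WORK/leaf.pem" "$WORK/int.pem"  # FAIL: root not trusted
report chain_ordered "$WORK/chain_ok.pem"                              # OK
report chain_ordered "$WORK/chain_reversed.pem"                        # FAIL: out of order
```

To run the same checks against a real server, capture what it actually sends with `openssl s_client -connect host:443 -showcerts </dev/null`, save the PEM blocks in the order they appear, and pass that file to chain_ordered; if the first verify_leaf case fails but the second passes, the server is omitting its intermediate, which is exactly the class of problem Issue 1946 describes. The first failure mode is the one a user-editable trust store cannot fix: it has to be corrected on the server.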

Conclusion

Android 2.1 and 2.2 allow you to import certificates, but only for use with WiFi and VPN. There is no user interface for updating the list of trusted root certificates, but there is discussion about adding that feature. It’s unclear whether there is a reliable workaround for manually updating and replacing the cacerts.bks file.



7 Comments

  1. Sole Viktor   |  January 01, 2011 at 1:35 pm

    Android 1.6 and 2.1-update1 do not support StartSSL; however, 2.2 and 2.2.1 seem to support it fine. You might be interested in looking at http://www.ssltest.net/compare/. It is our newest project in the line of SSL testing, working on mapping what clients work with different SSL certificates.

    We are a lot of people needing to know what SSL certificates work with different mobile phones, this tool and the resulting comparison chart should help us with this in the future.

    And thanks for the link to the server SSL testing tool http://www.ssltest.net

    Regards, Sole

  2. Good-Bye Android | MCB Systems   |  February 11, 2011 at 2:18 pm

    [...] Android 2.1 doesn’t support the StartSSL certificate used by my Exchange server. And as I blogged here, Android does not allow trusting new certificates unless you root (hack) the phone and start [...]

  3. Why Apple (and Sony, Amazon, Microsoft etc.) Should Support Jailbreaking | Electronic Frontier Foundation   |  December 05, 2011 at 9:56 am

    [...] allowing malicious users to compromise devices and services. Early versions of Android didn’t update automatically, leaving users with older operating systems no recourse except to jailbreak their [...]

  4. Why Apple (and Sony, Amazon, Microsoft etc.) Should Support Jailbreaking | GrassrootsHeadlines.com   |  December 10, 2011 at 3:03 am

    [...] allowing malicious users to compromise devices and services. Early versions of Android didn’t update automatically, leaving users with older operating systems no recourse except to jailbreak their [...]

  5. Natanael L   |  December 13, 2011 at 1:15 am

    Take a look at CACertMan:
    https://market.android.com/details?id=info.guardianproject.cacert

  6. How to install trusted CA certificate on Android device? - Android Questions - Developers Q & A   |  July 21, 2013 at 1:25 am

    [...] and links: http://www.mcbsys.com/techblog/2010/12/android-certificates/. In that post, see the link to Android bug 11231–you might want to add your vote and query to [...]

  7. neaty   |  January 12, 2014 at 1:38 pm

    There is a certificate error which does not allow me to download or install games or applications. Any idea on how to fix this? Android 2.2.
