XDA Developers Android and Mobile Development Forum

HOWTO Install a custom cert without "Your network could be monitored" message

forceu
(Last edited by forceu; 21st November 2013 at 08:35 AM.)
#1

As an app developer, I have various servers to process my orders / act as backups etc - to enable secure connections, I am using SSL, but it would be a waste of money to buy a certificate just for internal communication.

The same problem applies to companies / individuals who need certificates for accessing wifi - since KitKat you are always greeted with a big message telling you that your network might be monitored.

The solution to this problem is to install the certificate on your rooted phone's internal storage; this also has the side effect that a secure lockscreen is not needed (but I still recommend it for rooted phones!).

How-To:

This is a guide written for Nexus 5 devices. If the file /system/etc/security/cacerts.bks exists on your device, refer to this tutorial.

Method 1:
  1. Add the certificate to your custom certificates in Android Settings
  2. Move the new file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/

Method 2:
  1. Save your certificate in the PEM format
  2. Get the subject of the certificate with "openssl x509 -inform PEM -subject_hash -in CERTIFICATE.FILE". It should be in a format similar to e.g. "0b112a89"
  3. Save the certificate into a text file with "openssl x509 -inform PEM -text -in CERTIFICATE.FILE > yourcert.txt"
  4. Switch the PEM section and the text, "-----BEGIN CERTIFICATE-----[...]" has to be at the beginning of the file
  5. Rename the file to 0b112a89.0 (replace with the subject you got in step 2)
  6. Copy the file into /system/etc/security/cacerts/ and make sure chmod permissions are set to 0644 (rw,r,r)
  7. Your certificate should now show up in the trusted certificate list
  8. If that doesn't work, disable and enable the certificate in Android Settings, which creates a file in /data/misc/keychain/cacerts-added/. Move that file to /system/etc/security/cacerts/ and delete your original file from step 6



I hope that helps some people out there solve this annoyance.

Source: http://stackoverflow.com/a/18390177/819367
 
King ov Hell
#2
It's public. Congratulations
 
Maurice5813
#3
will this work on other devices?
 
SubZero5
(Last edited by SubZero5; 21st November 2013 at 02:22 AM.)
#4
Worked on my i9300 on 4.3

Got CaCert.org Root Certificate (PEM Format) at http://www.cacert.org/certs/root.crt renamed to 5ed36f99.0 and dropped in /system/etc/security/cacerts/ with chmod 644 and chown root:root
Device: Asus Google Nexus 7 16Gb (Stock)
Device: Samsung Galaxy SIII i9300 32Gb (Stock)
 
forceu
#5
Quote:
Originally Posted by arDroid.99
will this work on other devices?
Yes, it should work on almost all Android Devices.
 
jeekajoo
(Last edited by jeekajoo; 8th December 2013 at 08:46 PM.)
#6
Procedure for cacert.org certificates installation

Here is my proc using linux. Adapt it to your environment:
Code:
# On the Linux host: download the CAcert root and class 3 certificates (PEM)
$ wget https://www.cacert.org/certs/root.crt
$ wget https://www.cacert.org/certs/class3.crt
# The PEM block goes first, in a file named <subject hash>.0
$ cat root.crt > 5ed36f99.0
$ cat class3.crt > e5662767.0
# Append the text form; -noout keeps a second PEM copy out of the file
$ openssl x509 -inform PEM -text -noout -in root.crt >> 5ed36f99.0
$ openssl x509 -inform PEM -text -noout -in class3.crt >> e5662767.0
# Push both files to the device and open a shell on it
$ ~/bin/android-sdk-linux/platform-tools/adb push e5662767.0 /sdcard/
$ ~/bin/android-sdk-linux/platform-tools/adb push 5ed36f99.0 /sdcard/
$ ~/bin/android-sdk-linux/platform-tools/adb shell
# On the device, as root: remount /system read-write and install the files
su
mount -o remount,rw /system
cp /sdcard/5ed36f99.0 /system/etc/security/cacerts/
cp /sdcard/e5662767.0 /system/etc/security/cacerts/
cd /system/etc/security/cacerts/
chmod 644 5ed36f99.0
chmod 644 e5662767.0
reboot
Enjoy

origin: https://fralef.me/links/?EZ9QtA
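
Added example, not part of any post in this thread: a host-side shell function that generalizes Method 2 from post #1 and the procedure in post #6 to any PEM certificate, and checks the certificate's fingerprint before the file is built. It assumes the openssl CLI on the host; the function name make_android_cacert and its optional expected-fingerprint argument are hypothetical. It uses -subject_hash_old because Android names the files in /system/etc/security/cacerts/ by the old MD5-based subject hash, which on OpenSSL 1.0.0 and later differs from what -subject_hash prints.

```shell
#!/bin/sh
# Added example: build the <hash>.0 file for Android's system CA directory
# from any PEM certificate. Function name and arguments are hypothetical.
# Usage: make_android_cacert CERT.pem OUTDIR [EXPECTED_SHA256_FINGERPRINT]
make_android_cacert() {
    cert=$1; outdir=$2; expected=$3

    # Refuse input that does not parse as a PEM X.509 certificate.
    if ! openssl x509 -inform PEM -in "$cert" -noout 2>/dev/null; then
        echo "not a PEM certificate: $cert" >&2; return 1
    fi

    # Before trusting a root, compare its SHA-256 fingerprint with one
    # obtained out of band (colon-separated hex, as openssl prints it).
    fp=$(openssl x509 -inform PEM -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)
    if [ -n "$expected" ] && [ "$fp" != "$expected" ]; then
        echo "fingerprint mismatch, got $fp" >&2; return 1
    fi

    # File name: old (MD5-based) subject hash plus ".0".
    hash=$(openssl x509 -inform PEM -in "$cert" -noout -subject_hash_old) || return 1
    out="$outdir/$hash.0"
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2; return 1
    fi

    # PEM block first, text dump after it, mode 0644 as in step 6.
    openssl x509 -inform PEM -in "$cert" -outform PEM > "$out" || return 1
    openssl x509 -inform PEM -in "$cert" -noout -text >> "$out" || return 1
    chmod 644 "$out" || return 1
    echo "fingerprint: $fp" >&2
    echo "$out"
}

# Run directly: sh make_cacert.sh CERT.pem OUTDIR [FINGERPRINT]
if [ "$#" -ge 2 ]; then
    make_android_cacert "$@"
fi
```

The function prints the path of the file it wrote; that file is what gets pushed to the device and copied into /system/etc/security/cacerts/ as in the posts above.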
 
mase76
#7
Tried it and works on Cyanogenmod 11. But it does not seem to survive a rom update.
 
bmg002
#8
Quote:
Originally Posted by mase76
Tried it and works on Cyanogenmod 11. But it does not seem to survive a rom update.
If I am not mistaken, that is expected behavior. /system gets blown away when you do a rom update.
 
mase76
#9
Quote:
Originally Posted by bmg002
if I am not mistaken, that is expected behavior. /system gets blown away when you do a rom update.
Yes, it is. So I have to remember to copy it back after flashing.
 
Trueglich
#10
OK, stupid question: what program are you using to move the certs? I am kinda new at this and I have tried 3 different root explorers and I still get access denied when I tried to move cert files. And yes, I am rooted.
