Originally Posted by xswistaqx
I need to push a certificate my university requires to connect to its wi-fi in a way that it would be considered a system one so I won't need to set a security lock (something android requires for login storage).
I've done it before on my LG O2X but it was running ICS and in JB the method I used doesn't work (at one point I managed to wipe ALL certificates :P). It used to be as simple as installing it, copying a folder, wiping storage login data and then pasting that folder back and rebooting. Now I've found at least 4 possible locations in which the certificate file can be stored :P.
So, anyone have an idea how to do it? And also which exact files should I copy (so I can create a zip to automate the process).
I just figured this out yesterday with my 4.3 JB android phone. I have my own root CA that I use to secure my personal server that I wish to access from my phone, and some of the apps I use require a trusted (shows up green in your browser) SSL cert. Being a cheap b*@$ard, I decided to make my own instead of buying one - also, I can be fairly sure the FBI / NSA haven't messed with my own.
Anyway, here's what I did:
You need first to create the file in the format that android wants. In my case, the certificate file is simply named "ca.crt," so I'll use that in my examples. You'll need openssl installed on whatever computer you're using for this.
First, we need to create the file that's formatted right for the phone:
$ cp ca.crt ca_phone.crt
$ openssl x509 -in ca.crt -text -fingerprint -noout >> ca_phone.crt
This gives you a file that looks kind of like this:
(bunch of gobbledegook)
(bunch of info about your certificate)
SHA1 Fingerprint=(SHA1 fingerprint of your cert)
Now, the hard part. If you take a look at your phone, under /system/etc/security/cacerts, you will see there are a bunch of files in there that have weird-looking names like 216caf34.0 and such - basically an 8 byte hex name with a .0 extension. Each one of those is a factory-installed trusted certificate! In order for them to be recognized by your phone, they have to be:
1. located in /system/etc/security/cacerts
2. have the proper permissions
3. have the proper file name
I'll show you how to do all that, assuming you have a rooted phone and adb working.
First, the name has to be a "hash" of the certificate contents itself. I found this out from reading this page: http://blog.kylemanna.com/android/20...-certificates/
The article is slightly wrong, though, because at least in the openssl install I have, there is no option called -subject_hash_old:
$ openssl x509 -in ca.crt -subject_hash -noout
(8 hexadecimal characters, i.e.: deadbeef)
The (8 hexadecimal characters) that command spits out is to be your file name. Yours should be unique. For my example, I'll use deadbeef.
$ mv ca_phone.crt deadbeef.0
Now, let's look in your phone to make sure there isn't already a deadbeef.0 in /system/etc/security/cacerts. There shouldn't be, but if there is, we can do something about it.
## First, make sure you're running adb as root:
$ adb root
## Next, remount /system as read-write:
$ adb remount
## Now, go in:
$ adb shell
## You're now in your phone's file system. Check to see
## if there's already a cert there with your filename:
~> ls -la /system/etc/security/cacerts/dead*
If there is, you'll have to rename your file to deadbeef.1 .. the extension is there for the unlikely event that 2 different certs have the same subject_hash. Increment the extension until you have a file that doesn't exist in the phone's folder.
Now, get out of adb shell:
Now that you're back in your certificate folder, you can push your cert to the phone:
$ adb push deadbeef.0 /system/etc/security/cacerts/deadbeef.0
## Now, lastly, we need to go back into the phone and make
## sure the permissions are right on that file:
## First, go into your phone:
$ adb shell
Now fix the perms:
~> chmod 644 /system/etc/security/cacerts/deadbeef.0
## Note that the file should also be owned by root and root. If it's not, do this:
~> chown root:root /system/etc/security/cacerts/deadbeef.0
And now you should be done. All that's left is to disconnect the USB cable and reboot your phone. Now your cert should be installed and recognized without having to lock your screen.
Hopefully I've given you enough information that you can create a flashable ZIP file with your cert in the right place so you can just flash that after flashing a new ROM and have everything work great.
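Added example, not part of the original post: a shell helper that builds the certificate file described above and names it against a local copy of the phone's cacerts directory, bumping the extension on a name collision. It tries -subject_hash_old first, because OpenSSL 1.0.0 and later moved the pre-1.0.0 hash that Android's file names use to that option; the function names, script name and staging directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Print the subject hash Android's cacerts file names use (the pre-1.0.0
# OpenSSL algorithm). OpenSSL >= 1.0.0 offers it as -subject_hash_old; older
# builds lack that option and their plain -subject_hash is the same algorithm.
android_subject_hash() {
    openssl x509 -in "$1" -noout -subject_hash_old 2>/dev/null ||
        openssl x509 -in "$1" -noout -subject_hash
}

# Print the name to use in directory $2 for hash $1 and candidate file $3:
# the first free "<hash>.N", or an existing one that is byte-identical.
pick_cacert_name() {
    hash=$1 dir=$2 new=$3 n=0
    while [ -e "$dir/$hash.$n" ]; do
        if cmp -s "$dir/$hash.$n" "$new"; then break; fi
        n=$((n + 1))
    done
    echo "$hash.$n"
}

# Build the PEM + text + fingerprint file from the post and store it, mode
# 644, under the right name in $2 (a local copy of the phone's cacerts).
stage_cacert() {
    cert=$1 dir=$2
    tmp=$(mktemp) || return 1
    openssl x509 -in "$cert" -outform PEM > "$tmp" &&
        openssl x509 -in "$cert" -noout -text -fingerprint >> "$tmp" &&
        hash=$(android_subject_hash "$cert") || { rm -f "$tmp"; return 1; }
    name=$(pick_cacert_name "$hash" "$dir" "$tmp")
    mv "$tmp" "$dir/$name" && chmod 644 "$dir/$name" && echo "$name"
}

# Usage (script name is hypothetical):
#   adb pull /system/etc/security/cacerts ./cacerts
#   sh stage_cacert.sh ca.crt ./cacerts
if [ "$#" -eq 2 ]; then
    stage_cacert "$1" "$2"
fi
```

The name it prints is the file to push to /system/etc/security/cacerts with the adb steps from the post.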