HOWTO Install a custom cert without "Your network could be monitored" message

Search This thread

forceu

Senior Member
Jun 23, 2010
100
78
HOWTO Install a custom cert without "Your network could be monitored" message

As an app developer, I have various servers to process my orders / act as backups etc - to enable secure connections, I am using SSL, but it would be a waste of money to buy a certificate just for internal communication.

The same problem applies to companies / individuals who need certificates for accessing wifi - since KitKat you are always greeted with a big message telling you, that your network might be monitored.

The solution to this problem is to install the certificate on your rooted phone's internal storage; this also has the side effect that a secure lockscreen is not needed (but I still recommend it for rooted phones!).

How-To:

This is a guide written for Nexus 5 devices. If the file /system/etc/security/cacerts.bks exists on your device, refer to this tutorial.

Method 1:
  1. Add the certificate to your custom certificates in Android Settings
  2. Move the new file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/

Method 2:
  1. Save your certificate in the PEM format
  2. Get the subject of the certificate with "openssl x509 -inform PEM -subject_hash -in CERTIFICATE.FILE" It should be in a format similar to eg "0b112a89"
  3. Save the certificate into a text file with "openssl x509 -inform PEM -text -in CERTIFICATE.FILE > yourcert.txt"
  4. Switch the PEM section and the text, "-----BEGIN CERTIFICATE-----[...]" has to be at the beginning of the file
  5. Rename the file to 0b112a89.0 (replace with the subject you got in step 2)
  6. Copy the file into /system/etc/security/cacerts/ and make sure chmod permissions are set to 0644 (rw,r,r)
  7. Your certificate should now show up in the trusted certificate list
  8. If that doesn't work, disable and enable the certificate in Android Settings, which creates a file in /data/misc/keychain/cacerts-added/. Move that file to /system/etc/security/cacerts/ and delete your original file from step 6



I hope that helps some people out there solving this annoyance.

Source: http://stackoverflow.com/a/18390177/819367
 
Last edited:

jeekajoo

Senior Member
Oct 12, 2012
65
9
fralef.me
procedure for cacert.org certificates installation

Here is my proc using linux. Adapt it to your environment:
Code:
$ wget https://www.cacert.org/certs/root.crt
$ wget https://www.cacert.org/certs/class3.crt
$ cat root.crt > 5ed36f99.0
$ cat class3.crt > e5662767.0
$ openssl x509 -inform PEM -text -in root.crt -out /dev/null >> 5ed36f99.0
$ openssl x509 -inform PEM -text -in class3.crt -out /dev/null >> e5662767.0
$ ~/bin/android-sdk-linux/platform-tools/adb push e5662767.0 /sdcard/
$ ~/bin/android-sdk-linux/platform-tools/adb push 5ed36f99.0 /sdcard/
$ ~/bin/android-sdk-linux/platform-tools/adb shell
su
mount -o remount,rw /system
cp /sdcard/5ed36f99.0 /system/etc/security/cacerts/
cp /sdcard/e5662767.0 /system/etc/security/cacerts/
cd /system/etc/security/cacerts/
chmod 644 5ed36f99.0
chmod 644 e5662767.0
reboot
Enjoy

origin: https://fralef.me/links/?EZ9QtA
 
Last edited:

Trueglich

Member
May 30, 2013
27
5
ok stupid question what program are you using to move the certs. i am kinda new at this and i have tired 3 diffrent root exploers and i still get access denied when i tired to move cert files. and yes i am rooted.
 

Trueglich

Member
May 30, 2013
27
5
You need one that will remount system as rw. I like root explorer myself

Sent from my SAMSUNG-SGH-T989 using xda app-developers app

ok... I used root explorer to move the certs now when I open wifi and try to set up a profile the wifi cert is't an option. did i need to connect to the Wifi before moving the cert?

if i re add them as a user cert connect then remove will the copies in system take over? have a screwed myself and spend $4 bucks in process?
 

bmg002

Senior Member
Aug 21, 2012
611
213
Xiaomi Mi 5s Plus
ok... I used root explorer to move the certs now when I open wifi and try to set up a profile the wifi cert is't an option. did i need to connect to the Wifi before moving the cert?

if i re add them as a user cert connect then remove will the copies in system take over? have a screwed myself and spend $4 bucks in process?

I would just repeat method one from the op using root explorer after you connect art least one time
If you are rooted and like tweaking, root explorer is not a waste of money :) I use it and adb a lot

Sent from my SAMSUNG-SGH-T989 using xda app-developers app
 

Trueglich

Member
May 30, 2013
27
5
I would just repeat method one from the op using root explorer after you connect art least one time
If you are rooted and like tweaking, root explorer is not a waste of money :) I use it and adb a lot

Sent from my SAMSUNG-SGH-T989 using xda app-developers app

ok well partial successes.

Removed certs from system
Reinstalled them as user certs
resetup wifi and it worked.
Moved certs back to system turn off wifi and back on still works
reboot phone still works no error message
turned off lock screen still works
rebooted phone with lock screen off. Wifi no working
turn lock screen on still not working
reboot phone with lock screen on still not working

Well so looks like i can get rid of message but i still need to use google lock screen (was hoping to replace with a smarter one)

if anyone has more ideas let me know
 

bmg002

Senior Member
Aug 21, 2012
611
213
Xiaomi Mi 5s Plus
ok well partial successes.

Removed certs from system
Reinstalled them as user certs
resetup wifi and it worked.
Moved certs back to system turn off wifi and back on still works
reboot phone still works no error message
turned off lock screen still works
rebooted phone with lock screen off. Wifi no working
turn lock screen on still not working
reboot phone with lock screen on still not working

Well so looks like i can get rid of message but i still need to use google lock screen (was hoping to replace with a smarter one)

if anyone has more ideas let me know

I could be wrong on this (and feel free to correct me if I am), but I think the idea behind the certs is that you only need them with the lock screen stuff setup. so if you turn off the lock screen and reboot, I think you need to manually delete any certs you put in /system... I could be wrong on this (and likely am), but that is my understanding on how they work.

Also, I've had goofy issues with my wifi where it won't connect to a network while being turned on. It shows it is on and that my preferred network is available, but won't actually connect. I need to turn off my wifi, wait about 30-60 seconds then turn it back on. Likely due to my cheap router more than anything else, but may be your issue too?
 
  • Like
Reactions: Tye:P

kiranreddi

Member
Aug 22, 2014
19
2
Bengaluru
Any process for non rooted phones ??

Hi

i am using my office certificates in my mobile , those certificates wont install in Rooted phone . Is it possible to get rid of this notification in Non rooted phones .
Please help me with this issues .

Thanks
Kiran
 
  • Like
Reactions: Tye:P

TheChaves

New member
Oct 13, 2014
1
0
Thanks!

Thank you for this post. I was trying to perform Method 2 from other posts on the web but it wasn't working for me. I found that Method 1 worked for me and was the path of least resistance. Didn't get a change to try Method 2 but your steps appear to be updated and much clearer.

How-To:

Method 1:
  1. Add the certificate to your custom certificates in Android Settings
  2. Move the new file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/

Method 2:
  1. Save your certificate in the PEM format
  2. Get the subject of the certificate with "openssl x509 -inform PEM -subject_hash -in CERTIFICATE.FILE" It should be in a format similar to eg "0b112a89"
  3. Save the certificate into a text file with "openssl x509 -inform PEM -text -in CERTIFICATE.FILE > yourcert.txt"
  4. Switch the PEM section and the text, "-----BEGIN CERTIFICATE-----[...]" has to be at the beginning of the file
  5. Rename the file to 0b112a89.0 (replace with the subject you got in step 2)
  6. Copy the file into /system/etc/security/cacerts/ and make sure chmod permissions are set to 0644 (rw,r,r)
  7. Your certificate should now show up in the trusted certificate list
  8. If that doesn't work, disable and enable the certificate in Android Settings, which creates a file in /data/misc/keychain/cacerts-added/. Move that file to /system/etc/security/cacerts/ and delete your original file from step 6
 

[email protected]

New member
May 25, 2015
4
0
Hi I'm on a rooted Sony Xperia Z2 with Stock Lollipop ROM.
I have setup my own CA with Intermediate certificate to sign my own certificates for internal use (NAS, Homeserver etc).
I followed the instructions in post #1 and I can see my CA and Intermediate listed in Settings -> Security -> Trusted Credentials, but Chrome still shows an error:
NET::ERR_CERT_AUTHORITY_INVALID
Details say it can't load the website because it's using HSTS.

Even copying the certs to /data/misc/user/0/cacerts-added too doesn't help.

Any idea what i'm missing?
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 26
    HOWTO Install a custom cert without "Your network could be monitored" message

    As an app developer, I have various servers to process my orders / act as backups etc - to enable secure connections, I am using SSL, but it would be a waste of money to buy a certificate just for internal communication.

    The same problem applies to companies / individuals who need certificates for accessing wifi - since KitKat you are always greeted with a big message telling you, that your network might be monitored.

    The solution to this problem is to install the certificate on your rooted phone's internal storage; this also has the side effect that a secure lockscreen is not needed (but I still recommend it for rooted phones!).

    How-To:

    This is a guide written for Nexus 5 devices. If the file /system/etc/security/cacerts.bks exists on your device, refer to this tutorial.

    Method 1:
    1. Add the certificate to your custom certificates in Android Settings
    2. Move the new file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/

    Method 2:
    1. Save your certificate in the PEM format
    2. Get the subject of the certificate with "openssl x509 -inform PEM -subject_hash -in CERTIFICATE.FILE" It should be in a format similar to eg "0b112a89"
    3. Save the certificate into a text file with "openssl x509 -inform PEM -text -in CERTIFICATE.FILE > yourcert.txt"
    4. Switch the PEM section and the text, "-----BEGIN CERTIFICATE-----[...]" has to be at the beginning of the file
    5. Rename the file to 0b112a89.0 (replace with the subject you got in step 2)
    6. Copy the file into /system/etc/security/cacerts/ and make sure chmod permissions are set to 0644 (rw,r,r)
    7. Your certificate should now show up in the trusted certificate list
    8. If that doesn't work, disable and enable the certificate in Android Settings, which creates a file in /data/misc/keychain/cacerts-added/. Move that file to /system/etc/security/cacerts/ and delete your original file from step 6



    I hope that helps some people out there solving this annoyance.

    Source: http://stackoverflow.com/a/18390177/819367
    5
    For Lollipop, the user certificates path changed to "/data/misc/user/0/cacerts-added". System certificates are in the same directory.

    Edit: I've also updated my app Move Certs for Lollipop support:
    Google Play Download
    F-Droid Download
    4
    While an old thread, it's still a relevant one...

    As @Nutomic mentioned in Post #17:

    For Android 5.0 and later:
    1. Add the certificate to your custom certificates in Android Settings
    2. Move the new file from /data/misc/user/0/cacerts-added/ to /system/etc/security/cacerts/

    I am using my office certificates in my mobile , those certificates wont install in Rooted phone . Is it possible to get rid of this notification in Non rooted phones .
    No, it will never be possible. Certs are stored on the system partition, and this partition is read only to non-rooted users.

    There is good reason why this is only possible with root permissions... moving certificates is a security risk, and a major one at that. It doesn't just allow owners to move their own trusted certs into system trusted, it also allows a malicious exploit to move a cert as well (thereby offering the ability for a MITM attack or others).
    • This is why the toast is generated upon a reboot, as it's to ensure the owner knows a certificate has been installed and if they did not install one, it's a major red flag the phone has been compromised.


    I'm on a rooted Sony Xperia Z2 with Stock Lollipop ROM.
    I have setup my own CA with Intermediate certificate to sign my own certificates for internal use (NAS, Homeserver etc).
    I followed the instructions in post #1 and I can see my CA and Intermediate listed in Settings -> Security -> Trusted Credentials, but Chrome still shows an error: NET::ERR_CERT_AUTHORITY_INVALID
    Details say it can't load the website because it's using HSTS.

    Even copying the certs to /data/misc/user/0/cacerts-added too doesn't help. Any idea what i'm missing?
    Most likely because the certificate chain of trust isn't correct for the intermediate CA. If you're creating your own CA, and using that CA to sign your Intermediate CA, both must combined into a single PEM, otherwise there's no way to verify the Intermediate CA. The combined PEM should be in the format of Intermediate CA, followed by CA:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----


    Windows
    • type IntermediateCA.crt CA.crt >> IntermediateCAchain.pem
    *nix/BSD:
    • cat IntermediateCA.crt CA.crt > IntermediateCAchain.pem
    The Intermediate CA is still used to sign the certs it issues, however the Intermediate CA chain certificate must be exported with the client cert & key to maintain the certificate chain of trust of Certificate -> Intermediate CA -> CA. This allows for the certificate path of the client cert to show a hierarchy of CA -> Intermediate CA -> Client
    • This only applies to user generated CA's that were not signed by a professional certificate authority.
      • Unless you're running a major website, in my opinion, it's a waste of money to have your intermediate CA signed by a professional certificate authority, as it's extremely easy to ensure your self generated CA & Intermediate CA certificates are installed by users who will need access to client certs issued by the CA/Intermediate CA. What you're paying for with a professional certificate authority is not the signing of the certificate, but the maintaining of the CRL.
    If the certificate chain of trust isn't broken, and the hierarchy shows CA -> Intermediate CA -> Certificate, it could be the cert, or the certificate authority, wasn't generated with the proper options within openssl.cnf.

    NET::ERR_CERT_AUTHORITY_INVALID means:
    • Certificate is not issued by the third party site; OR
    • The third party site certificate is not updated; OR
    • The third party and browser connection is not secure
    1
    ok well partial successes.

    Removed certs from system
    Reinstalled them as user certs
    resetup wifi and it worked.
    Moved certs back to system turn off wifi and back on still works
    reboot phone still works no error message
    turned off lock screen still works
    rebooted phone with lock screen off. Wifi no working
    turn lock screen on still not working
    reboot phone with lock screen on still not working

    Well so looks like i can get rid of message but i still need to use google lock screen (was hoping to replace with a smarter one)

    if anyone has more ideas let me know

    I could be wrong on this (and feel free to correct me if I am), but I think the idea behind the certs is that you only need them with the lock screen stuff setup. so if you turn off the lock screen and reboot, I think you need to manually delete any certs you put in /system... I could be wrong on this (and likely am), but that is my understanding on how they work.

    Also, I've had goofy issues with my wifi where it won't connect to a network while being turned on. It shows it is on and that my preferred network is available, but won't actually connect. I need to turn off my wifi, wait about 30-60 seconds then turn it back on. Likely due to my cheap router more than anything else, but may be your issue too?
    1
    Any process for non rooted phones ??

    Hi

    i am using my office certificates in my mobile , those certificates wont install in Rooted phone . Is it possible to get rid of this notification in Non rooted phones .
    Please help me with this issues .

    Thanks
    Kiran
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone