HOWTO Install a custom cert without "Your network could be monitored" message


forceu

Senior Member
Jun 23, 2010
HOWTO Install a custom cert without "Your network could be monitored" message

As an app developer, I have various servers to process my orders / act as backups etc - to enable secure connections, I am using SSL, but it would be a waste of money to buy a certificate just for internal communication.

The same problem applies to companies / individuals who need certificates for accessing wifi - since KitKat you are always greeted with a big message telling you that your network might be monitored.

The solution to this problem is to install the certificate on your rooted phone's internal storage; this also has the side effect that a secure lockscreen is not needed (but I still recommend it for rooted phones!).

How-To:

This is a guide written for Nexus 5 devices. If the file /system/etc/security/cacerts.bks exists on your device, refer to this tutorial.

Method 1:
  1. Add the certificate to your custom certificates in Android Settings
  2. Move the new file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/

Method 2:
  1. Save your certificate in the PEM format
  2. Get the subject hash of the certificate with "openssl x509 -inform PEM -subject_hash -in CERTIFICATE.FILE". It should be in a format similar to e.g. "0b112a89"
  3. Save the certificate into a text file with "openssl x509 -inform PEM -text -in CERTIFICATE.FILE > yourcert.txt"
  4. Switch the PEM section and the text, "-----BEGIN CERTIFICATE-----[...]" has to be at the beginning of the file
  5. Rename the file to 0b112a89.0 (replace with the subject you got in step 2)
  6. Copy the file into /system/etc/security/cacerts/ and make sure chmod permissions are set to 0644 (rw,r,r)
  7. Your certificate should now show up in the trusted certificate list
  8. If that doesn't work, disable and enable the certificate in Android Settings, which creates a file in /data/misc/keychain/cacerts-added/. Move that file to /system/etc/security/cacerts/ and delete your original file from step 6



I hope that helps some people out there solving this annoyance.

Source: http://stackoverflow.com/a/18390177/819367
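A script that automates Method 2 on a PC, added here as an example that is not part of the original post; it assumes openssl is on the PATH and that you stage the file in a writable directory before pushing it to the phone. One detail it adds: Android looks up system CA files by OpenSSL's old-style subject hash (X509_NAME_hash_old), which is what -subject_hash_old prints; plain -subject_hash gives that value only on OpenSSL 0.9.8-era builds.

```shell
#!/bin/sh
# Added example (not from the thread): build the "<subject-hash>.<n>" file that
# Android's system trust store expects from a PEM CA certificate. File layout is
# the PEM block first, then the human-readable "openssl x509 -text" dump.
# Android names system CA files by the OpenSSL *old* subject hash, so
# -subject_hash_old is used. Assumed: openssl on PATH.
#
# Usage: install_system_ca ca.pem [destdir]
# destdir defaults to /system/etc/security/cacerts (needs root and a rw remount
# on the phone); pass any writable directory to stage the file on a PC first.
install_system_ca() {
    cert="$1"
    dest="${2:-/system/etc/security/cacerts}"

    # Refuse anything that is not a CA certificate: only a CA belongs in here.
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
        echo "error: $cert is not a CA certificate (no basicConstraints CA:TRUE)" >&2
        return 1
    }

    subj_hash=$(openssl x509 -in "$cert" -noout -subject_hash_old) || return 1
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 1

    # Several CAs can share a subject hash; Android resolves that with the
    # numeric suffix. Take the first free "<hash>.<n>", or reuse the slot that
    # already holds this exact certificate (compared by SHA-256 fingerprint).
    n=0
    while [ -e "$dest/$subj_hash.$n" ]; do
        existing=$(openssl x509 -in "$dest/$subj_hash.$n" -noout -fingerprint -sha256 2>/dev/null) \
            || existing=""
        [ "$existing" = "$fp" ] && break
        n=$((n + 1))
    done
    out="$dest/$subj_hash.$n"

    # PEM block first, then the text dump. -noout keeps the PEM out of the dump
    # so the certificate is not written twice.
    {
        openssl x509 -in "$cert" -outform PEM
        openssl x509 -in "$cert" -noout -text
    } > "$out" || return 1
    chmod 0644 "$out"
    echo "$out"
}
```

The printed path is the file to push to the phone and copy into /system/etc/security/cacerts/ as in step 6.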
 

jeekajoo

Senior Member
Oct 12, 2012
jeekajoo.eu
procedure for cacert.org certificates installation

Here is my proc using linux. Adapt it to your environment:
Code:
$ wget https://www.cacert.org/certs/root.crt
$ wget https://www.cacert.org/certs/class3.crt
# The target file name is the certificate's subject hash plus ".0"; the PEM block must come first
$ cat root.crt > 5ed36f99.0
$ cat class3.crt > e5662767.0
# Append the human-readable dump after the PEM. -noout suppresses a second copy of the PEM
# (the original used "-out /dev/null", which also swallowed the -text output, so nothing was appended)
$ openssl x509 -inform PEM -text -noout -in root.crt >> 5ed36f99.0
$ openssl x509 -inform PEM -text -noout -in class3.crt >> e5662767.0
$ ~/bin/android-sdk-linux/platform-tools/adb push e5662767.0 /sdcard/
$ ~/bin/android-sdk-linux/platform-tools/adb push 5ed36f99.0 /sdcard/
$ ~/bin/android-sdk-linux/platform-tools/adb shell
su
# /system is mounted read-only; remount it writable for the copy
mount -o remount,rw /system
cp /sdcard/5ed36f99.0 /system/etc/security/cacerts/
cp /sdcard/e5662767.0 /system/etc/security/cacerts/
cd /system/etc/security/cacerts/
# Same permissions as the stock system CA files (owner rw, everyone else read-only)
chmod 644 5ed36f99.0
chmod 644 e5662767.0
reboot
Enjoy

origin: https://fralef.me/links/?EZ9QtA
 

mase76

Senior Member
Aug 26, 2011
Tried it and it works on CyanogenMod 11. But it does not seem to survive a ROM update.
 

Trueglich

Member
May 30, 2013
OK, stupid question: what program are you using to move the certs? I am kinda new at this and I have tried 3 different root explorers and I still get access denied when I try to move cert files. And yes, I am rooted.
 

Trueglich

Member
May 30, 2013
You need one that will remount system as rw. I like Root Explorer myself.

Sent from my SAMSUNG-SGH-T989 using xda app-developers app

OK... I used Root Explorer to move the certs. Now when I open wifi and try to set up a profile, the wifi cert isn't an option. Did I need to connect to the wifi before moving the cert?

If I re-add them as a user cert, connect, then remove them, will the copies in system take over? Have I screwed myself and spent $4 bucks in the process?
 

bmg002

Senior Member
Aug 21, 2012
Xiaomi Mi 5s Plus
OK... I used Root Explorer to move the certs. Now when I open wifi and try to set up a profile, the wifi cert isn't an option. Did I need to connect to the wifi before moving the cert?

If I re-add them as a user cert, connect, then remove them, will the copies in system take over? Have I screwed myself and spent $4 bucks in the process?

I would just repeat method one from the OP using Root Explorer after you connect at least one time.
If you are rooted and like tweaking, Root Explorer is not a waste of money :) I use it and adb a lot.

Sent from my SAMSUNG-SGH-T989 using xda app-developers app
 

Trueglich

Member
May 30, 2013
I would just repeat method one from the OP using Root Explorer after you connect at least one time.
If you are rooted and like tweaking, Root Explorer is not a waste of money :) I use it and adb a lot.

Sent from my SAMSUNG-SGH-T989 using xda app-developers app

OK, well, partial success.

Removed certs from system
Reinstalled them as user certs
Re-set up wifi and it worked.
Moved certs back to system, turned wifi off and back on: still works
Rebooted phone: still works, no error message
Turned off lock screen: still works
Rebooted phone with lock screen off: wifi not working
Turned lock screen on: still not working
Rebooted phone with lock screen on: still not working

Well, so it looks like I can get rid of the message but I still need to use the Google lock screen (was hoping to replace it with a smarter one).

If anyone has more ideas, let me know.
 

bmg002

Senior Member
Aug 21, 2012
Xiaomi Mi 5s Plus
OK, well, partial success.

Removed certs from system
Reinstalled them as user certs
Re-set up wifi and it worked.
Moved certs back to system, turned wifi off and back on: still works
Rebooted phone: still works, no error message
Turned off lock screen: still works
Rebooted phone with lock screen off: wifi not working
Turned lock screen on: still not working
Rebooted phone with lock screen on: still not working

Well, so it looks like I can get rid of the message but I still need to use the Google lock screen (was hoping to replace it with a smarter one).

If anyone has more ideas, let me know.

I could be wrong on this (and feel free to correct me if I am), but I think the idea behind the certs is that you only need them with the lock screen stuff set up. So if you turn off the lock screen and reboot, I think you need to manually delete any certs you put in /system... I could be wrong on this (and likely am), but that is my understanding of how they work.

Also, I've had goofy issues with my wifi where it won't connect to a network while being turned on. It shows it is on and that my preferred network is available, but won't actually connect. I need to turn off my wifi, wait about 30-60 seconds then turn it back on. Likely due to my cheap router more than anything else, but may be your issue too?
 

kiranreddi

Member
Aug 22, 2014
Bengaluru
Any process for non-rooted phones??

Hi,

I am using my office certificates in my mobile; those certificates won't install in a rooted phone. Is it possible to get rid of this notification in non-rooted phones?
Please help me with this issue.

Thanks
Kiran
 

TheChaves

New member
Oct 13, 2014
Thanks!

Thank you for this post. I was trying to perform Method 2 from other posts on the web but it wasn't working for me. I found that Method 1 worked for me and was the path of least resistance. Didn't get a chance to try Method 2, but your steps appear to be updated and much clearer.

How-To:

Method 1:
  1. Add the certificate to your custom certificates in Android Settings
  2. Move the new file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/

Method 2:
  1. Save your certificate in the PEM format
  2. Get the subject of the certificate with "openssl x509 -inform PEM -subject_hash -in CERTIFICATE.FILE" It should be in a format similar to eg "0b112a89"
  3. Save the certificate into a text file with "openssl x509 -inform PEM -text -in CERTIFICATE.FILE > yourcert.txt"
  4. Switch the PEM section and the text, "-----BEGIN CERTIFICATE-----[...]" has to be at the beginning of the file
  5. Rename the file to 0b112a89.0 (replace with the subject you got in step 2)
  6. Copy the file into /system/etc/security/cacerts/ and make sure chmod permissions are set to 0644 (rw,r,r)
  7. Your certificate should now show up in the trusted certificate list
  8. If that doesn't work, disable and enable the certificate in Android Settings, which creates a file in /data/misc/keychain/cacerts-added/. Move that file to /system/etc/security/cacerts/ and delete your original file from step 6
 

patrick@heppler.net

New member
May 25, 2015
Hi, I'm on a rooted Sony Xperia Z2 with the stock Lollipop ROM.
I have set up my own CA with an Intermediate certificate to sign my own certificates for internal use (NAS, home server etc.).
I followed the instructions in post #1 and I can see my CA and Intermediate listed in Settings -> Security -> Trusted Credentials, but Chrome still shows an error:
NET::ERR_CERT_AUTHORITY_INVALID
Details say it can't load the website because it's using HSTS.

Even copying the certs to /data/misc/user/0/cacerts-added too doesn't help.

Any idea what I'm missing?
 

Top Liked Posts

    For Lollipop, the user certificates path changed to "/data/misc/user/0/cacerts-added". System certificates are in the same directory.

    Edit: I've also updated my app Move Certs for Lollipop support:
    Google Play Download
    F-Droid Download
    While an old thread, it's still a relevant one...

    As @Nutomic mentioned in Post #17:

    For Android 5.0 and later:
    1. Add the certificate to your custom certificates in Android Settings
    2. Move the new file from /data/misc/user/0/cacerts-added/ to /system/etc/security/cacerts/

    I am using my office certificates in my mobile; those certificates won't install in a rooted phone. Is it possible to get rid of this notification in non-rooted phones?
    No, it will never be possible. Certs are stored on the system partition, and this partition is read-only to non-rooted users.

    There is good reason why this is only possible with root permissions... moving certificates is a security risk, and a major one at that. It doesn't just allow owners to move their own trusted certs into system trusted, it also allows a malicious exploit to move a cert as well (thereby offering the ability for a MITM attack or others).
    • This is why the toast is generated upon a reboot, as it's to ensure the owner knows a certificate has been installed and if they did not install one, it's a major red flag the phone has been compromised.


    I'm on a rooted Sony Xperia Z2 with Stock Lollipop ROM.
    I have setup my own CA with Intermediate certificate to sign my own certificates for internal use (NAS, Homeserver etc).
    I followed the instructions in post #1 and I can see my CA and Intermediate listed in Settings -> Security -> Trusted Credentials, but Chrome still shows an error: NET::ERR_CERT_AUTHORITY_INVALID
    Details say it can't load the website because it's using HSTS.

    Even copying the certs to /data/misc/user/0/cacerts-added too doesn't help. Any idea what i'm missing?
    Most likely because the certificate chain of trust isn't correct for the intermediate CA. If you're creating your own CA, and using that CA to sign your Intermediate CA, both must be combined into a single PEM, otherwise there's no way to verify the Intermediate CA. The combined PEM should be in the format of Intermediate CA, followed by CA:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----


    Windows
    • type IntermediateCA.crt CA.crt >> IntermediateCAchain.pem
    *nix/BSD:
    • cat IntermediateCA.crt CA.crt > IntermediateCAchain.pem
    The Intermediate CA is still used to sign the certs it issues, however the Intermediate CA chain certificate must be exported with the client cert & key to maintain the certificate chain of trust of Certificate -> Intermediate CA -> CA. This allows for the certificate path of the client cert to show a hierarchy of CA -> Intermediate CA -> Client
    • This only applies to user-generated CAs that were not signed by a professional certificate authority.
      • Unless you're running a major website, in my opinion, it's a waste of money to have your intermediate CA signed by a professional certificate authority, as it's extremely easy to ensure your self-generated CA & Intermediate CA certificates are installed by users who will need access to client certs issued by the CA/Intermediate CA. What you're paying for with a professional certificate authority is not the signing of the certificate, but the maintaining of the CRL.
    If the certificate chain of trust isn't broken, and the hierarchy shows CA -> Intermediate CA -> Certificate, it could be the cert, or the certificate authority, wasn't generated with the proper options within openssl.cnf.

    NET::ERR_CERT_AUTHORITY_INVALID means:
    • Certificate is not issued by the third party site; OR
    • The third party site certificate is not updated; OR
    • The third party and browser connection is not secure
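An added example (not from the thread) of the chain check described above, done on a PC with openssl before touching the phone: build the Intermediate CA + CA chain file in the order the post gives, and verify that a certificate actually chains to the root, including the failure case where the intermediate is missing. Assumes openssl on the PATH; the file names are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a home-made PKI on a PC before
# installing anything on the phone. Assumed: openssl on PATH; file names are
# placeholders supplied by the caller.

# build_chain INTERMEDIATE.crt CA.crt OUT.pem
# Writes the chain file in the order the post describes (Intermediate CA first,
# then the root CA) and prints its path. Refuses an "intermediate" that is not
# marked CA:TRUE, because such a certificate cannot be a valid issuer.
build_chain() {
    inter="$1"; root="$2"; out="$3"
    openssl x509 -in "$inter" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
        echo "error: $inter lacks basicConstraints CA:TRUE; it cannot issue certificates" >&2
        return 1
    }
    cat "$inter" "$root" > "$out" && echo "$out"
}

# verify_leaf LEAF.crt CA.crt [INTERMEDIATE.crt]
# Models what a client does: only the root is a trust anchor (-CAfile); the
# intermediate is an untrusted link that must itself chain to the root.
# Leaving the intermediate out reproduces the usual broken-chain failure
# ("unable to get local issuer certificate"), which Chrome reports as
# NET::ERR_CERT_AUTHORITY_INVALID. Returns 0 only on a complete, valid path.
verify_leaf() {
    leaf="$1"; root="$2"; inter="$3"
    if [ -n "$inter" ]; then
        result=$(openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" 2>&1) || true
    else
        result=$(openssl verify -CAfile "$root" "$leaf" 2>&1) || true
    fi
    # Exit codes of "openssl verify" differ between versions; the "<file>: OK"
    # line is the stable success signal.
    printf '%s\n' "$result" | grep -q ': OK$'
}
```

The server (NAS, home server) must present the chain file alongside its own certificate, otherwise clients see exactly the failure that verify_leaf reproduces without the intermediate.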