Android Certificates

I’m enjoying my new Samsung Captivate, still running Android 2.1 (c’mon, AT&T, let’s see 2.2!). But I’ve found that Android doesn’t trust the SSL certificate I installed from StartSSL. No problem, I just need to add that to the list of trusted certificates, right? Not so fast.

It seems that Android has gotten to version 2.2 without implementing a user-editable certificate store. Even figuring that out was a challenge:  it’s mostly a matter of wading through Android bug reports. Here are a few references; in the bug reports, click on the star at the bottom, above the comment box, to be notified of updates:

Here’s a StackOverflow question on how to install a cert manually.

Importing CACert root certificates into Android. Looks like this procedure is for Unix users.

StartCom Root CA trusted as of Android 2.2. Issue 5657; see comment 24.

List of trusted Certification Authorities as of September 9, 2010. Issue 10985; see comment 11. That comment says the current source code should be here, but I get a 500 error on that page. It looks like it is here now. There is one file per certificate. A Java script named certimport.sh “recreates the cacerts.bks file from the x509 CA certificates in the cacerts directory.” Somewhere I read that cacerts.bks winds up on the phone as /etc/security/cacerts.bks, but I don’t have access to that. (The fact that the certs are hard-coded in source code is of course the main problem.)

Long bug thread about editing CA certs:  Issue 6207; see comment 48 about why it was closed unsolved. Also a brief note that the Android certificate installer available from the Settings > Location and security > Credential storage user interface only affects the VPN; certificates installed there are not used by the browser, email client, or third-party applications.

Current bug thread, replacing 6207, about managing CA certs:  Issue 11231. Comment 8 has more detail about only VPN and WiFi using the user-modifiable keystore.

Site for creating a cert to use with WiFi:  http://www.realmb.com/droidCert.

Some SSL issues are really issues with intermediate certificates:  Issue 1946. Comment 21 says there may be some improvements (in 2.2?) to handle out-of-order certificates. This site tests certificates:  http://www.ssltest.net.
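As an added example (not from the original post or the Android source), this sketch separates the failure modes the references above describe: a root missing from the device's fixed store, an intermediate the server never sent, and a chain sent out of order. It matches certificates by name only, with no signature or validity checks, and all names and both stores are constructed samples.

```python
# Added example. Certificates are modelled as (subject, issuer) name pairs;
# every name below is a constructed sample, not real CA data.
LEAF = "CN=www.example.test"
INT_A = "CN=Example Server CA"   # issues the leaf
INT_B = "CN=Example Policy CA"   # issues INT_A
ROOT = "CN=Example Root CA"      # issues INT_B

STORE_OLD = {"CN=Other Root CA"}        # built-in store that lacks ROOT
STORE_NEW = {"CN=Other Root CA", ROOT}  # later build that ships ROOT

IN_ORDER = [(LEAF, INT_A), (INT_A, INT_B), (INT_B, ROOT)]
SHUFFLED = [(LEAF, INT_A), (INT_B, ROOT), (INT_A, INT_B)]
LEAF_ONLY = [(LEAF, INT_A)]


def diagnose_chain(presented, trusted_roots):
    """Classify a presented chain against a fixed set of trusted root names.

    presented     -- (subject, issuer) pairs in the order the server sent them
    trusted_roots -- subject names in the client's built-in store
    Returns (status, detail):
      ("ok", path)           chain links up, in order, to a trusted root
      ("out-of-order", path) all links were sent, but not in issuing order
      ("unanchored", name)   'name' was neither sent nor trusted: the server
                             omitted an intermediate, or the store lacks a root
      ("empty", None)        nothing was presented
    """
    if not presented:
        return ("empty", None)
    issuer_of = dict(presented)
    current = presented[0][0]  # the server's own certificate comes first
    path = [current]
    while True:
        issuer = issuer_of[current]
        if current in trusted_roots or issuer in trusted_roots:
            break  # reached a name the client already trusts
        if issuer == current or issuer not in issuer_of or issuer in path:
            return ("unanchored", issuer)
        current = issuer
        path.append(current)
    sent_order = [subject for subject, _ in presented]
    if sent_order[:len(path)] != path:
        return ("out-of-order", path)
    return ("ok", path)


if __name__ == "__main__":
    for name, chain in [("in order", IN_ORDER), ("shuffled", SHUFFLED), ("leaf only", LEAF_ONLY)]:
        print(name, diagnose_chain(chain, STORE_OLD)[0], diagnose_chain(chain, STORE_NEW)[0])
```

An "unanchored" result naming a root points at the client's store; one naming an intermediate points at the server's configuration.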

Conclusion

Android 2.1 and 2.2 allow you to import certificates, but only for use with WiFi and VPN. There is no user interface for updating the list of trusted root certificates, but there is discussion about adding that feature. It’s unclear whether there is a reliable workaround for manually updating and replacing the cacerts.bks file.

8 thoughts on “Android Certificates”

  1. Sole Viktor

    Android 1.6 and 2.1-update1 do not support StartSSL; however, 2.2 and 2.2.1 seem to support it fine. You might be interested in looking at http://www.ssltest.net/compare/; it is our newest project in the line of SSL testing, working on mapping what clients work with different SSL certificates.

    We are a lot of people needing to know what SSL certificates work with different mobile phones, this tool and the resulting comparison chart should help us with this in the future.

    And thanks for the link to the server SSL testing tool http://www.ssltest.net

    Regards, Sole

  2. Pingback: Good-Bye Android | MCB Systems

  3. Pingback: Why Apple (and Sony, Amazon, Microsoft etc.) Should Support Jailbreaking | Electronic Frontier Foundation

  4. Pingback: Why Apple (and Sony, Amazon, Microsoft etc.) Should Support Jailbreaking | GrassrootsHeadlines.com

  5. neaty

    There is a certificate error which does not allow me to download or install games or applications. Any idea on how to fix this? Android 2.2

  6. Pingback: How do I install a user certificate? | DL-UAT
