Skip to content

Instantly share code, notes, and snippets.

@pwlin
Last active October 18, 2024 14:20
Show Gist options
  • Save pwlin/8a0d01e6428b7a96e2eb to your computer and use it in GitHub Desktop.
Save pwlin/8a0d01e6428b7a96e2eb to your computer and use it in GitHub Desktop.
Android : add cert to system store
https://code.google.com/p/android/issues/detail?id=32696#c5
If you have a certificate that is not
trusted by Android, when you add it, it goes in the personal cert store.
When you add a cert in this personal cert store, the system requires a
higher security level to unlock the device. But if you manage to add your
cert to the system store then you don't have this requirement. Obviously,
root is required to add a certificate to the system store, but it is quiet
easy.
Here is how to do it :
1 - add your cert normally, it will be stored in your personal store and
android will ask you a pin/password... Proceed
2 - With a file manager with root capabilities, browse files
in /data/misc/keychain/cacerts-added. You should see a file here, it's the
certificate you have added at step 1. If you can not find it in that path, look in /data/misc/user/0/cacerts-added/
3 - Move this file to system/etc/security/cacerts (you will need to mount
the system partition r/w)
4 - Reboot the phone
5 - You are now able to clear the pin/password you have set to unlock the
device.
I Think that this will only work for Root or Intermediate CA.
I got the idea by reading this :
http://nelenkov.blogspot.fr/2011/12/ics-trust-store-implementation.html
@phillippmueller74
Copy link

Tested on API 28

adb root
adb disable-verity
adb reboot
adb root
adb remount
adb push FILENAME.0 /system/etc/security/cacerts
adb shell chmod 664 /system/etc/security/cacerts/FILENAME.0

@b4cktr4ck2
Copy link

Has anyone managed to do this with AVD with Google Play (NOT Google API's) and Android 11 installed? I realize I've sort of shot myself in the foot here, but if anyone knows of a way to root such a device please let me know using Android Studio.

@prot0man
Copy link

prot0man commented Mar 3, 2023

@devnoname120
Copy link

devnoname120 commented Sep 12, 2023

For future visitors: this method doesn't work for Android 14 (aka API level 34) as certificates are now loaded from /apex/com.android.conscrypt/cacerts (instead of /system/etc/security/cacerts) . This new path corresponds to the mounted com.android.conscrypt APEX container, which is signed and immutable.

See here for more information: https://httptoolkit.com/blog/android-14-breaks-system-certificate-installation/ (mirror)

Edit: see this comment for a working fix.

@directentis1
Copy link

Well, always not easy works.
I failed almost at very first time when trying to use certificates that pushed to system trust store via Magisk Overlayfs modules, but always at first, most of apps don't accept them.
Quite tiring and boredom.

@directentis1
Copy link

Btw, the certificates that installed by user, with der format, but the format of all certificates in system root certificate store is "pem" with plaintext contain the cert in base64 itself and its text below with sha1 fingerprint.

I tried to mimic all of these things but still failed 😪

@Efpophis
Copy link

Efpophis commented Nov 5, 2023

Yeah this thing is ancient by now. With system-as-root, the only way to install your own system level certificates is with the magisk overlay. But nothing accepts them anymore because they don't have a trusted verification server, which is nigh impossible to get without getting your root ca fully trusted anyway. You can still install them as user certs without root, but then you have to deal with the 'network may be monitored' warning.

I abandoned my personal CA and just switched all my stuff over to letsencrypt.

@devnoname120
Copy link

devnoname120 commented Jan 13, 2024

Good news: Adguard found a solution to make their custom cert work on Android 14 i.e. /apex/com.android.conscrypt/cacerts.

See here: AdguardTeam/adguardcert/module/post-fs-data.sh#L50-L73
Just replace Adguard's certificate with your own certificate in this module and you're good to go.


See also this module for an alternative: nccgroup/ConscryptTrustUserCerts
It didn't work for me but it may work for you (or could be fixed in the future).

@Things22
Copy link

Good news: Adguard found a solution to make their custom cert work on Android 14 i.e. /apex/com.android.conscrypt/cacerts.

See here: AdguardTeam/adguardcert/module/post-fs-data.sh#L50-L73 Just replace Adguard's certificate with your own certificate in this module and you're good to go.

See also this module for an alternative: nccgroup/ConscryptTrustUserCerts It didn't work for me but it may work for you (or could be fixed in the future).

@devnoname120
pls tell me how to replace adguard module to reqable and httpcanary ca certificate

i tried but didn't understand anything

@RevealedSoulEven
Copy link

RevealedSoulEven commented Feb 16, 2024

@Things22 I did it brother.
For httpcanary, I did it hurray!

Just download the zip from here https://github.com/AdguardTeam/adguardcert/releases/

Then open it and go post-fs-data.sh and you need to just change two things. Look for something like this AG_CERT_HASH , AG_CERT_FILE and edit both of them to this.

AG_CERT_HASH=87bc3517 AG_CERT_FILE=/data/local/tmp/87bc3517.0

Make sure to copy your root certificate to /data/local/tmp

And then install that zip to magisk as you do for modules.

Reboot and done.

@Nattle
Copy link

Nattle commented Feb 27, 2024

+1 Thanks a bunch.

This helped a lot with Let's Encrypt rolling over to their ISRG Root X1 cert and old android machines.

@vivek-np
Copy link

@Nattle @RevealedSoulEven could you tell how it worked for you
i am testing on android 14 samsung real device i followed the steps and edit the both variable but getting Error
unZip Error

@bulletProofCat
Copy link

@Nattle @RevealedSoulEven could you tell how it worked for you i am testing on android 14 samsung real device i followed the steps and edit the both variable but getting Error unZip Error

this: https://xdaforums.com/t/magisk-module-unzip-error.4503395/ works for me.

You need to be careful to not include an dir in the zip file, after editing, only zip files in unzipped dir instead of zip the dir.

@devnoname120
Copy link

@Sudo989 No.

@pwnlogs
Copy link

pwnlogs commented Aug 8, 2024

I adopted the Adguard module and wrote Cert-Fixer for installing custom CA certificates.

The module copies user certificates installed on the phone to system certificate store during boot. I've tested and verified it on an AVD emulator Pixel 8, Android 15 (API 35) and Pixel 8, Android 14 (API 34).

No intense testing was done on this. So if you get an error, copy the logs from /data/local/tmp/cert-fixer.log and ping me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment