Skip to content

Instantly share code, notes, and snippets.

@pwlin
Last active November 25, 2024 13:50
Show Gist options
  • Save pwlin/8a0d01e6428b7a96e2eb to your computer and use it in GitHub Desktop.
Save pwlin/8a0d01e6428b7a96e2eb to your computer and use it in GitHub Desktop.
Android : add cert to system store
https://code.google.com/p/android/issues/detail?id=32696#c5
If you have a certificate that is not
trusted by Android, when you add it, it goes in the personal cert store.
When you add a cert in this personal cert store, the system requires a
higher security level to unlock the device. But if you manage to add your
cert to the system store then you don't have this requirement. Obviously,
root is required to add a certificate to the system store, but it is quiet
easy.
Here is how to do it :
1 - add your cert normally, it will be stored in your personal store and
android will ask you a pin/password... Proceed
2 - With a file manager with root capabilities, browse files
in /data/misc/keychain/cacerts-added. You should see a file here, it's the
certificate you have added at step 1. If you can not find it in that path, look in /data/misc/user/0/cacerts-added/
3 - Move this file to system/etc/security/cacerts (you will need to mount
the system partition r/w)
4 - Reboot the phone
5 - You are now able to clear the pin/password you have set to unlock the
device.
I Think that this will only work for Root or Intermediate CA.
I got the idea by reading this :
http://nelenkov.blogspot.fr/2011/12/ics-trust-store-implementation.html
@MosheL
Copy link

MosheL commented Oct 23, 2020

@snehalbaghel it can be done with a shell script ?

@pswalia2u
Copy link

pswalia2u commented Oct 23, 2020

I have tried this on Android 10.
@snehalbaghel Thanks bro, this works. I think, only this method works on latest android version. However I wonder how does httpcanary is able to make its certificate persistent 🤔. It remains in system store even after reboot and even if we uninstall the app. App is at, https://play.google.com/store/apps/details?id=com.guoshi.httpcanary&hl=en&gl=US do check it out once.
Screenshot_2020-10-23-16-16-18-96

@pswalia2u
Copy link

pswalia2u commented Oct 23, 2020

Hey, I am able to make the changes persistent. You just need to:

  1. Reboot to recovery (You need twrp to be installed, I have not tried on other ones).
  2. Mount /system partition in twrp.
  3. Connect usb to be able to use adb.
  4. Then transfer your hash.0 cert file to /system/etc/security/cacerts/ .
  5. At last just run these commands one by one:
    chown root:root /system/etc/security/cacerts/*
    chmod 644 /system/etc/security/cacerts/*
    chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
  6. Now your installed cert(hash.0) will remain even after reboot!.

Please note location of these certs will be /data/adb/modules/movecert/system/etc/security/cacerts/ (in my case atleast)
I have tried this before also but,
this last command did the magic.
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

@snehalbaghel
Copy link

@pswalia2u That's great! Thanks for the tip.

@Efpophis
Copy link

For android 10, which uses system-as-root, the only way I've found is to use a magisk overlay module. Fortunately, I have created one of those to install my self-signed CA cert. Find it here: https://github.com/Efpophis/Efpophis_Net_Magisk

@snehalbaghel
Copy link

@pswalia2u can you send me httpcanary's certificate? I would like to try the app but it doesn't support Android 11's manual certificate installation. (https://github.com/MegatronKing/HttpCanary/issues/133)

@snehalbaghel
Copy link

@Efpophis Exposed had a lot of modules that did exactly this. I was surprised Magisk didn't. Thanks for making one :)

@pswalia2u
Copy link

@pswalia2u can you send me httpcanary's certificate? I would like to try the app but it doesn't support Android 11's manual certificate installation. (MegatronKing/HttpCanary#133)

sent you via email. You can download certificate from within the app settings also.

@dextacy10-13
Copy link

@vsTerminus your process worked for me using Emulator on Nexus S with Android 9.0, tried loads of others which did not work
image

@sizief
Copy link

sizief commented Dec 5, 2020

This is how I did it on my Sony Xperia z5 Android 10 (rooted)

  • Install MTIMPROXY
  • cd ~/.mitmproxy and then openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1
  • adb root
  • adb shell
  • mount -o rw,remount /
  • Open a vim in the shell and copy paste the content of file in step 2.
  • Save the file in system/etc/security/cacerts/FILENAME.0 find the file name in step 2
  • chmod 644 system/etc/security/cacerts/FILENAME.0
  • mount -o ro,remount /
  • Reboot
  • Open MITMPROXY on PC and set the proxy on android.

Now I can see all HTTP or HTTPS traffic. The only traffic that I can not see is the CA-pinned traffic (Facebook for example) for those you need to decompile APK, change the res file, compile it again and install it on your android device.

@Romern
Copy link

Romern commented Jan 2, 2021

For Magisk users I can also recommend this addon, if you only have your own user certificates. Technically it should also be possible to create an own Magisk Module only containing your certificate, but this was easier to setup quickly.

@sabbirrahman
Copy link

sabbirrahman commented Jan 18, 2021

5 - Move the cert. Replace "cert.0" with whatever the filename is. eg c7451f0d.0

adb ls /data/misc/user/0/cacerts-added
adb pull /data/misc/user/0/cacerts-added/cert.0
adb push cert.0 /system/etc/security/cacerts/

@vsTerminus I'm stuck on the 3rd command from step 5. Getting this error:

adb: error: failed to copy '13e3ab67.0' to '/system/etc/security/cacerts/13e3ab67.0': remote couldn't create file: Read-only file system`

When I run adb root it says 'adbd is already running as root'.
Any help will be appreciated.
Thanks.

@Hritik14
Copy link

Hritik14 commented Jan 25, 2021

@sabbirrahman I guess you forgot to remount root as read-write.

# mount -o rw,remount /

@Efpophis
Copy link

Efpophis commented Jan 25, 2021

Some of you guys are missing a critical detail. Since Android 10, and possibly earlier, Google has gone with a ”system-as-root” approach. This means you cannot remount the /system position as read/write, and you can't modify it directly, even as root. The magisk add-ons mentioned are now pretty much the only game in town.

@Hritik14
Copy link

Fsck Google

@fantasyado
Copy link

user certs location in my device:
/data/misc/user/0/cacerts-added

Meizu 16s also located here. Thanks :)

@dylanninin
Copy link

you can read System CA on Android Emulator from mitmproxy:

3. Insert certificate into system certificate store

Now we have to place our CA certificate inside the system certificate store located at /system/etc/security/cacerts/ in the Android filesystem. By default, the /system partition is mounted as read-only. The following steps describe how to gain write permissions on the /system partition and how to copy the certificate created in the previous step.

Instructions for API LEVEL > 28

Starting from API LEVEL 29 (Android 10), it seems to be impossible to mount the "/" partition as read-write. Google provided a workaround for this issue using OverlayFS. Unfortunately, at the time of writing this (11. April 2021), the instructions in this workaround will result in your emulator getting stuck in a boot loop. Some smart guy on Stackoverflow found a way to get the /system directory writable anyway.

Keep in mind: You always have to start the emulator using the -writable-system option if you want to use your certificate. Otherwise Android will load a "clean" system image.

Tested on emulators running API LEVEL 29 and 30

Instructions

  • List your AVDs: emulator -list-avds (If this yields an empty list, create a new AVD in the Android Studio AVD Manager)
  • Start the desired AVD: emulator -avd <avd_name_here> -writable-system (add -show-kernel flag for kernel logs)
  • restart adb as root: adb root
  • disable secure boot verification: adb shell avbctl disable-verification
  • reboot device: adb reboot
  • restart adb as root: adb root
  • perform remount of partitions as read-write: adb remount. (If adb tells you that you need to reboot, reboot again adb reboot and run adb remount again.)
  • push your renamed certificate from step 2: adb push <path_to_certificate> /system/etc/security/cacerts
  • set certificate permissions: adb shell chmod 664 /system/etc/security/cacerts/<name_of_pushed_certificate>
  • reboot device: adb reboot

@fabiorzfreitas
Copy link

I managed to put the cert (.0 file) in /system/etc/security/cacerts/ using a Magisk module, but still can't get it to work, permissions seem to be the same for all certs there

@VitorJeremias
Copy link

VitorJeremias commented Oct 27, 2021

I managed to put the cert (.0 file) in /data/misc/user/0/cacerts-added. By doing that it will recognize as a user-imported certificate, and no remount/reboot is necessary. adb root is still necessary though.
Note: It works right away by using adb push from the host machine. If you use adb shell cp from another location inside the device, you'll need to chmod the cert file for it to work.

@Suavac
Copy link

Suavac commented Nov 7, 2021

Is it possible to retain certificate added to system store after unrooting?

@phillippmueller74
Copy link

Tested on API 28

adb root
adb disable-verity
adb reboot
adb root
adb remount
adb push FILENAME.0 /system/etc/security/cacerts
adb shell chmod 664 /system/etc/security/cacerts/FILENAME.0

@b4cktr4ck2
Copy link

Has anyone managed to do this with AVD with Google Play (NOT Google API's) and Android 11 installed? I realize I've sort of shot myself in the foot here, but if anyone knows of a way to root such a device please let me know using Android Studio.

@prot0man
Copy link

prot0man commented Mar 3, 2023

@devnoname120
Copy link

devnoname120 commented Sep 12, 2023

For future visitors: this method doesn't work for Android 14 (aka API level 34) as certificates are now loaded from /apex/com.android.conscrypt/cacerts (instead of /system/etc/security/cacerts) . This new path corresponds to the mounted com.android.conscrypt APEX container, which is signed and immutable.

See here for more information: https://httptoolkit.com/blog/android-14-breaks-system-certificate-installation/ (mirror)

Edit: see this comment for a working fix.

@directentis1
Copy link

Well, always not easy works.
I failed almost at very first time when trying to use certificates that pushed to system trust store via Magisk Overlayfs modules, but always at first, most of apps don't accept them.
Quite tiring and boredom.

@directentis1
Copy link

Btw, the certificates that installed by user, with der format, but the format of all certificates in system root certificate store is "pem" with plaintext contain the cert in base64 itself and its text below with sha1 fingerprint.

I tried to mimic all of these things but still failed 😪

@Efpophis
Copy link

Efpophis commented Nov 5, 2023

Yeah this thing is ancient by now. With system-as-root, the only way to install your own system level certificates is with the magisk overlay. But nothing accepts them anymore because they don't have a trusted verification server, which is nigh impossible to get without getting your root ca fully trusted anyway. You can still install them as user certs without root, but then you have to deal with the 'network may be monitored' warning.

I abandoned my personal CA and just switched all my stuff over to letsencrypt.

@devnoname120
Copy link

devnoname120 commented Jan 13, 2024

Good news: Adguard found a solution to make their custom cert work on Android 14 i.e. /apex/com.android.conscrypt/cacerts.

See here: AdguardTeam/adguardcert/module/post-fs-data.sh#L50-L73
Just replace Adguard's certificate with your own certificate in this module and you're good to go.


See also this module for an alternative: nccgroup/ConscryptTrustUserCerts
It didn't work for me but it may work for you (or could be fixed in the future).

@Things22
Copy link

Good news: Adguard found a solution to make their custom cert work on Android 14 i.e. /apex/com.android.conscrypt/cacerts.

See here: AdguardTeam/adguardcert/module/post-fs-data.sh#L50-L73 Just replace Adguard's certificate with your own certificate in this module and you're good to go.

See also this module for an alternative: nccgroup/ConscryptTrustUserCerts It didn't work for me but it may work for you (or could be fixed in the future).

@devnoname120
pls tell me how to replace adguard module to reqable and httpcanary ca certificate

i tried but didn't understand anything

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment