Tuesday, March 12, 2013

How to update HTTPS security certificate authority keystore on pre-android-4.0 device

The Problem

I have a Samsung Galaxy S phone with Android 2.3.3 (Gingerbread).  This device came out in March 2010 which is ancient in terms of mobile devices, but I am still rather fond of this phone.  I began having trouble with certain websites when they changed their certifying authority early in 2013. 
This included problems with well known sites such as facebook and redbox.  Many sites would get the security warning 'This certificate is not from a trusted authority'.  Also I had some problems with apps using SSL.




The Details

When looking in logcat I see something like:
     javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
 

Looking at the example website using my computer's browser on https://www.redbox.com, I noticed the certificate was recently renewed Feb 28, 2013 which is about when I started having problems (the CN listed was from: "Cybertrust Public SureServer SV CA").  Cybertrust now has another CN in Baltimore that is authorizing the new certificate for redbox.com.

You'll need to have root access to your device to do any of these commands.  Also note that Android 4.0 has a different mechanism for working with certificates.  Getting root access of your device is beyond the scope of this tutorial.

Using adb I was able to pull the keystore and examine it to check for the certificates I was looking for.
        adb pull /system/etc/security/cacerts.bks cacerts.bks

You can examine the keystore on your computer using the Portecle software.  Portecle is available from http://portecle.sourceforge.net/
    Select File / Open Keystore... and choose the cacerts.bks file.
    Select Tools / Keystore Report and copy that information into a text editor so you can review it.

The Fix

To fix my problem and update my android 2.3.3 phone certificates I copied the one from the android 3.2 emulator and put that on my phone.  Android 4.0 devices do not use the same cacerts.bks file so they could not be used to copy from. 
  1. Download the updated cacerts.bks file here.
  2. Connect your device to be updated (must be root).  You may need to remount the /system folder as rw for read/write capabilities if you have failures on the push procedure.
  3. Save a copy of the old cert file from your device:
         adb pull /system/etc/security/cacerts.bks cacerts.bks.old
  4.  Put the updated cert file on your device
         adb push cacerts.bks /system/etc/security/
  5.  Reboot the device
Now your device should have access to the updated list of certificates from the new keystore.  You can verify this by pulling the cacerts.bks file from the device and comparing it to the original file.

Related Work:

Hope you found this guide useful, please drop a note, somewhat funny internet cat picture, or +1 if it helped.
You may also want to check out my WorxForUs Android Database and Networking framework that assists database access and network access and addresses several common pitfalls.