
cacert-de - Re: [s20131127.4] [CAcert.org] Possible SPAM

Subject: German-language CAcert Support List

  • From: CAcert Support <support AT cacert.org>
  • To: cacert-support AT lists.cacert.org, cacert AT lists.cacert.org, cacert-de AT lists.cacert.org
  • Subject: Re: [s20131127.4] [CAcert.org] Possible SPAM
  • Date: Wed, 27 Nov 2013 22:45:19 +0000
  • Organization: CAcert

From: sgiebels_cacert_android AT pcprobleemloos.nl
To: support AT cacert.org
ReplyTo: sgiebels_cacert_android AT pcprobleemloos.nl
Subject: [CAcert.org] Possible SPAM
Date: 2013-11-27 02:31:23

Installing CAcert certificates on Android as 'system' credentials
without lockscreen - instructions

The article 'How can I trust CAcert's root certificate?' (
http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones ) unfortunately
does not include how to include the CAcert root class3 into the Android
'System' Trusted Credentials certificate storage.

The existing method of importing user certificates works fine, but it
has the disadvantage that Android requires a PIN / password
lockscreen whenever user certificates are installed.
By installing the CAcert certificates as system certificates, these
files are better protected from tampering by malicious apps, and there
is no lockscreen requirement (allows 'Slide to unlock' or no lock at
all).

Instructions for Android 4.2 and up:

You will need a rooted phone, and a system with openssl software for
creating the new certificates.
(I will not host the certificates, for obvious security reasons. I'll
show you how to create these yourself.)

Get CAcert root certificates from the cacert.org website
https://www.cacert.org/index.php?id=3
Download the root certificate PEM format (root.crt) and the Class 3 PKI
key in PEM format (class3.crt)

Get the hash of the root.crt certificate:
openssl x509 -inform PEM -subject_hash_old -in root.crt | head -1
This shows you the hash, in the case of the CAcert PEM file 'root.crt'
it is '5ed36f99' (note the use of '-subject_hash_old' instead of
'-subject_hash', to get an openssl 0.9 compatible hash)

We will use this hash value, append '.0' (dot zero) and use this as the
filename for the resulting Android certificate:
cat root.crt > 5ed36f99.0
openssl x509 -inform PEM -text -noout -in root.crt >> 5ed36f99.0

Repeat these steps for the Class 3 PEM certificate file 'class3.crt'.

If things go well you will end up with the files 5ed36f99.0 and
e5662767.0
(if you get the hash values 590d426f and 99d0fa06, you are not using the
'-subject_hash_old' parameter to openssl)

Copy the files to the /sdcard folder, either with any file manager or
with 'adb push'.

Go into adb shell (adb shell), or open the 'terminal'-application on
your android device
You will get a command prompt similar to "shell@android:/ $ "

Gain superuser/root rights, necessary to perform privileged actions:
su
Make the /system folder writable (will return to read-only upon reboot):
mount -o remount,rw /system
Copy the new certificate files to the correct folder on your Android
device:
cp /sdcard/5ed36f99.0 /system/etc/security/cacerts/
cp /sdcard/e5662767.0 /system/etc/security/cacerts/
Correct the file permissions to u=rw, g=r, o=r:
cd /system/etc/security/cacerts/
chmod 644 5ed36f99.0
chmod 644 e5662767.0

Check if the files are ok:
ls -al -Z
Omit '-Z' if you are using a version of Android without SELinux, it just
shows some extra security settings which might be useful if you run into
trouble.
Amongst the other default android certificate files, you will see the
two new files:
-rw-r--r-- root root u:object_r:system_file:s0 5ed36f99.0
-rw-r--r-- root root u:object_r:system_file:s0 e5662767.0

The certificates will be loaded upon the next boot of your device, so
reboot your device:
reboot

I would recommend posting these newer instructions on the wiki (url at
top of msg).
Please verify these instructions yourself before posting them.

Yours,
Sebastiaan Giebels
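
Added example, not part of the original message: a Python check that recomputes the '<hash>.0' file name described above (the '-subject_hash_old' value, i.e. MD5 over the DER-encoded subject with the first four bytes read little-endian) independently of the local openssl version, and lists files copied out of a cacerts folder whose name does not match the certificate inside. The function names are illustrative, and the parser assumes a standard X.509 tbsCertificate layout.

```python
import base64, hashlib, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    (tag, length), pos = buf[pos:pos + 2], pos + 2   # ValueError if fewer than 2 bytes
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def subject_der(pem_text):
    """DER bytes of the subject Name of the first certificate found in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, pos, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, pos, end = _read_tlv(der, pos)       # tbsCertificate ::= SEQUENCE
    fields = []                             # serialNumber, signature, issuer, validity, subject
    while pos < end and len(fields) < 5:
        tag, _, nxt = _read_tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version element
            fields.append(der[pos:nxt])
        pos = nxt
    if len(fields) < 5 or fields[4][0] != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    return fields[4]

def android_cacert_name(pem_text):
    """File name for the cacerts folder: MD5 of subject DER, first 4 bytes little-endian."""
    digest = hashlib.md5(subject_der(pem_text)).digest()
    return "%08x.0" % int.from_bytes(digest[:4], "little")

def audit(files):
    """files maps file name -> content; return names whose hash prefix does not match."""
    def matches(name, text):
        try:
            return android_cacert_name(text).split(".")[0] == name.split(".")[0]
        except ValueError:                  # unparsable content counts as a mismatch
            return False
    return sorted(n for n, t in files.items() if not matches(n, t))

if __name__ == "__main__":                  # usage: python3 script.py root.crt class3.crt
    for path in sys.argv[1:]:
        print(path, "->", android_cacert_name(open(path).read()))
```

Run it on the downloaded root.crt and class3.crt and compare the printed names with the hash values given in the message before copying anything to the device.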

