If you have just updated to Android 4.4 KitKat and you use a custom root certificate to sign SSL/TLS certs for your own server, website or WiFi, you may have seen the "Network may be monitored by an unknown third party" prompt.
Android allows you to add user-defined SSL Certificate Authority certs, but it then complains about them continually, which is incredibly annoying!
Installing CAcert root certificates
I'm going to use the CAcert root certificates as an example, since so many people use their free certificate signing service.
- Set a pattern or pin lock on your phone.
- In the stock Android browser (not Firefox, because it has its own cert management), navigate to the CAcert Cert Download Page and click on the PEM format keys
- Click through the notifications to add the cert. You should now get notifications in your notification panel and a tile in the quick settings tray. You can view the certs by clicking the notifications, or: Settings --> Security --> Trusted Credentials --> User
Here’s how to permanently dismiss the security warning
To do this you need:
- A rooted phone with Busybox and SuperSU installed
- Android Terminal Emulator app (FOSS, available from Google Play or F-Droid)
- Hacker’s Keyboard is useful in the terminal as it has arrow keys in landscape mode, but not essential. It is also available from F-Droid.
Open Android terminal emulator and type:
u0_a79@deb:/ $ su
Click the prompt to grant SuperUser access to Android Terminal Emulator app.
Now do the following.
Mount your system flash memory read-writable:
root@deb:/ # mount -o remount,rw /system
Change directory to where Android stores user imported certs:
root@deb:/ # cd /data/misc/keychain/cacerts-added/
List the certs you have imported:
root@deb:/ # ls
Use the cat command to read the certs and copy the contents to new files in the folder where system certs are stored (replace "5ed36f99.0" etc. with your own cert file names). Note: we're using cat because mv doesn't work here; you get an error like "failed on '5ed36f99.0' - Cross-device link":
root@deb:/ # cat 5ed36f99.0 > /system/etc/security/cacerts/5ed36f99.0
root@deb:/ # cat e5662767.0 > /system/etc/security/cacerts/e5662767.0
Change directory to the location of the new certs, and list them in long format to show their permissions:
root@deb:/ # cd /system/etc/security/cacerts
root@deb:/ # ls -l
Change the permissions to match the other certs in the folder (644: readable by everyone, writable only by root):
root@deb:/ # chmod 644 5ed36f99.0 e5662767.0
If all went well, you can now reboot:
root@deb:/ # reboot
The new certs will now appear in the Trusted Credentials GUI.
You can now remove the certs from the user section of Trusted Credentials, and those security warnings will disappear!
Quickly restoring CAcert root certs after OTA updates
Following the steps above to restore the CAcert certificate every time can be a pain, so you might like to make a copy of the certs to a folder on your
cat them across and change the permissions each time you receive an update.
If that still seems like a lot of effort, here's a script that will download the certificate from CAcert and do the rest for you:
#!/bin/sh
dlroot="/sdcard/CAcert-root"
dlclass3="/sdcard/CAcert-class3"
# md5sums for .der versions
md5root="a61b375e390d9c3654eebd2031461f6b"
md5class3="f72512824e67b5d08d92b77c0b867a42"
# final destinations for the certificates
destroot="/system/etc/security/cacerts/5ed36f99.0"
destclass3="/system/etc/security/cacerts/e5662767.0"
# Check for a previously downloaded CAcert certificate and delete it if it exists:
if [ -f "$dlroot" ]
then
    echo "Previously downloaded CAcert root detected, will be removed"
    rm "$dlroot"
fi
if [ -f "$dlclass3" ]
then
    echo "Previously downloaded CAcert class 3 detected, will be removed"
    rm "$dlclass3"
fi
# download CAcert root certs from cacert.org
wget --output-document="$dlroot" http://cacert.org/certs/root.der
wget --output-document="$dlclass3" http://cacert.org/certs/class3.der
# calculate md5sums for comparison
md5root_calc=$(md5sum "$dlroot" | cut -d " " -f 1)
md5class3_calc=$(md5sum "$dlclass3" | cut -d " " -f 1)
# check MD5sums and abort if they don't match the expected values
# NB: "[" is an alias for the "test" command which is in busybox.
# The variables are quoted so that an empty value (e.g. after a failed
# download) compares as a mismatch instead of breaking the test command.
if [ "$md5root_calc" != "$md5root" ]
then
    echo "Calculated MD5sum for root cert ( $md5root_calc ) does not equal expected MD5sum ( $md5root ), aborting"
    exit 1
else
    echo "MD5sum for root cert OK"
fi
if [ "$md5class3_calc" != "$md5class3" ]
then
    echo "Calculated MD5sum for class 3 cert ( $md5class3_calc ) does not equal expected MD5sum ( $md5class3 ), aborting"
    exit 1
else
    echo "MD5sum for class 3 cert OK"
fi
echo "Re-mounting root filesystem read-write"
mount -o remount,rw /system
echo "Copying certs to root filesystem"
cat "$dlroot" > "$destroot"
cat "$dlclass3" > "$destclass3"
# check the write was successful, warn and abort if not
if [ ! -f "$destroot" ]
then
    echo "Something went wrong: root cert was not written to root filesystem"
    exit 1
fi
if [ ! -f "$destclass3" ]
then
    echo "Something went wrong: class 3 cert was not written to root filesystem"
    exit 1
fi
echo "Changing file permissions for certs to 644"
chmod 644 "$destroot" "$destclass3"
echo "Re-mounting root filesystem read only"
mount -o remount,ro /system
echo "Done!"
exit
Save it to your computer as android-cacert-script.sh and then use adb to transfer it:
adb push ~/android-cacert-script.sh /sdcard/android-cacert-script.sh
Now all you need to do after an update is open the terminal emulator app and type these commands:
su
sh /sdcard/android-cacert-script.sh
That's it! The script will warn you and abort if the certs downloaded don't match the expected md5sum.
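The script above checks an MD5 of a file fetched over plain HTTP and hardcodes the hashed filenames. Here is an added example (my own, not the post's script or CAcert's) of the same install step with the filename derived the way Android names files in /system/etc/security/cacerts (OpenSSL's subject_hash_old, which gives 5ed36f99.0 for the CAcert root) and the download checked against the certificate's SHA-256 fingerprint before anything is written. It assumes openssl is available in the shell; CACERTS_DIR is a hypothetical override so the copy step can be exercised off-device.

```shell
#!/bin/sh
# Added example, not the post's script. Installs one CA cert into the Android
# system store. The target filename is <subject_hash_old>.0, which is how
# Android names /system/etc/security/cacerts entries (5ed36f99.0 for the
# CAcert root), and the cert is verified by SHA-256 fingerprint, not file MD5.
# Assumes openssl and a root shell. CACERTS_DIR is an override for testing.

CACERTS_DIR="${CACERTS_DIR:-/system/etc/security/cacerts}"

# Normalise a downloaded cert (cacert.org offers PEM and DER) to PEM in $2.
to_pem() {
    openssl x509 -in "$1" -out "$2" 2>/dev/null \
        || openssl x509 -inform DER -in "$1" -out "$2"
}

# Android store filename for a PEM cert: <subject_hash_old>.0
android_cert_name() {
    echo "$(openssl x509 -in "$1" -noout -subject_hash_old).0"
}

# SHA-256 fingerprint of the DER certificate, lowercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Succeeds only if the cert at $1 has the expected fingerprint $2 (any case,
# colons optional); a tampered, truncated or empty download is refused.
verify_fingerprint() {
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$want" ] && [ "$(cert_fingerprint "$1")" = "$want" ]
}

# Only remount when writing to the real /system partition, never a test dir.
remount_system() {
    if [ "$CACERTS_DIR" = /system/etc/security/cacerts ]; then
        mount -o remount,"$1" /system
    fi
}

# Verify, then copy the PEM into the store with the 644 mode the other certs use.
install_ca_cert() {
    if ! verify_fingerprint "$1" "$2"; then
        echo "fingerprint mismatch for $1, refusing to install" >&2
        return 1
    fi
    name=$(android_cert_name "$1")
    remount_system rw || return 1
    cat "$1" > "$CACERTS_DIR/$name" && chmod 644 "$CACERTS_DIR/$name"
    rc=$?
    remount_system ro
    return $rc
}
```

Run it as root after an OTA update with `install_ca_cert /sdcard/root.pem <expected sha256 fingerprint>`, taking the fingerprint from a source you already trust rather than from the same download.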
Android app Move Certs
Yet another option is an app called "Move Certs" written by Felix Ableitner, which he kindly released under the GPLv3 free software licence. Get it on F-Droid!