[How-To] Import TLS certificate into Android support

asked 2018-04-21 19:37:13 +0300 by takimata

updated 2018-10-15 16:50:27 +0300

I needed a way to import my own TLS certificates so that Android apps trust them. This is different from adding certs to SfOS: the Android subsystem doesn't use the same cert store as Sailfish does.

  • Note: If you are not familiar with the shell, read a guide like https://guide.bash.academy/?=Chapters#h0.3 first!

  • ${CERTFILE} denotes the certificate you want to import. -> You can set

    CERTFILE=/the/path/to/your/certificate/you/want/to/install

    and copy&paste all other commands without adapting this ...

The first two steps require openssl. -> You need developer mode enabled to install openssl:

pkcon install openssl

You can also perform the next 2 steps locally on your Linux machine and not on the phone.

1. Add plaintext description: I don't think that's really necessary, but all other certs I found in the certificate directory looked the same way. Besides, it is helpful to identify the certificate later.

openssl x509 -in "${CERTFILE}" -noout -text >> "${CERTFILE}"

2. Determine the md5 hash which will become part of the file name:

AnMD5Value=$(openssl x509 -subject_hash_old -noout -in "${CERTFILE}")

3. Rename & copy to the proper location:
I also tried /opt/alien/data_jolla/misc/keychain/certs-added/ (it would be cleaner to put it there), but K-9 Mail didn't use it from there.

devel-su mv "${CERTFILE}" /opt/alien/system/etc/security/cacerts/"${AnMD5Value}".0

  • Reboot, just to be sure

References: https://blog.kylemanna.com/android/android-ca-certificates/#installing-a-root-ca-certificate-on-android
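The three steps above combined into one script, as an added example that is my own code and not part of the original post. It computes the Android file name with openssl's -subject_hash_old, writes the PEM block followed by the text dump into a fresh file instead of appending to the original, checks the staged copy by SHA-256 fingerprint, and handles the case where another CA already occupies <hash>.0 by moving on to .1, .2, ... the way Android's cert store looks them up. It assumes openssl is on the PATH; the store directory is a parameter, so it can be dry-run in a scratch directory, and only on the device would you point it at /opt/alien/system/etc/security/cacerts under devel-su. The make_demo_ca helper and its "Example Demo CA" subject are constructed only so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: stage a CA certificate in the
# layout Android's cert store expects (<subject_hash_old>.N containing the PEM
# block followed by a human-readable dump) and verify the staged copy.
# Assumes openssl is on the PATH. The store directory is a parameter so this
# can be dry-run in a scratch directory; on the device use
# /opt/alien/system/etc/security/cacerts under devel-su.
set -eu

# Print the 8-hex-digit name prefix Android uses for a PEM certificate,
# or fail if the file does not parse as a certificate.
android_subject_hash() {
    h=$(openssl x509 -subject_hash_old -noout -in "$1" 2>/dev/null) || h=""
    case "$h" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
            printf '%s\n' "$h" ;;
        *)
            echo "android_subject_hash: $1 is not a valid PEM certificate" >&2
            return 1 ;;
    esac
}

# Write <hash>.N into the store directory and print the path written.
# Android tries <hash>.0, <hash>.1, ... so a subject-hash collision must not
# overwrite a different CA that already lives in slot .0.
stage_cert() {
    cert=$1
    store=$2
    hash=$(android_subject_hash "$cert") || return 1
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
    mkdir -p "$store"
    i=0
    while [ -e "$store/$hash.$i" ]; do
        existing=$(openssl x509 -noout -fingerprint -sha256 -in "$store/$hash.$i" 2>/dev/null || true)
        # same certificate already staged: reuse its slot instead of adding a duplicate
        if [ "$existing" = "$fp" ]; then
            break
        fi
        i=$((i + 1))
    done
    dest="$store/$hash.$i"
    # PEM first, then the text description, matching the files already in cacerts
    { openssl x509 -in "$cert"; openssl x509 -in "$cert" -noout -text; } > "$dest"
    chmod 644 "$dest"
    # the staged copy must still parse and carry the same fingerprint as the input
    [ "$(openssl x509 -noout -fingerprint -sha256 -in "$dest")" = "$fp" ] || return 1
    printf '%s\n' "$dest"
}

# Constructed input for offline runs only: a throwaway self-signed CA
# (hypothetical subject, not a real authority).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Demo CA" -keyout "$1.key" -out "$1" 2>/dev/null
}

# On the device: CERTFILE=/path/to/cert.pem devel-su sh stage-cert.sh ; then reboot.
if [ -n "${CERTFILE:-}" ]; then
    stage_cert "$CERTFILE" "${CERT_STORE:-/opt/alien/system/etc/security/cacerts}"
fi
```

Setting CERT_STORE to any writable directory lets you inspect the resulting file before touching the Alien Dalvik store; the fingerprint check at the end is what tells you the copy Android will load is the certificate you meant to install and not a mangled one.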


Comments

I want to try your How-to, but fail on the first step. Where to find this ${yourCert.pem} on my phone? I mean there are a lot of TLS certs available in the settings area, but which one to take and where are the files? Thanks for your help in advance.

Vieno ( 2018-09-14 22:20:35 +0300 )

As stated above, this denotes the certificate you want to import - you have to replace it with the path to the certificate you want to import.

Where the certificate comes from and how you guarantee that nobody foists a faked one on you is up to you. Normally you have a certificate and want to use it with Android applications - and that's what this guide is for - documenting where to put that cert...

As you are apparently new to the shell, https://guide.bash.academy/expansions/?=Parameter_Expansion#h2.2.2 might be worth reading.

I've tried to clarify usage a bit.

takimata ( 2018-10-15 17:07:12 +0300 )

Thanks for your guide. Actually I have an issue with a German Rail operator that requires TLS1.2 to buy tickets. Are you aware whether it'd be enough to install the desired certificates or would it require extra libraries?

jollajo ( 2018-10-15 17:54:42 +0300 )

After looking at the symbol table (readelf -a /opt/alien/system/lib/libssl.so | grep TLS) it looks like there is an Android-related library supporting TLSv1.1 and TLSv1.2 (but not TLSv1.3, though).

But at least Deutsche Bahn should be able to buy a certificate whose CA is already commonly registered as a trusted certificate authority... Are you sure importing another cert is really necessary?

takimata ( 2018-10-16 09:47:36 +0300 )

I'm having the same problem with this German railway company. Their app "DB Navigator" complains about a missing certificate. As I have little knowledge about Android, certs, ... I'll just write some assumptions: If I got it right, the "DB Navigator" app relies on the app "Android System WebView" (Android 5&6) or "Chrome v51" (Android 7) to establish a TLS 1.2 connection. Hence the certificate itself won't work (my own assumption). There is a commit for a downstream merge for microG which implements a ProviderInstaller. Maybe this will help.

Vieno ( 2018-10-16 14:40:13 +0300 )