Android: Installing CA certs

Created: 23 May 2025
Updated: 29 May 2025
adbfun.png
Figure 1: Making sense of what they do at botfarms.

I own a very old cellphone with android. No phoneline. Just as a dumb video player for youtube and listen to some podcasts.

It's so old, that the oldest Android version supported by the Play Store.

Problem

One of the things that tend to happen with old hardware, that runs old software, is that their root certificates get outdated. And with them your ability to see some webpages.

This can be somewhat sidestepped using Chrome and pressing "ignore invalid cert". (Or maybe installing Firefox since they seem to come with their own CA's). But all that still leaves you with some apps not working.

Solution

When I first looked at solutions, it seemed that it will require a rooted phone. However I took another look today and I found a way to do it without it. That is by "manually" importing them from an SDCard.

Getting the new certs

We download the certs from a official source. We unpack them. And rename them to .pem, this was needed for the manual installation to see the certificates. 

$ mkdir temp-certs/
$ cd temp-certs/
$ wget -O android-ca.tar.gz https://android.googlesource.com/platform/system/ca-certificates/+archive/refs/heads/main/files.tar.gz
$ tar xvzf android-ca.tar.gz
$ for i in *.0; do mv "$i" "${i%.0}.pem"; done
$ for i in *.pem; do adb push "$i" /sdcard/SDC4-N4M3/; done

Manual Installation

advance-setting.jpg
Figure 2: menu steps needed to reach the ui to install ca certs

We need to:

  1. go to Settings > Security > Install from SD Storage
  2. select the cert we want to install
  3. write a name for it
  4. tap on "Accept"

Those last 3 steps for each of the +140 certs…

Automation

Problem is we are talking about +140 certs with no easy way to bulk import.

The other solution is using "adb" (aka android debugger) to tell it to install and to interact with the dialog to name the new cert and to accept the dialog. All hands-off!! 

for i in *.pem; do
    echo "$i"
    adb shell "am start -n com.android.certinstaller/.CertInstallerMain -a android.intent.action.VIEW -t application/x-x509-ca-cert -d file:///storage/SDC4-N4M3/$i"
    adb shell input text "$i"
    adb shell input tap 420 692 # I got this XY value with the help from Developer Tools and importing it once manually
    sleep 2 # Could be less...
done

Et voila! No more sketchy certs. And no more apps partially working or not at all.

Addenum

Well, apparently Android does not like you adding new CA root certs. So a warning message is displayed on each reboot.

adbfun3.jpeg
Figure 3: warning now showed, once per reboot

So as long as your new root certificates are at /data/misc/keychain/cacerts-added and not in a root protected place like /system/etc/security/cacerts it keep warning you about it. There is no way to tell it to stop.

See: