Install CA without having to activate screen lock

Question

I have a Nexus 7 (Android 4.1.1) and I want to add a CA (Certificate Authority) to my device to use it for the ssl-connection to my mail server. The CA is self-signed. The Certificate does only contain the public key of the CA (of course!).

I also want to keep my screenlock disabled because on a tablet not leaving my house it does not make sense to have a screen lock.

Now the problem arises: Whenever I want to import the CA, Android wants me to change my screenlock to digits/password which I want to avoid.

Can this behaviour somehow be prevented? There is nothing security critical at a public key of a CA.

I know that when the phone is rooted one can add a CA, but I want to avoid rooting my phone.

Answer 1

I've written an article on creating & installing CAcert certificates as Android System Certificates (Android >=4.2), thus allowing you to use your device without lockscreen:

http://wiki.pcprobleemloos.nl/android/cacert

Main part of my article:

cat root.crt > 5ed36f99.0
openssl x509 -inform PEM -text -in root.crt -out /dev/null >> 5ed36f99.0
cat class3.crt > e5662767.0
openssl x509 -inform PEM -text -in class3.crt -out /dev/null >> e5662767.0

Copy the files 5ed36f99.0 and e5662767.0 to /system/etc/security/cacerts/ (and chmod 644 them), reboot and it should work. Check Settings -> Security -> Certificates, it should list both "CAcert Inc." and "Root CA". Note that some browsers might use their own certificate store instead of the Android one.

The Android security model explicitly forces you to have a lockscreen whenever a non-system (user) certificate is installed. There is no configuration option around this.

You can either replace your stock Android version with one which has removed this requirement (I do not think that any exist, but you could theoretically create your own).

The other option is using (temporary) root access for installing this certificate, and then 'unrooting' it, although that sounds a bit silly.

Answer 2

Sorry, root access is require AFAIK. For everybody who has root access and Android 4+, here a detailed description how to add it to Android's system certificate folder:

Assuming your certificate file - let's call it root.cer - looks like this:

-----BEGIN CERTIFICATE-----
MIIDgzCCAmugAw[...]
[...]
-----END CERTIFICATE-----

Obtain the name Android needs for it (".0" is appended) and store in variable $name:

name=$(openssl x509 -inform PEM -subject_hash_old -in root.cer | head -1).0

Sample output for: echo $name

00673baa.0

Create the certificate file for Android:

cat root.cer > $name
openssl x509 -inform PEM -text -in root.cer -out /dev/null >> $name

Copy certificate file to SD card:

adb push $name /sdcard

Open Android shell:

adb shell

Become root and copy certificate to Android's system certificate folder:

su
mount -o remount,rw /system
cp /sdcard/00673baa.0 /system/etc/security/cacerts/

Note: For the last command you need to replace the certificate file name!

Now reboot. Make sure that the certificate was correctly installed: Goto Settings -> Security -> Show trusted certificates. Here in the system list you should find the name of the issuer of your self-signed certificate (which is equal to the subject). You can print it using:

openssl x509 -inform PEM -issuer -in root.cer -out /dev/null

Now you can delete all certificates (system certificates are not touched) and remove the lock screen.

Answer 3

There is no way I know of which will achieve this. I've been looking for a way of doing the same thing for a while now, as my work requires me to use a CA, but have found nothing after a lot of looking. If you were rooted then it might be possible, but without root I'm afraid you're going to have to just deal with it.

Sorry!

Answer 4

In case you decide to root the phone (you can only root it temporarily to install the certificates, it doesn't need to remain rooted), you can upload the certificates into a directory and the next reboot they will be validated:

adb shell mount -o remount,rw /system
adb push 1dbdda5d.0 /system/etc/security/cacerts/

where 1dbdda5d.0 is your certificate to be trusted.

Answer 5

I found a way to solve the problem, but it requires root and may only work with root, self-signed, or intermediate CAs.

If you have a certificate that is not trusted by Android, when you add it, it goes in the personal cert store. When you add a cert in this personal cert store, the system requires a higher security level to unlock the device. But if you manage to add your cert to the system store then you don't have this requirement. Obviously, root is required to add a certificate to the system store, but it is quiet easy.

Here is how to do it :

1 - Add your cert normally. For example, my cert was called some.crt. It will be stored in your personal store and android will ask you a pin/password... Proceed.

2 - With a file manager with root capabilities, browse files in /data/misc/keychain/cacerts-added or /data/misc/keystore. You should see a file here called 1000_USRCERT_some it's the certificate you have added in step 1.

3 - Move this file to system/etc/security/cacerts (you will need to mount the system partition r/w)

4 - Reboot the phone

5 - You are now able to clear the pin/password you have set to unlock the device.

Worked for me with a self-signed cert on Android 4.4.2. Hope it helps!

Answer 6

There is a way. Just install your certificate the usual way and set "Patterns" as lock screen to do so. Lock the screen. Fail on the patterns 5 times, then click on "forgot pattern" in the lower right corner, login with your Google account and voilà ... the lock screen is reset to "none" and certificates are still there.

Just tested it on Galaxy Note N7000 with 4.1.2