How to add root SSL certificate to Android subsystem

Recently I had to install self-signed certificate for Android apps, and the guides I’ve found were either not working or involved rebuilding aliendalvik image.

But after some trial and error I’ve found another way by adding mount entry to LXC config.

For some reason adding single file fails, so you have to replace whole directory.

First, copy your existing certificates to dir with write access, let’s say /home/defaultuser/cacerts

mkdir /home/defaultuser/cacerts
lxc-attach -n aliendalvik /system/bin/sh
cp /system/etc/security/cacerts/* /home/defaultuser/cacerts

Then copy your certificate (that must have name according to to dir with existing certificates.

Create file /var/lib/lxc/aliendalvik/extra_config and add following line to it:

lxc.mount.entry = /home/defaultuser/cacerts/ system/etc/security/cacerts/ none bind,optional,create=dir 0 0

Reboot Android support, and your certificate should be among root certificates.
You will have to repeat step 1 if certificates in Android image were updated to get latest versions.


Thank you for theses instructions, really helpful.
I think they are a bit outdated however, I had to tweak them a bit.
lxc-attach needs a ‘–’ now before the command.
/home/defaultuser/ is not mounted by default in dalvik.
So you can copy your certificate in /home/defaultuser/Documents/, then :

mkdir /home/defaultuser/android_storage/cacerts/
lxc-attach -n aliendalvik -- /system/bin/sh
cp /system/etc/security/cacerts/* /data/media/0/cacerts/
cp /home/defaultuser/Documents/xxx.0 /home/defaultuser/android_storage/cacerts/

In /var/lib/lxc/aliendalvik/extra_config :

lxc.mount.entry = /home/defaultuser/android_storage/cacerts/ system/etc/security/cacerts/ none bind,optional,create=dir 0 0

1 Like

On Sailfish 4.4 this worked for me straight forward as well. But with 4.5 executing

Results in

lxc-attach: aliendalvik: attach.c: get_attach_context: 403 Failed to get init pid
lxc-attach: aliendalvik: attach.c: lxc_attach: 1430 Failed to get attach context

May be it is related to the changed privileges or this notice:

Do you have the same problem or is it still working for you?

Take a look here and adapt, maybe it helps:

Actually I done it with the native Android tools.

  1. Opened the android system settings with apkd-launcher
  2. Installed the CA certificates into the global key store (s. e.g. Can't install CA certificate on Android 11 - Stack Overflow)