How to add root SSL certificate to Android subsystem

Recently I had to install a self-signed certificate for Android apps, and the guides I’ve found were either not working or involved rebuilding the aliendalvik image.

But after some trial and error I’ve found another way: adding a mount entry to the LXC config.

For some reason adding a single file fails, so you have to replace the whole directory.

First, copy your existing certificates to a directory with write access, let’s say /home/defaultuser/cacerts:

mkdir /home/defaultuser/cacerts
lxc-attach -n aliendalvik /system/bin/sh
cp /system/etc/security/cacerts/* /home/defaultuser/cacerts

Then copy your certificate (which must be named according to http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets) to the directory with the existing certificates.

Create the file /var/lib/lxc/aliendalvik/extra_config and add the following line to it:

lxc.mount.entry = /home/defaultuser/cacerts/ system/etc/security/cacerts/ none bind,optional,create=dir 0 0

Reboot Android support, and your certificate should be among the root certificates.
You will have to repeat step 1 if the certificates in the Android image were updated, to get the latest versions.

7 Likes
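Added example, not part of the original posts: because the bind mount replaces the whole system CA directory, the copied set can drift from what the Android image ships, so this script compares the two and checks file names. The helper name `audit_cacerts` is hypothetical, and the reference directory is assumed to be a fresh copy of the image's certificates taken with the mount entry disabled.

```shell
#!/bin/sh
# Added example (not from the thread): audit a bind-mounted CA directory.
# audit_cacerts is a hypothetical helper name.
#   $1 = overlay directory bind-mounted over system/etc/security/cacerts
#   $2 = reference directory (assumption: a fresh copy of the image's own
#        certificates, taken with the mount entry disabled)
# Prints one finding per line:
#   ADDED    in the overlay only (expected for your own CA)
#   MISSING  shipped by the image but absent from the overlay
#   CHANGED  same name, different content
#   BADNAME  not in Android's <8 hex digits>.<index> form
# Returns 0 only when nothing other than ADDED was found.
audit_cacerts() {
    overlay=$1
    reference=$2
    status=0
    for f in "$overlay"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if ! printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            echo "BADNAME $name"; status=1
        elif [ ! -e "$reference/$name" ]; then
            echo "ADDED $name"
        elif ! cmp -s "$f" "$reference/$name"; then
            echo "CHANGED $name"; status=1
        fi
    done
    for f in "$reference"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if [ ! -e "$overlay/$name" ]; then
            echo "MISSING $name"; status=1
        fi
    done
    return $status
}

# Usage: sh audit.sh <overlay-dir> <reference-dir>
if [ "$#" -eq 2 ]; then
    audit_cacerts "$1" "$2"
fi
```

Every ADDED line is a CA that all Android apps will trust, so the list should contain only the certificate you installed on purpose.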

Thank you for these instructions, really helpful.
I think they are a bit outdated however; I had to tweak them a bit.
lxc-attach needs a ‘--’ now before the command.
/home/defaultuser/ is not mounted by default in dalvik.
So you can copy your certificate to /home/defaultuser/Documents/, then:

mkdir /home/defaultuser/android_storage/cacerts/
lxc-attach -n aliendalvik -- /system/bin/sh
cp /system/etc/security/cacerts/* /data/media/0/cacerts/
exit
cp /home/defaultuser/Documents/xxx.0 /home/defaultuser/android_storage/cacerts/

In /var/lib/lxc/aliendalvik/extra_config:

lxc.mount.entry = /home/defaultuser/android_storage/cacerts/ system/etc/security/cacerts/ none bind,optional,create=dir 0 0

1 Like

On Sailfish 4.4 this worked for me straightforwardly as well. But with 4.5 executing

Results in

lxc-attach: aliendalvik: attach.c: get_attach_context: 403 Failed to get init pid
lxc-attach: aliendalvik: attach.c: lxc_attach: 1430 Failed to get attach context

Maybe it is related to the changed privileges or this notice: https://forum.sailfishos.org/t/two-failed-services-every-time-on-xperia-10/9928/5

Do you have the same problem or is it still working for you?

Take a look here and adapt, maybe it helps:

Actually I did it with the native Android tools.

  1. Opened the Android system settings with apkd-launcher com.android.settings/com.android.settings.Settings
  2. Installed the CA certificates into the global key store (see e.g. Can't install CA certificate on Android 11 - Stack Overflow)