CACertMan app to address DigiNotar & other bad CAs

As I expect many of you are aware, a Dutch Certificate Authority named “DigiNotar” was recently compromised, and fraudulent SSL certs were issued for domains like *, * and even *, as well as *.*.com.

It was brought up to the contribs of CyanogenMod that they should probably remove the DigiNotar CA cert from the built-in Android OS keystore (located at /system/etc/security/cacerts.bks). Since they have 500k+ users and can be more nimble than other ROM/device distributors, it was seen as a way to quickly address the problem, at least within their community. It turns out that it wasn’t as easy to convince them to do this (even though Mozilla, Google Chrome, IE, etc. already had). You can read the thread, but it is still an open issue:

In the meantime, I decided to do something proactive about this, and took two approaches:

1) Create our own curated cacerts.bks file, which rooted users can install using ‘adb’ from their desktop and/or the ‘Root Explorer’ app available in the Market and elsewhere. Our version of the CACert file removes DigiNotar, as well as CNNIC, a Chinese gov’t-managed cert authority which we have reason not to trust. Our goal is to continue to audit, update and distribute our own cacerts file for users who trust us.

Install info:

Guardian’s CACert:

2) We also wanted to create an app that lets the user decide which certs they want available, and which they don’t. Beyond this one CA problem, there are potentially many more, and every handset manufacturer or carrier can also place their own CA certs into the system. We need an app to address today’s and future CA threats.

I have been hacking away on a solution to address this, and an initial test release is available for you. ‘CACertMan’ is a simple app that loads up the system cacert store, lets you back it up, search for certs, delete them, and then save it back to the system. You can always restore from your initial backup as well. In the future we may allow a cert to just be disabled, but for now it is delete and/or restore.

Here is the first alpha build for testing. It requires root, as well as a device that has the ‘grep’ command on it. In practice that means CyanogenMod, though most other custom ROMs will most likely work too. If the ‘save’ doesn’t work, you will need to use ‘Root Explorer’ to make your /system partition read-write.
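As an added example (not code from this post or from the CACertMan project), the script below carries approach 1 and the manual install/restore discussed in the comments through end to end on a desktop: it strips matching CA entries from a pulled cacerts.bks with the JDK ‘keytool’ and the BouncyCastle provider jar, backs up the device’s store, remounts /system read-write, pushes the curated file, and pulls it back to verify the write. Assumptions: a rooted Android 2.x device with ‘su’ and adb debugging, ‘keytool’ on the PATH, the BouncyCastle jar at bcprov.jar (override with BCPROV), the stock store password ‘changeit’, and the plain ‘mount -o remount’ form for /system; the keytool listing at the bottom is constructed for an offline self-check.

```shell
#!/bin/sh
# Added example (not from the post or the CACertMan source): curate an Android
# cacerts.bks with keytool + BouncyCastle, then install it over adb with a
# backup and a /system remount. Assumes a rooted 2.x device with 'su', a JDK
# keytool, and the BouncyCastle provider jar.
set -eu

STORE_PASS="changeit"                               # stock Android cacerts.bks password
BCPROV="${BCPROV:-bcprov.jar}"                      # BouncyCastle provider jar (assumed path)
DEVICE_STORE="/system/etc/security/cacerts.bks"     # location named in the post
BACKUP="cacerts.bks.orig"

# keytool with the BKS store type and the BouncyCastle provider wired in.
keytool_bks() {
    keytool "$@" -storetype BKS -storepass "$STORE_PASS" \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerpath "$BCPROV"
}

# Pure helper: read `keytool -list` output on stdin and print the aliases of the
# trusted-certificate entries whose name contains $1 (case-insensitive), one per line.
aliases_matching() {
    grep -i 'trustedCertEntry' | cut -d, -f1 | grep -i -- "$1" || true
}

# Delete every trusted-certificate entry whose alias matches the pattern (e.g. diginotar).
bks_delete_matching() {
    store=$1
    pattern=$2
    keytool_bks -list -keystore "$store" | aliases_matching "$pattern" |
    while IFS= read -r alias; do
        echo "deleting alias: $alias"
        keytool_bks -delete -alias "$alias" -keystore "$store"
    done
}

# Remount /system rw or ro through su. CACertMan looks up the block device with
# busybox for the older mount form; the plain remount below works on most 2.x
# ROMs, and 'adb remount' is an alternative when adbd itself runs as root.
remount_system() {
    adb shell "su -c 'mount -o remount,$1 /system'"
}

# Push a store to the device, fix its permissions, then pull it back and compare
# so a silently failed write (read-only /system, denied su) is noticed.
push_store() {
    new_store=$1
    remount_system rw
    adb push "$new_store" "$DEVICE_STORE"
    adb shell "su -c 'chmod 644 $DEVICE_STORE'"
    remount_system ro
    adb pull "$DEVICE_STORE" cacerts.bks.pulled
    cmp "$new_store" cacerts.bks.pulled && echo "installed and verified"
}

# Install a curated store, keeping a copy of the original so it can be restored.
install_store() {
    adb pull "$DEVICE_STORE" "$BACKUP"
    push_store "$1"
}

# Constructed sample of `keytool -list` output for an offline self-check; the
# aliases and fingerprints are made up and do not come from any real store.
SAMPLE_LISTING='Keystore type: BKS
Keystore provider: BC

Your keystore contains 3 entries

diginotar root ca, Sep 6, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
cnnic root, Sep 6, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
example trusted root, Sep 6, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11'

# Returns 0 when the alias parser behaves as expected on the constructed sample.
selfcheck() {
    [ "$(printf '%s\n' "$SAMPLE_LISTING" | aliases_matching diginotar)" = "diginotar root ca" ] &&
    [ -z "$(printf '%s\n' "$SAMPLE_LISTING" | aliases_matching verisign)" ]
}

case "${1:-}" in
    list)     keytool_bks -list -keystore "$2" ;;
    strip)    bks_delete_matching "$2" "$3" ;;      # strip cacerts.bks diginotar
    install)  install_store "$2" ;;
    restore)  push_store "$BACKUP" ;;
    check)    selfcheck && echo "parser ok" ;;
    *)        ;;                                    # no arguments: define functions only
esac
```

Typical use is `adb pull /system/etc/security/cacerts.bks`, then `strip cacerts.bks diginotar` (and again for any other alias you distrust), `install cacerts.bks`, and `restore` if anything breaks; `check` exercises the alias parser against the constructed listing without touching a device. Keeping the remount, the permission fix and the read-back in one function is what turns “save didn’t work” into a visible failure instead of a store that silently stayed unchanged.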

Download CACertMan v0.0.1-Alpha:

You can find the source project here:

Once we get confirmation that the app works for most people, we’ll place it in the Market and on our site for wider distribution.

Through these two approaches, we hope to mitigate the threats facing Android users who might encounter man-in-the-middle attacks enabled by the DigiNotar compromise. While many of you are presumably in “free” countries, we do know that many of our users of Orbot, Gibberbot and other software are not, and we hope this message can reach them.

28 comments for “CACertMan app to address DigiNotar & other bad CAs”

  1. Santiago.
    2011/09/05 at 4:17 pm

    Great work.

  2. Dave
    2011/09/05 at 9:02 pm

On the certs, do they redownload when you go to a website, or do they have to be on your phone already to be able to connect to the site? If so, would it be safe to delete all of them? I’m a noob at this situation at hand, thanks.

    • n8fr8
      2011/09/06 at 5:36 am

If you delete them all, you will get warnings at every https site. Many apps would also break. I don’t recommend you do that for now, until there is a more sophisticated “trust this cert” type feature.

  3. asksven
    2011/09/06 at 4:14 am

    I wanted to report a positive test on samsung sgs2 using vr2.4.2 (obviously rooted). Tested: backup, delete, save to original place.

  4. Desean
    2011/09/06 at 1:11 pm

    The APK works for me. Thanks.

  5. Aphex13
    2011/09/06 at 1:54 pm

    Works like a champ on Samsung Captivate running CM7. Thanks for looking out for us.

  6. arcane613
    2011/09/06 at 9:59 pm

apk installs fine..appears like it’s working on my Samsung GS2 but it does not. It backs up fine. If I choose save, it then says error reading… (permission denied) then it won’t load CA store anymore.

    Reboot phone, get gapp force close issues….that google apps error force close pops up every 30 seconds or so…

    Before and after reboot cannot save or restore it gives permissions denied error. this happens ONLY after hitting save the first time.

ROM is Cognition S2 1.5.1 with Ninphetamine 2.1.3 kernel. If there are logs you need, or further testing, feel free to contact me at my email….

    good idea on this app though…

    • arcane613
      2011/09/06 at 10:02 pm

      i actually couldn’t restore via the app either had to adb push cacerts.bks /system/etc/security/

      someone else with this phone works fine so it’s clearly rom or kernel related, but I couldn’t tell you which

      • Derek
        2011/09/06 at 10:32 pm

        since you’re getting a permissions problem, does your ROM provide root access? do you have the superuser apk installed to manage application root permissions?

        • arcane613
          2011/09/07 at 2:20 am

          i’m rooted for sure.

          setcpu running, overclocked and undervolted…but i don’t think that would cause the issue…

          just retried again, took screen shots..

          seems any time i choose restore or save…it gives the error…if I try save a second time it says it failed to load the KeyStore or something like that..for some reason I took ss of everything but the last error…

basically it seems to be issues with google app framework and gmail…so contacts/email..which is annoying…try clear data of both gmail, google framework services, delete and rebuild sync accounts, clear data on calendar, contacts, manually sync each item that syncs with push…all items sync, no error…but after syncing errors start popping up in random orders…lol..

          only thing to fix it is restoring original file…

          cognition is samsung 2.3.4 based, so not AOSP which I would guess might be the main source of the issue.

          i could still be overlooking something, i am relatively new to the android os….

          • Derek
            2011/09/07 at 3:48 pm

            thanks for documenting! similar to Michael’s question (see below), this could potentially be a write issue with the /system partition on your ROM. please try mounting /system from Recovery and then pushing the updated certs.bks file to the appropriate location.

  7. Phil
    2011/09/06 at 10:38 pm

    Works for me.
    s-off desire on LeeDroid 3.3.3

  8. Michael
    2011/09/07 at 11:39 am

    Does this work on devices where you have root, but no access to the /system partition as it is locked other than in recovery (e.g. HTC Desire)?

    • n8fr8
      2011/09/07 at 11:58 am

      No it requires the ability to mount the /system partition in read/write mode. We will update our readme and check code to verify that.

      • Michael
        2011/09/07 at 1:34 pm

        OK, thanks. I used the ‘manual’ method described above and it worked a treat. Cacertman can still be used to check it worked though. Cheers.

        • n8fr8
          2011/09/07 at 2:50 pm

          Actually, if the manual method worked, then it means we CAN mount your /system read-write, but you must not have the ‘busybox’ binary installed on your ROM. We use that to look up the proper device for mounting. We can actually update our app to try the same command in the manual operation in case busybox doesn’t exist. Look for this in the 0.0.3 update!

          • Michael
            2011/09/07 at 3:20 pm

            Ahh, I should have explained it better. I booted into Clockwork recovery and then mounted the /system partition for write access from the menu. Then I used adb to push the update.

  9. Chad
    2011/09/07 at 10:00 pm

    Works like a champ: HTC Incredible, CM7 nightly 180. Only problem I had was a little user error. 🙂

  10. Chad
    2011/09/07 at 10:04 pm

    Works like a champ: HTC Incredible, CM7 nightly 180. No errors; just installed and deleted the diginotar certificate. Only problem I ran into was a little user error. 🙂

  11. Franck
    2011/09/14 at 8:04 pm

    Diginotar removed from my desire
    Xj miui 1.9.9 & Manu 2.0 kernel

  12. Kbt
    2011/10/20 at 3:45 pm

    It’s great.

An extra function for version 0.2 could be “add CA certificate”.

  13. Pog
    2011/10/23 at 12:24 pm

    works fine on an Alcatel OT-990 Orange (non rooted). Waiting for a UserCertMan for .p12 files.
    Best Regards

  14. 2012/01/13 at 10:52 am

    This works great on my SGS!

    Can you port it to the Nokia N9 too?

    As you might know, it uses Qt for the interface, has Busybox and you can get root on it by something as easy as enabling developer mode (it’s in the settings; devel-su is used to run things as root, “rootme” is default password, but I have changed it, as everybody should).

    CA certs are stored in /etc/ssl/certs as individual .pem files, and there’s .0 files too (don’t know what they do). All with hexadecimal names. I want to be able to disable CNNIC and some others (I suggest doing it by just moving the files to /etc/ssl/certs/.disabled or /etc/ssl/disabledcerts).

    • n8fr8
      2012/01/15 at 10:50 am

      We actually have two members of our team who are Nokia N9 fans and users. However, we unfortunately have limited time and resources, and for now, we must focus on Android, because it is the most widely used open-source mobile platform. Our goal is to reach as many people as possible, even though there are some better and more truly open mobile platforms out there.

  15. Johannes
    2014/01/08 at 8:44 am

    It doesn’t seem to work on recent android. True?

    • Hans-Christoph Steiner
      2014/01/08 at 11:49 am

      yes, it is no longer needed in Android 4.x since Android now has the same functionality built-in.

  16. Robert
    2016/06/22 at 4:57 am

    I would like to use CACertman, but the link to the app is no longer valid. I found the app’s on some sites but the question is if someone has tempered with the code.
    Could you please give me a link to the correct download, or send me the file via email?

    Thanks in advance.

    • Hans-Christoph Steiner
      2016/07/25 at 5:46 am

      It is only useful on very old devices. Anything running Android 4.0 or newer has this functionality built-in. You can download it from Google Play or
