A slightly more vetted version of the Android CACert keystore
Java Shell Makefile
Switch branches/tags
Nothing to show


Guardian Project CA Bundle for Android

In response to growing concerns about the less-than trustworthy state of the global Certificate Authority ecosystem, we have decided to began curating our own CACert keystore for use on Android devices.

This certificate bundle contains all the CAs from the Mozilla CA Certificate Store as obtained through Debian's ca-certificates package.

TODO: How to use the pinned certificate store?

Projects using this cacert

  • NetCipher - strong TLS verification and proxy library for Android


We rely on Debian's tool to parse the Mozilla trust database and output PEM encoded certificates, which we then combine into a keystore ready for inclusion in Android.

    git submodule update --init --recursive

The resulting keystore will be in stores/debiancacerts.bks ready to be imported into an Android project.

Add it as a raw resource to your project, then use something like the following to load it:

    mTrustStore = KeyStore.getInstance("BKS");
    in = mContext.getResources().openRawResource(R.raw.cacerts);
    mTrustStore.load(in, new String("changeit").toCharArray());

Relevant Reading


We would like to ack Open WhisperSystems as an inspiration for this, as they were able to push out a small patch through their WhisperCore update tool in order to modify the keystore to remove DigiNotar.