Skip to content
A slightly more vetted version of the Android CACert keystore
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.tx add config file for Transifex's tx tool Aug 21, 2013
app add new translations: cs de el es fr ja pl pt_PT ru sl sv Apr 25, 2017
ca-certificates @ 4771bbe pin project to mozilla's certificate store via debian May 31, 2013
libs update to support Android 15+ and bks-v1 certs and latest keytool Nov 2, 2015
pinnedCerts added "gmail.com" cert from XMPP into pinned store Nov 5, 2012
stores
.gitignore ignore Android build products Aug 21, 2013
.gitmodules use official url for anonymous Debian git: anonscm.debian.org Jul 23, 2013
CHANGELOG added CACert.org Class3 Root CA Sep 6, 2011
DEVELOPERS
INSTALLATION adding first simple install info Sep 1, 2011
KEYTOOL
Makefile
README.md
ca-certificates-maintainer-Michael-Shuler.pub.asc pin project to mozilla's certificate store via debian May 31, 2013
pemsToAndroid.sh update to support Android 15+ and bks-v1 certs and latest keytool Nov 2, 2015
setup-ant.sh add script to set up 'ant' for the Jenkins auto-builds Jul 23, 2013

README.md

Guardian Project CA Bundle for Android

In response to growing concerns about the less-than trustworthy state of the global Certificate Authority ecosystem, we have decided to began curating our own CACert keystore for use on Android devices.

This certificate bundle contains all the CAs from the Mozilla CA Certificate Store as obtained through Debian's ca-certificates package.

TODO: How to use the pinned certificate store?

Projects using this cacert

  • NetCipher - strong TLS verification and proxy library for Android

Usage

We rely on Debian's tool to parse the Mozilla trust database and output PEM encoded certificates, which we then combine into a keystore ready for inclusion in Android.

    git submodule update --init --recursive
    make

The resulting keystore will be in stores/debiancacerts.bks ready to be imported into an Android project.

Add it as a raw resource to your project, then use something like the following to load it:

    mTrustStore = KeyStore.getInstance("BKS");
    in = mContext.getResources().openRawResource(R.raw.cacerts);
    mTrustStore.load(in, new String("changeit").toCharArray());

Relevant Reading

Credits

We would like to ack Open WhisperSystems as an inspiration for this, as they were able to push out a small patch through their WhisperCore update tool in order to modify the keystore to remove DigiNotar.

You can’t perform that action at this time.