What Trusted Root CAs are included in Android by default?

There doesn't seem to be a central Android resource that lists the Trusted Root CAs included in the OS or default browser (related question on SO), so how can I find out which are included on my phone by default? With the number of root certificates that have been compromised, and the number of fraudulent SSL certs created over the last couple of years, this is an issue for anyone relying on SSL for security, as otherwise you won't know if you want to remove any trusted CAs. (not listing my manufacturer or OS version as I'm looking for a generic resource or solution that should be applicable to any device)

asked Jul 26, 2012 at 13:47

I have used this app (root required) to list and delete individual root certs: CACertMan or on Play Store. The guardian project also maintains an edited version of the standard keystore: github.com/guardianproject/cacert

Commented Jul 26, 2012 at 14:02

Play Store link in previous comment is wrong - Here's the right one: Play Store

Commented Jul 26, 2012 at 14:38

@Michael: Thanks for the hint, seems I messed up with my copy/paste buffer (leaving the comment, as you and eldarerathis both provided the correct one)

Commented Jul 26, 2012 at 14:44

1 Answer

On ICS or later you can check this in your settings. Go to Settings->Security->Trusted Credentials to see a list of all your trusted CAs, separated by whether they were included with the system or installed by the user.

Earlier versions of Android keep their certs under /system/etc/security in an encrypted bundle named cacerts.bks which you can extract using Bouncy Castle and the keytool program. The summary is to first pull the bundle using adb (you need a root shell) then you can use Bouncy Castle to list the contents of the bundle:

shell~$ adb pull /system/etc/security/cacerts.bks
shell~$ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list

There's also at least one app that you can try if you'd prefer not to use the shell: CACertMan (requires root to modify the list, but should allow you to view the list without root). I believe it came about due to the DigiNotar fiasco since there were no particularly easy ways for a user to revoke the cert at the time. Since the certs are stored differently on ICS and later this app will only work on devices running Gingerbread (or earlier), but it is obsolete on ICS/JB anyway.
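For the ICS-and-later layout the answer alludes to, here is an added example (not from the answer or from CACertMan) that inventories a pulled trust store and flags roots that differ from a baseline you recorded earlier. It assumes the files were copied off the device with `adb pull /system/etc/security/cacerts ./cacerts`, where each file holds one PEM certificate followed by an `openssl x509 -text` dump; the file name `3ad48a91.0` and the baseline fingerprints in the comments are constructed placeholders.

```python
"""Inventory an Android system trust store and diff it against a baseline.

Assumes the files came from: adb pull /system/etc/security/cacerts ./cacerts
(one PEM certificate per file, followed by an 'openssl x509 -text' dump).
Fingerprints are SHA-256 over the DER bytes, the form most CA lists publish."""
import base64
import hashlib
import os
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text):
    """Decode the first PEM block in text; the -text dump after it is ignored."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der):
    """SHA-256 fingerprint as colon-separated upper-case hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_dir(cacerts_dir):
    """Read every file in the pulled directory into {filename: text}."""
    files = {}
    for name in sorted(os.listdir(cacerts_dir)):
        with open(os.path.join(cacerts_dir, name), errors="replace") as fh:
            files[name] = fh.read()
    return files


def inventory(files):
    """Map each file name (e.g. constructed '3ad48a91.0') to its fingerprint."""
    return {name: fingerprint(pem_to_der(text)) for name, text in files.items()}


def diff_against_baseline(inv, baseline):
    """Return (unexpected, missing): fingerprints present on the device but not
    in the baseline set, and baseline roots the device no longer carries."""
    present = set(inv.values())
    return present - baseline, baseline - present


if __name__ == "__main__":
    for name, fp in inventory(load_dir(sys.argv[1] if len(sys.argv) > 1 else "cacerts")).items():
        print(name, fp)
```

Save the printed fingerprints from a freshly flashed device as your baseline; `diff_against_baseline` then tells you which roots an OEM update, a user or a management profile added or removed.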