Cert-Fixer - Installing CA Certificates in System Store for Android 14+

Aug 2024

Cert-Fixer is a Magisk module that installs custom CA certificates to Android's system certificate store. To install system CA certificates using Cert-Fixer, you first install Cert-Fixer as a module in Magisk, install your custom CA certificates under the user certificate store, and reboot. Cert-Fixer will copy all your user CA certificates to the system certificate store during boot up. Cert-Fixer is tested against Android 14 and 15 (API 34 and 35). This article is a step-by-step guide for installing custom CA certificates on the system store of Android 15 (API 35).

Cert-Fixer

Overview

  1. Create AVD Emulator: Pixel 8 Pro, Android 15 (API 35)
  2. Root the Emulator
  3. Install Cert-Fixer
  4. Install Custom CA Certificates

Creating AVD Emulator: Pixel 8 Pro, Android 15 (API 35)

Let's use Virtual Device Manager from Android Studio to create the AVD Emulator. In Virtual Device Manager, you can create two types of devices. (1) Devices that have Google Play Store support, and (2) Devices that do not have Google Play support. We will choose a device without Google Play Support as it makes it a lot easier to root the device.

The default Hardware Profiles of Android 14+ devices in Virtual Device Manager all have Play Store support. However, you could simply clone one of the devices to create a profile without Play Store support.

Select the newly created device profile (that does not have Play Store), choose API 35, and create a new device.

Start the device and make sure it works.

Root the Emulator

We will use rootAVD to root our device. While the device is running, execute rootAVD to root your device. 

# Download rootAVD from gitlab and unzip
wget https://gitlab.com/newbit/rootAVD/-/archive/master/rootAVD-master.zip
unzip rootAVD-master.zip 
cd rootAVD-master

# List all the available AVDs
./rootAVD.sh ListAllAVDs

# Choose your AVD and root it
# In my case, the AVD is system-images/android-35/google_apis_ps16k/x86_64/ramdisk.img
# Note that its `android-35/google_apis_ps16k` and not `android-35/google_apis_playstore` because we do not have Play Store
./rootAVD.sh system-images/android-35/google_apis_playstore/x86_64/ramdisk.img

After successful rooting, rootAVD will shut down your emulator. Otherwise, shut it down manually. Once the emulator is shut down, start it using Cold Boot.

Its at most important to start your device using Cold Boot in this step. If you boot it normally, your device will not be rooted.

After Cold Booting, once the device is up, open Magisk in your device. You might have to do some updates. Ensure that the Magisk version is the latest. Otherwise, Cert-Fixer installation will fail with an error Please install Magisk v20.4+!.

Notes:

  • After updating the 'App', Magisk asked me for 'Additional Setup'. I ignored this pop-up, and things were fine for me.
  • For updating 'Magisk', use the recommended 'Direct Install' method.

Complete all Magisk updates and reboot the device. Then you are ready to install Cert-Fixer.

Install Cert-Fixer

Copy the latest version of Cert-Fixer to the device. 

# Download Cert-Fixer
wget https://github.com/pwnlogs/cert-fixer/releases/download/v1.0/Cert-Fixer.zip

# Copy Cert-Fixer to the device
# Note: You might have to correct the destination path in the following command.
#       /storage/emulated/0/Download/ is usually the Downloads folder of the SD card.
adb push Cert-Fixer.zip /storage/emulated/0/Download/

Open Magisk and install Cert-Fixer from the modules page.

Ensure successful installation of Cert-Fixer. If you encounter an error, please copy the Cert-Fixer log file (/data/local/tmp/cert-fixer.log) from the device and create an issue on Cert-Fixer.

Install Custom CA Certificate

To install a custom CA, download your certificate to the device, and install it through the device settings. If you are trying to install the Burp Suite certificate, you can simply download it from its proxy page (http://burp/) or export it from proxy settings as shown below: 

# Copy the certificate to the device
adb push burp-cert.der /storage/emulated/0/Download/

Once you have copied the certificate to the device, open settings and search for 'install a certificate'. Under this menu, you can install the certificate under the user certificate store.

Once you have installed the CA certificate in user store, verify the installation.

Once the user certificate installation is completed and verified, reboot the device. During the reboot, Cert-Fixer will copy your CA certificate from the user store to the system certificate store.

Verifying the Installation under System Certificate Store

Once the device is rebooted, you can verify the custom CA certificate installation under the system certificate store.

The end
Designed, Developed, and Authored by Jithin Pavithran
Other Articles
Cert-Fixer - Installing CA Certificates in System Store for Android 14+
Parsing SSH Private Keys, Public Keys, and Certificates
Privilege Escalation through Race Condition
Safe Development with LXC
Advanced Proxy Extension for Burp Suite
SSH Port Forwarding
OAuth 2.0 Flows
Docked-VPN - A Docker-based proxy with VPN support
Working on and off VPN simultaneously (Linux)
NTLM in one diagram
D-TIME
A closer look at sockets and TCP/IP
Ethical Hacking Workshop
High bandwidth cache-based covert channel attack
Privilege Escalation Attack - Linux (CVE-2017-0358)
Matrix Layer Rotation
Easy NPTEL