In principle, shoguevara and I have been wondering for quite some time about installing a root certificate on an Android device, and even found a couple of not very trivial instructions, but there was no need for such an action before. The need appeared after the acquisition of an Android tablet.
A little background:
Our office uses Citrix XenApp to provide remote work from the office. What kind of beast it is and what it is eaten with we will not tell here - those who need it have long been aware.
In this joint post, we want to talk about installing the root certificate and setting up the client part, Citrix Receiver for Android.

In principle, the client is not the poorest - you can use it, and if you are somewhere on a trip and have only an Android phone or tablet at hand, it is the only way to quickly connect and fix something through a work computer.
It seems that the software is not particularly tricky, and the settings do not require much, and if you use the web interface to launch applications, as is done in our organization, then absolutely no ...
But not everything is so cloudless!
What kind of problems could arise?
To organize this kind of remote access architecture, certificates signed by non-standard certification authorities are often used. Why Google did not include in its OS such a simple function as installing additional root CA certificates (along with another necessary function, the ability to set a proxy server), we are not going to discuss here.
The first sign that the server uses a self-signed certificate is that when you open the web resource from anywhere using, for example, the Mozilla Firefox browser, the program displays a message that it cannot decide whether to trust the certificate presented for the secure connection, and leaves the choice to you.
If you have such a picture, then this article is just for you!
So what does it take to run applications published on your enterprise's Citrix XenApp through Citrix Receiver?
First of all, as it turned out, you need to install Mozilla Firefox for Android. It's very strange, but no other browser passes the file (launch.ica) needed for the connection to the client program. We only know that everything works fine with Firefox.
Secondly, the client program itself is needed. Here on the Android Market we have a choice: the stable Citrix Receiver, or Citrix Labs Receiver, which is in the testing phase. The second one would not accept the certificate for us in any way; the first one, the stable one, did work for us after a sleepless night.
Thirdly, you need to have root access to your device, or the ability to extract and write back files via adb, although in this case you also need root access (you can learn how to configure it by spending a little time looking through the results Google gives for a query like "<your device name> root access howto" or "<your device name> adb configure howto").
We didn’t bother with the adb setup question, since we prefer to work with the system directly through file managers. In any case, there is quite a lot of information on this subject on the net (the Russian-language resource with the most information of this kind is http://w3bsit3-dns.com.ru/forum , an English-language resource is http://forum.xda-developers.com ). If you use direct access to system files, then you need a file manager that can use root rights (for example, Root Explorer).
Fourth, we need a machine with any of the popular Linux distributions and an installed Java machine from Oracle (we used Ubuntu 10.10 with an installed JRE).
And last but not least, the root certificate of the certification center itself (let it be called CompanyCA.crt).
From the requirements (if all of them are fulfilled) go to action.
For convenience, we will list all the points.
1. Go from the device to the Android Market and install Firefox.
2. Go to the device on the Android Market and install Citrix Receiver.
3.1.1 (3.1.x for those who prefer direct access) Using the file manager, copy the /system/etc/security/cacerts.bks file to the SD card.
3.1.2 We connect the device as a drive to a computer with Linux.
3.1.3 Copy the cacerts.bks file from the root of the card to your home folder.
3.2.1 (adb) copy the certificate
$ adb pull /system/etc/security/cacerts.bks cacerts.bks
4. This step assumes that you have already installed and configured JRE 1.6 and that the environment variable JAVA_HOME is set (in my case JAVA_HOME=/usr/lib/jvm/java-6-sun/).
Download the bouncycastle.org/download/bcprov-jdk16-146.jar package and drop it into the $JAVA_HOME/jre/lib/ext/ folder.
If you have a JDK installed, then this package should also be dropped into the /usr/lib/jvm/java-6-openjdk/jre/lib/ext folder.
wget bouncycastle.org/download/bcprov-jdk16-146.jar
sudo cp bcprov-jdk16-146.jar $JAVA_HOME/jre/lib/ext/bcprov-jdk16-146.jar
# sudo cp bcprov-jdk16-146.jar /usr/lib/jvm/java-6-sun/jre/lib/ext/bcprov-jdk16-146.jar
5. We put the certificate file CompanyCA.crt in the home folder as well. If you do not have it, but you agreed to accept the certificate when you opened the XenApp web interface, then you can export it from Firefox. How to do this, Google will tell you. We can only clarify that you need the X.509 certificate in PEM encoding.
6. Download and install the Android SDK (if you do not plan to use adb, you can skip this step):
wget dl.google.com/android/android-sdk_r10-linux_x86.tgz
tar -xvzf android-sdk_r10-linux_x86.tgz
sudo mv android-sdk-linux_x86 /usr/lib/android-sdk-linux_x86
We do not need to run anything from the kit for our task. But you need to add the SDK executables to the environment variables: export PATH=${PATH}:/usr/lib/android-sdk-linux_x86/tools.
In our case, the issue with environment variables is solved by adding these lines to the end of the ~/.bashrc file.
export PATH=${PATH}:/usr/lib/android-sdk-linux_x86/tools
export JAVA_HOME=/usr/lib/jvm/java-6-sun/jre
7. Open the console and execute the command.
keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias CACERT -file CompanyCA.crt
Be careful - do not change the parameter -storepass changeit, there really is such a password.
In response to this command, you should receive information about the certificate and the prompt "Trust this certificate? [no]:" - accordingly, answer "y".
That's it, our file is prepared. Now you need to upload it to your device.
8.1.1 (direct access) Connect the device as a drive to the computer;
8.1.2 Copy the cacerts.bks file to the card;
8.1.3 Using the file manager, move cacerts.bks from the /sdcard folder to the /system/etc/security/ folder, having first remounted it for writing;
8.2.1 (adb) Remount the system for writing:
$ adb shell mount -o remount,rw /system
8.2.2 Upload the file:
$ adb push cacerts.bks /system/etc/security/
8.2.3 Remount the system read-only:
$ adb shell mount -o remount,ro /system
That was the hard part. Only a couple of simple tricks remain.
9. Reboot the device.
10. Launch Firefox and open the web access page.
A picture like this will appear:

Here we need to click on the “Already installed” link at the top of the screen;
11. Select the application from the list and try to start;
12. Profit!
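Step 5 takes the CA certificate from whatever source is at hand, including a Firefox export, and step 7 makes it trusted device-wide, so the file is worth checking before the import. The following is an added example, not part of the original instructions: it confirms that the file holds exactly one PEM certificate and compares its fingerprint, formatted as colon-separated hex like the fingerprints keytool shows before its trust prompt, with a value obtained from the CA administrator over a separate channel. The function names, the expected-fingerprint workflow and the sample bytes are assumptions made for the illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_certificates(text):
    """Return the DER bytes of every certificate block found in PEM text."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(text)]

def keytool_fingerprint(der, algo="sha256"):
    """Digest of the DER bytes as colon-separated upper-case hex (algo may be 'sha1')."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_before_import(pem_text, expected_fp, algo="sha256"):
    """Return (matches, actual_fingerprint) for a file that is about to be imported.

    Raises ValueError if the text is not exactly one PEM certificate, which
    catches a DER export, an empty file, or a whole chain saved by mistake.
    """
    certs = pem_certificates(pem_text)
    if len(certs) != 1:
        raise ValueError("expected exactly 1 PEM certificate, found %d" % len(certs))
    der = certs[0]
    if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    actual = keytool_fingerprint(der, algo)
    wanted = "".join(expected_fp.split()).upper()
    return actual == wanted, actual

# Constructed stand-in bytes (a tiny DER SEQUENCE), not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # In real use: pem_text = open("CompanyCA.crt").read(), and the expected
    # value comes from the CA administrator, not from the same download.
    expected = keytool_fingerprint(SAMPLE_DER)
    ok, actual = check_before_import(SAMPLE_PEM, expected)
    print("SHA256:", actual, "-> import" if ok else "-> do NOT import")
```

Keeping an untouched copy of the original cacerts.bks pulled in step 3 lets the device's trust store be restored later.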
In preparing the instructions, the following resources were used:
http://wiki.cacert.org/ImportRootCert#Android_Phones
http://blog.dest-unreach.be/2010/05/03/installing-an-additional-x-509-root-certificate-on-android
http://bouncycastle.org/
As a bonus - a useful utility for working with certificates (Java):
http://portecle.sourceforge.net