I had recently swapped from a Motorola Droid1 to a Motorola Droid2, and was hit with an issue that was a bit perplexing.

It seems that accessing services (Citrix) and sites which use an SSL certificate issued by GeoTrust resulted in a notification that the RootCA is not trusted. These same sites and services worked fine on my Droid1, so something must be different with the default certificates that were shipped with the devices.

The certificates that are currently installed on the phone are found in the /system/etc/security/cacerts.bks file.

I had copied the cacerts.bks file to my PC, and investigated what certs from GeoTrust/Equifax were contained in there. It seems that the RootCA cert was not the correct one, so I downloaded the latest one from the GeoTrust site and added it to my cacerts.bks file. If you do not know how to add certificates to your Android phone, please follow the directions below.

You will need to be on a Rooted phone to update the file on your system.

  1. Download the cacerts_wGeoTrustRoot.zip file which has the latest GeoTrust cert in it.
  2. Extract cacerts.bks from the Zip file in step 1.
  3. Simply use your Root file manager of choice (Astro, SUFBS, Root Explorer, etc) and backup or rename your /system/etc/security/cacerts.bks file. (Remember to set your system to RW)
  4. Copy the cacerts.bks file from step 1 into the /system/etc/security directory on your phone.
  5. Reboot the phone, and those sites and services should now be trusted and work.

This same update might work on the DroidX as well, but I cannot confirm.  I used the instructions posted here for others who might want to update their own cacerts.bks files.
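An added example, not part of the original post: before swapping in a replacement cacerts.bks, compare its certificate entries against the stock file so you know exactly which roots were added or dropped. This sketch parses two `keytool -list` text listings (the samples are constructed, with made-up aliases and fingerprints) and matches entries by fingerprint, since aliases can be renumbered between stores.

```python
import re

# Assumed source of each listing (not from the original post):
#   keytool -list -keystore cacerts.bks -storetype BKS \
#       -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
#       -providerpath <path-to-bcprov.jar> -storepass <store-password>
ENTRY = re.compile(
    r"^(?P<alias>[^,\n]+),\s.*?trustedCertEntry,?\s*\n"
    r"Certificate fingerprint \((?P<algo>[^)]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)",
    re.MULTILINE,
)

def parse_listing(text):
    """Map normalized fingerprint -> alias for every trusted cert entry."""
    return {m["fp"].upper(): m["alias"].strip() for m in ENTRY.finditer(text)}

def diff_stores(stock_text, replacement_text):
    """Report roots added to / removed from the replacement trust store."""
    stock, repl = parse_listing(stock_text), parse_listing(replacement_text)
    return {
        "added": {fp: repl[fp] for fp in repl.keys() - stock.keys()},
        "removed": {fp: stock[fp] for fp in stock.keys() - repl.keys()},
        "kept": len(stock.keys() & repl.keys()),
    }

# Constructed sample listings; fingerprints are placeholders, not real CAs.
STOCK = """Keystore type: BKS
Your keystore contains 3 entries

0, Jan 1, 2010, trustedCertEntry,
Certificate fingerprint (MD5): A1:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
1, Jan 1, 2010, trustedCertEntry,
Certificate fingerprint (MD5): B2:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
2, Jan 1, 2010, trustedCertEntry,
Certificate fingerprint (MD5): C3:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03
"""
REPLACEMENT = """Keystore type: BKS
Your keystore contains 3 entries

0, Feb 2, 2011, trustedCertEntry,
Certificate fingerprint (MD5): a1:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
1, Feb 2, 2011, trustedCertEntry,
Certificate fingerprint (MD5): C3:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03
2, Feb 2, 2011, trustedCertEntry,
Certificate fingerprint (MD5): D4:00:00:00:00:00:00:00:00:00:00:00:00:00:00:04
"""

if __name__ == "__main__":
    for kind, entries in diff_stores(STOCK, REPLACEMENT).items():
        print(kind, entries)
```

Any entry reported as added should be checked against the fingerprint the CA itself publishes, and any entry reported as removed will stop being trusted once the file is installed.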

I had tried tools like the droidCert tool with no success, but this could be that I was adding a RootCA cert. I see there is a current feature request for better certificate management filed on the Google code site, so hopefully this will not be as painful in the future.

Android really does need better certificate management if it hopes to be adopted by enterprises who have their own private RootCAs.

Update: I was informed that GeoTrust RootCA was added in Android 2.3 as per this link.  So this should only be affecting lower revision OS’s.

  • Phazed

    I had the same problem when I updated my Access Gateway certs, but after following the directions and confirming the file size of the current /system/etc/security/cacerts.bks file, I'm still getting SSL/TLS error "You have chosen not to trust GeoTrust SSL CA" bla bla… I told the receiver to trust it and rebooted the phone a second time. Any ideas?

    • Jef

      Did you remove the original cacerts.bks or just rename it to another file ending in bks? Be sure the capitalization is correct?

      I recently flashed the 3.0.0 release and all I had to do was the steps above. I used the SUFBS file manager to set the system to RW, copy the new file overwriting the existing, set it to RO and rebooted.

      • Phazed

        I'm only using the plain receiver, I saw the one for the labs, but I didn't download it.

        I did all of this from the terminal (as SU) from SUFBS. I did a chmod 777 for the original file, copied it elsewhere, made sure it was there, then rm'ed the copy from /etc/security. Then I copied the file from the SD card into the /etc/security folder and set the chmod back to 644 (I think it was?). Rebooted the phone from the command line… also powered the phone off and booted it back up after the first shot didn't take.

        As for the case, I think it's all lowercase. The file size that's in the security folder is 60.82k (same as the file on the sd card) and the original is 64.14k

        • Jef

          I didn't use CHMOD at all, as I literally just copied the file from my SDcard to the System/etc/security location via the Edit menu options.

          1 – Enabled RW on System
          2 – Navigated to SDcard location of file and long pressed and used Copy option from Edit menu
          3 – Navigated to System location and long pressed and used Paste from Edit Menu
          4 – Enabled RO on System
          5 – Rebooted Phone
          6 – Citrix worked again.

          Want to email me your original file? Since mine was 60.82 and yours is larger maybe there is a difference? I can add the GeoTrust cert to that one.

          • Phazed

            Wish I still had it to send you… I put the new nebula rom on my phone and kinda wiped it out 🙁 I did try your steps again with the certs file and not doing the chmod or anything– damn thing still won't trust it :/ I'm going to put in a rom request to have the new CAs integrated… or just wait until 2.3 🙂 Thanks for your help!

    • Jef

      Also I assume when you said "Receiver" you meant the Citrix Receiver? Did you try both versions on the marketplace? There is the regular one called "Citrix" and the other called "Citrix Labs". Both work for me however.