Scenario

You use your own Exchange 2010 server with a self-signed certificate. So you need your root certificate to be copied to the client before you can access the server.

Same with Android 4.x, but a quite useless “feature” was implemented with this main version: If you copy and install your certificate the common way (so it gets into the user certificates folder), you get some restrictions for your lockscreen – e.g. you must a password to unlock your screen, even if this isn’t enabled in your Exchange server’s policy.

Workaround

Android is a bit stricter with self-signed (root) certificates, so we have to copy it into the directory where the pre-installed certs reside. Please note: 4.0? (and before?) handles certificates another way, please see this blog instead. This explanation however is for 4.1.

Prerequisites: Rooted phone.

First install your CA certificate the usual way, e.g. send via Bluetooth and copy it to the root of your interal memory card.

Then copy it from /data/misc/keychain/cacerts-added/[yourcertfilename] to /system/etc/security/cacerts. This is a bit tricky because you do not have write permissions to the system partition by default. Maybe there is a root capable explorer app which can re-mount the partition itself (haven’t heard of such one yet), I did it via “adb” anyway.

You can get adb from the Android SDK, you can then run it from Windows command line like “adb shell” and you get access to your phone with usual Linux commands.

Connect your phone, start “adb shell”, run “su” and then re-mount the /system partition like it is explained here (nearly at the page bottom).

If copying succeeded, remove the certificat from the personal store (the original directory) and reboot your phone.

If you still have problems with using non-secure lockscreen options, remove your Exchange account from the phone, check if there are any device administrators left (if yes, delete them), and press settings->security->remove permissions. Then reboot your phone, reconfigure your Exchange account and everything should work fine.

 

Reference

Share This:

  [email protected]