Android Citrix Receiver – Import Private Root Certificate

You might get an SSL/TLS error when connecting to XenApp/XenDesktop through CGW or SG. This could be because the root certificate you use is not trusted by Android.

Android smartphones and tablets do not trust every root certificate authority by default, and some enterprises want to use their own root certificates.

We can import the required certificates into the device's certificate store using the procedure below.

– You will need adb from the Android SDK to make this change; download it from http://developer.android.com/sdk/index.html

– Pull the root certificate store from the Android device’s file system

  • C:\android-sdk-windows\platform-tools> adb pull /system/etc/security/cacerts.bks cacerts.bks
– Import your private root certificate into the certstore you just downloaded from the Android device. To manipulate the keystore, download the Java archive http://www.bouncycastle.org/download/bcprov-jdk16-145.jar and copy it to “c:\Program Files\Java\jre6\lib\ext”.
– Using keytool from the JRE, the command below imports the certificate into the certstore downloaded from the Android device.
  • C:\Program Files\Java\jre6\bin>keytool.exe -keystore <path to downloaded cert store from Android device> -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -alias DJ_ROOT -file <path to the private root certificate>
  • Say “Yes” to “Trust this Certificate”
– The system partition of the Android device is mounted read-only. Remount it read-write so that the modified certstore can be pushed back to the device:
  • C:\android-sdk-windows\platform-tools>adb shell
  • # su
  • # mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
  • # exit
  • # exit
  • C:\android-sdk-windows\platform-tools>adb remount
  • C:\android-sdk-windows\platform-tools> adb push <path to modified cert store of Android device> /system/etc/security/
– Start Citrix Receiver; it should now connect without any warnings or errors.
Enjoy the ICA experience.
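
A check to run on the certificate file before the keytool import step above, as an added example that is not part of the original post: it confirms the file parses as X.509 with issuer equal to subject (a self-issued root) and returns the SHA-1 and SHA-256 fingerprints, so they can be compared with what keytool displays before the “Trust this Certificate” prompt and with the value supplied by whoever runs the private CA. The function names and the unsigned sample certificate are constructed for illustration.

```python
import base64
import hashlib

PEM_BEGIN, PEM_END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"

def to_der(data):  # accept PEM or DER bytes, return the DER encoding
    if PEM_BEGIN in data:
        body = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def inspect_root(data):
    """Report whether issuer == subject, plus fingerprints to compare by hand."""
    der = to_der(data)
    tag, start, end = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    tag, pos, end = read_tlv(der, start)      # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < end:
        tag, vstart, vend = read_tlv(der, pos)
        fields.append((tag, der[pos:vend]))
        pos = vend
    if fields and fields[0][0] == 0xA0:       # optional [0] EXPLICIT version
        fields = fields[1:]
    if len(fields) < 5:
        raise ValueError("not an X.509 certificate")
    issuer, subject = fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject
    colon = lambda h: ":".join(h[i:i + 2] for i in range(0, len(h), 2)).upper()
    return {"self_issued": issuer == subject, "sha1": colon(hashlib.sha1(der).hexdigest()),
            "sha256": colon(hashlib.sha256(der).hexdigest())}

def _tlv(tag, value):  # builder for the constructed sample below (short lengths only)
    return bytes([tag, len(value)]) + value

def sample_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton: parseable structure, not a real cert."""
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + name(issuer_cn) + _tlv(0x30, b"") + name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

On a real file, call `inspect_root(open(path, "rb").read())`; a result with `self_issued` false means the file is an intermediate or server certificate rather than the root you intended to trust.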

  • hey,

    I’ve got an error when trying to run keytool to add my cert to the store:
    keytool error: java.io.IOException: KeyStore integrity check failed.

    any ideas?

    I run:
    # keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass android -importcert -alias DJ_ROOT -file dev_ssl_cert.crt

    • Rajeev

      Hi Mike,

      I suspect this would be because the exported certstore is damaged. Did you try to export it again?