14

I was trying to use the Packet Capture app to find out some URLs used by an app. Packet Capture allows you to capture SSL packets by installing a VPN Gateway with its own root CA certificate and then channeling app requests through that gateway. However, when I try to generate the certificate from within the app (on my Galaxy Note 8), I just get the error "Cannot create certificate". I don't know why this is, as the app doesn't give any further explanation, but this means I can't use SSL capture in the app.

The app does have another way to just import an existing CA certificate, known as "Import PKCS#12 file". However, I need to generate the PKCS#12 file myself to use this, and I'm not sure how to do this.

What I did so far: I installed the app "Dory". Then I tried creating a public/private keypair, CSR and root CA certificate, all the time setting the passphrase and alias to "abc". But when I tried to import the p12 file to Packet Capture, it just said "java.lang.RuntimeException: Cannot load key. Password might be wrong." I must have done something wrong; what should I be doing next?

Kidburla
  • 2
    I didn't find any solution to this directly (didn't find any way to generate a certificate for use with Packet Capture), but in case others have the same question, I switched from Packet Capture to an app called HttpCanary, which doesn't have the same problem with generating certificates directly inside the app. It provides similar features to Packet Capture and works well for me. – Kidburla Jul 12 '20 at 16:33

2 Answers

10

I had some issues with this after the Android 11 update. Android 11 no longer allows you to add certificates from any app other than the settings app, so you will have to generate and set the certificate yourself.

  1. Generate the certificate in Linux. You can also do this on the device if you get an openssl app or terminal. I followed this tutorial, except I added the name "alias" to the p12 key:

     ```bash
     openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365 -nodes
     ```

     Hit enter for all the prompts

     ```bash
     openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in cert.pem -name "alias"
     ```

     Enter the password "test"

  2. Transfer keyStore.p12 and cert.pem to the Android device

  3. In Android settings, go to Biometrics and Security (note I have a Samsung device, it might be different for you) > Other Security Settings > Credential Storage > Install from device storage > CA Certificate > Accept the scary red warning and tap "Install anyway" > enter your pincode > find "cert.pem" and click "Done"

  4. Going back to "Install from device storage" > VPN and app user certificate > find keyStore.p12 > Enter password "test" and name it "alias"

  5. Go to the app info screen for Packet Capture > Permissions > Files And Media > Enable "Allow management of all files"

  6. Open Packet Capture > Setting > Tap "No CA certificate" > Import PKCS#12 file > find keyStore.p12. Enter password "test" and the "alias". Restart Packet Capture. If everything worked, the "Status" subtitle should say "Installed to trusted credentials"

  7. Restart device

SSL should work for most apps now but it can be hit and miss

Jared Kozak
  • I was on Android 9 not 11, but I'll accept your answer as it gives a procedure for generating the cert. I was keen to do this entirely within Android and without needing to use a PC, but maybe that was overly ambitious. Anyway I am no longer using Packet Capture as I switched to HttpCanary. – Kidburla Jul 23 '21 at 22:46
  • 1
    Looks like you can do this within Android. I got the above commands to run in Termux – Kurtoid Aug 16 '21 at 17:41
  • 1
    At step 3, cert.pem is grayed out for me... – billy Sep 05 '21 at 20:10
  • 1
    "If everything worked, the Status subtitle should say Installed to trusted credentials" Mine says "Not installed. Tap to install to trusted credentials". – kiradotee Dec 20 '21 at 11:43
  • 2
    Ah, I think it's because when I try to install "cert.pem" as a CA certificate it says "Private key required to install a certificate". When I click on myKey.pem there's no pop up showing up and the certificate doesn't seem to be installed. – kiradotee Dec 20 '21 at 11:47
  • 2
    I needed to use the -legacy flag in the openssl pkcs12 command for it to work. When I do not provide the flag Android states the password is wrong. See https://stackoverflow.com/questions/71872900/installing-pcks12-certificate-in-android-wrong-password-bug/73512646#73512646 – Jan Wytze Jan 08 '23 at 18:56
1

I got it working on Android API 34 with the -legacy option as @JanWytze mentioned. Here's a simple script that will create the pair and push it to the device (password: test):

```bash
#!/bin/bash

# Step 1: Generate the certificate

# Generate a self-signed certificate and private key
openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=Some-State/O=Company Name"

# Export the private key and the certificate into a PKCS12 keystore using the -legacy flag
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in cert.pem -name "alias" -passout pass:test -legacy

echo "Successfully generated keyStore.p12 and cert.pem"

# Step 2: Transfer files to Android device using adb

# Check if device is connected
if adb devices | grep -q 'device$'; then
    adb push keyStore.p12 /sdcard/
    adb push cert.pem /sdcard/
    echo "Files transferred successfully to the device!"
else
    echo "No device found. Make sure your device is connected and USB debugging is enabled."
fi
```

Erol444
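
The `-legacy` point from the comment and the answer above can be checked before the file is copied to the device: OpenSSL 3.x exports PKCS#12 with PBES2/AES-256-CBC and a SHA-256 MAC by default, while `-legacy` falls back to the older pbeWithSHA1 ciphers and a SHA-1 MAC. This added example (not from either answer) classifies the text printed by `openssl pkcs12 -info -noout`. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/bash
# Added example: report which encryption profile a PKCS#12 file uses, based on
# the text printed by `openssl pkcs12 -info -noout`. Names are hypothetical.

# Reads that text on stdin; prints "<verdict> mac=.. cert=.. key=..".
p12_profile() {
  awk '
    function clean(s) { sub(/,$/, "", s); return s }
    /^MAC:/                  { mac  = clean($2) }   # MAC digest
    /^PKCS7 Encrypted data:/ { cert = clean($4) }   # certificate bag cipher
    /^Shrouded Keybag:/      { key  = clean($3) }   # private key bag cipher
    END {
      # Either bag line is enough to decide, so truncated output still works.
      verdict = "unknown"
      if (cert == "PBES2" || key == "PBES2") verdict = "modern"
      else if (cert ~ /^pbeWithSHA1And/ || key ~ /^pbeWithSHA1And/) verdict = "legacy"
      printf "%s mac=%s cert=%s key=%s\n", verdict, mac, cert, key
    }'
}

# Classify a real file; 2>&1 because openssl writes these lines to stderr.
check_p12() {  # usage: check_p12 keyStore.p12 test
  openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 | p12_profile
}

# Constructed sample outputs (typed by hand, not captured from a real run).
SAMPLE_DEFAULT='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# With a file argument (and openssl installed) check it; otherwise run the samples.
if [ -n "${1:-}" ] && command -v openssl >/dev/null 2>&1; then
  check_p12 "$1" "${2:-test}"
else
  printf '%s\n' "$SAMPLE_DEFAULT" | p12_profile
  printf '%s\n' "$SAMPLE_LEGACY"  | p12_profile
fi
```

A `modern` verdict is the kind of export that the comment above reports Android rejecting with a wrong-password error; re-export with `-legacy` and check again.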