证书安装，无需强制PIN锁屏 -- security 领域 和 lock-screens 领域 和 certificates 领域 android 相关 的问题

Google Support says:

The type of lock that's acceptable may be predetermined by your system administrator.

Where I can define what's acceptable? I can regenerate the certificate if needed.

So I can use slide lockscreen again.

(I'm using CM9 RC1, Android 4.0.4)

The problem with disabling the lockscreen security using the toggle/profile is that the lockscreen widgets don't appear either so you can't slide to unlock. Also, when you reboot your phone the buttons don't work until you retoggle the setting again.

Another way is to install the certificate as usual then backup the /data/misc/keychain and keystore directories using something that preserves the ACLs such as Root Explorer to a location that supports ACLs. I suggest copying them to /tmp. Then clear the credentials from Settings and enable Slide To Unlock. Then copy back the folders from /tmp. The CA will be installed.

I've described how to do exacly this on my page, "Installing CAcert certificates on Android as 'system' credentials without lockscreen - instructions" at http://wiki.pcprobleemloos.nl/android/cacert

I've also posted it on the cyanogenmod forum: http://forum.cyanogenmod.com/topic/82875-installing-cacert-certificates-on-android-as-system-credentials-without-lockscreen/

Basically, the commands are:

openssl x509 -inform PEM -subject_hash_old -in root.crt | head -1 

To get the correct filename, then convert the certificate:

cat root.crt > 5ed36f99.0 openssl x509 -inform PEM -text -in root.crt -out /dev/null >> 5ed36f99.0 

Copy them to /system/etc/security/cacerts/ and chmod the new .0 files to '644'. Reboot and verify. On your android device select 'Clear cerficates' and you are able to remove the pin (by entering the pin and changing your lockscreen to 'none' or 'wipe'

Here I used the CAcert root certificate, but you probably want the class3.crt certificate as well, or use your own certificates.

I've discovered a solution that works without additional software or manual file copying:

1. Set your lock screen to "pattern". Enter a pattern and an unlock PIN. Remember the unlock PIN.
2. Install your user certificate.
3. Turn the screen off and on.
4. Enter the pattern wrongly a few times, until the "Forgot pattern?" option appears.
5. Click "Forgot pattern?", scroll down, enter the unlock PIN and confirm with "OK".
6. Close the "Screen unlock settings" window with the back button without selecting an option.

The system is now set to "Swipe unlock", but the user certificate is still usable (tested with the web browser and a custom app using DefaultHttpClient).

Tested on an Android 4.1.2 on a Galaxy Tab 2 10.1.

• You can make use of CyanogenMod's profiles.
  (For other readers: this needs the custom CyanogenMod Rom version 9+)

  Just create or modify an existing profile and switch off "screen lock" there.

  It's: System Settings->Profiles->Default->Lock screen mode->Disabled

• Integrate your certificate into the standard Android keystore file

  See CAcert's excellent howto here

  I'm not sure however if you can do this with a self-signed cert (you might have to switch to a self-made CA maybe (use tinyca for a nice gui-tool on *nix)).

I found a way to solve the problem, but it requires root and may only work with root, self-signed, or intermediate CAs.

If you have a certificate that is not trusted by Android, when you add it, it goes in the personal cert store. When you add a cert in this personal cert store, the system requires a higher security level to unlock the device. But if you manage to add your cert to the system store then you don't have this requirement. Obviously, root is required to add a certificate to the system store, but it is quiet easy.

Here is how to do it :

1 - Add your cert normally. For example, my cert was called some.crt. It will be stored in your personal store and android will ask you a pin/password... Proceed.

2 - With a file manager with root capabilities, browse files in /data/misc/keychain/cacerts-added or /data/misc/keystore. You should see a file here called 1000_USRCERT_some it's the certificate you have added in step 1.

3 - Move this file to system/etc/security/cacerts (you will need to mount the system partition r/w)

4 - Reboot the phone

5 - You are now able to clear the pin/password you have set to unlock the device.

Worked for me with a self-signed cert on Android 4.4.2. Hope it helps!