Getting Keytool to Work With BouncyCastle in Ubuntu

This isn’t going to be an earth shattering post of supreme l33t-ness, just a quick note so I don’t forget how to do this:

If you want to get the Bouncy Castle provider working in Ubuntu – so you can do things like, say, update the cacerts.bks on an Android device with the PortSwiggerCA.crt to MiTM SSL traffic from a mobile device – you need to do the following things:

  1. Download the Bouncy Castle Provider of your choice. As of this post, the version I’m using is here.
  2. Put the .jar file in the following directory:
    /usr/lib/jvm/java-6-sun/jre/lib/ext
  3. Add the following line to /usr/lib/jvm/java-6-sun/jre/lib/security/java.security:
    security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
  4. Run the following command:
    keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias PortSwiggerCA -file PortSwiggerCA.crt
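Steps 2 to 4 above, as an added shell example (not from the original post). It generalises step 3 by computing the next free security.provider.N slot instead of hard-coding 9, so it also works on a JRE whose list does not end at 8, and it checks that the alias actually landed in the BKS after the keytool run. Assumed: the bcprov jar is already in the JRE's lib/ext directory, and the java.security path, keystore, alias and cert file are passed as arguments.

```shell
#!/bin/sh
# Added example, not the post's own code. Registers the Bouncy Castle
# provider in java.security idempotently and imports a CA cert into a BKS
# keystore the way the post describes, then verifies the import.
# Assumption: the bcprov jar is already in $JAVA_HOME/jre/lib/ext.

BC_PROVIDER=org.bouncycastle.jce.provider.BouncyCastleProvider

# Print the next unused security.provider.N slot (1 if the file has none).
next_provider_slot() {
    sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" \
        | awk 'BEGIN { m = 0 } $1 > m { m = $1 } END { print m + 1 }'
}

# Append the provider line once; running it twice does not duplicate it.
register_bc_provider() {
    secfile=$1
    if grep -q "^security\.provider\.[0-9]*=$BC_PROVIDER\$" "$secfile"; then
        echo "$BC_PROVIDER already registered in $secfile"
        return 0
    fi
    slot=$(next_provider_slot "$secfile")
    printf 'security.provider.%s=%s\n' "$slot" "$BC_PROVIDER" >> "$secfile"
    echo "registered $BC_PROVIDER as security.provider.$slot"
}

# Import the CA into the BKS store (the post's keytool command, plus
# -noprompt so it can run unattended), keeping a backup to push back if the
# device stops trusting anything. Fails if keytool fails or the alias is absent.
import_ca_into_bks() {
    store=$1; ca_alias=$2; certfile=$3
    cp "$store" "$store.bak"
    keytool -keystore "$store" -storetype BKS -provider "$BC_PROVIDER" \
        -storepass changeit -importcert -trustcacerts -noprompt \
        -alias "$ca_alias" -file "$certfile" || return 1
    keytool -keystore "$store" -storetype BKS -provider "$BC_PROVIDER" \
        -storepass changeit -list -alias "$ca_alias" > /dev/null
}

main() {
    register_bc_provider "$1" || exit 1
    import_ca_into_bks "$2" "$3" "$4" && echo "alias $3 present in $2"
}

# Usage: ./bc-import.sh /path/to/java.security cacerts.bks PortSwiggerCA PortSwiggerCA.crt
if [ $# -eq 4 ]; then
    main "$@"
fi
```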
For completeness, the cacerts.bks file can be pulled off the Android device using:
adb pull /system/etc/security/cacerts.bks
You’ll need to remount the /system file system as read-write before you can push the modified file back; you can do that with the following command (from the adb shell):
# mount -o rw,remount /dev/block/system /system
A side note: it seems that IE9 and the Chromium browser have decided to disallow the export of untrusted CA certificates (older Firefox still allows it, but newer versions may not – I didn’t check). As a result, you may have difficulty getting a copy of the PortSwiggerCA.crt file. If you find yourself in that situation, you’re mostly screwed – unless you have the pro version of Burp, which has an export option.