Ever wondered which Certificate Authorities are trusted by Android? Here’s how to extract the root CA list from an Android device.

Prerequisites

  1. Download the BouncyCastle provider JAR
  2. Place it in the $JAVA_HOME/lib/ext directory
  3. Ensure $JAVA_HOME/bin is in your system PATH

Extracting the Certificates

Pull the certificate store from your device and extract the list:

# Pull the certificate store from the device
adb pull /system/etc/security/cacerts.bks cacerts.bks

# Extract certificate information
keytool -keystore cacerts.bks \
        -storetype BKS \
        -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
        -storepass changeit \
        -list -v >> certificates.txt
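Once certificates.txt exists, the listing deserves more than a skim. The script below is an added example, not part of the original post: it parses keytool's -v output into one record per alias and flags entries that have expired or are signed with a legacy hash. The embedded sample listing is constructed (placeholder names and dates, not real Android roots), and the parser assumes keytool ran in an English locale.

```python
import re
from datetime import datetime
# Constructed sample of `keytool -list -v` output, trimmed to the lines the
# parser reads (placeholder names and dates, not real Android root CAs).
SAMPLE_LISTING = """Alias name: example-legacy-ca
Owner: CN=Example Legacy Root CA, O=Example Inc, C=US
Issuer: CN=Example Legacy Root CA, O=Example Inc, C=US
Valid from: Mon Jan 01 00:00:00 UTC 1996 until: Wed Jan 01 23:59:59 UTC 2020
\t Signature algorithm name: MD5withRSA

Alias name: example-current-ca
Owner: CN=Example Current Root CA, O=Example Inc, C=US
Issuer: CN=Example Current Root CA, O=Example Inc, C=US
Valid from: Tue Jan 01 00:00:00 UTC 2008 until: Mon Jan 01 23:59:59 UTC 2035
\t Signature algorithm name: SHA256withRSA
"""

DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"        # keytool's English date layout
WEAK_SIG_PREFIXES = ("MD2", "MD5", "SHA1")  # hash families no longer trusted
FIELDS = {"owner": "Owner", "issuer": "Issuer", "sig_alg": "Signature algorithm name"}

def parse_keytool_listing(text):
    """One dict per keystore entry (assumes keytool ran in an English locale)."""
    entries = []
    for chunk in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        entry = {"alias": chunk.splitlines()[0].strip()}
        for key, label in FIELDS.items():
            m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(label), chunk, re.M)
            entry[key] = m.group(1) if m else None
        until = re.search(r"^Valid from: .+? until: (.+?)\s*$", chunk, re.M)
        entry["not_after"] = datetime.strptime(until.group(1), DATE_FMT)
        entries.append(entry)
    return entries

def audit_entries(entries, now):
    """Per alias: 'expired' and/or 'weak-signature:<alg>' (empty list = ok)."""
    findings = {}
    for e in entries:
        issues = ["expired"] if e["not_after"] < now else []
        # A legacy hash on a self-signed root is informational (trust comes from
        # inclusion in the store, not the signature) but still worth inventorying.
        if (e["sig_alg"] or "").upper().startswith(WEAK_SIG_PREFIXES):
            issues.append("weak-signature:" + e["sig_alg"])
        findings[e["alias"]] = issues
    return findings
if __name__ == "__main__":  # swap SAMPLE_LISTING for open("certificates.txt").read()
    for alias, issues in audit_entries(parse_keytool_listing(SAMPLE_LISTING), datetime.now()).items():
        print(alias, issues or "ok")
```

Run against the real certificates.txt, the output is a quick inventory of which roots on the device are stale or rely on deprecated hashes before you decide on a pinning set.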

What You’ll Find

Android 2.2 (Froyo) included 57 trusted certificate entries from authorities including:

  • VeriSign
  • DigiCert
  • Equifax
  • StartCom
  • GlobalSign
  • Thawte
  • GeoTrust
  • And many others from various countries

macOS Note

On macOS, you may need to use the full keytool command path:

/Library/Java/JavaVirtualMachines/jdk-X.X.jdk/Contents/Home/bin/keytool

Why This Matters

Understanding which CAs are trusted helps you:

  • Debug SSL/TLS certificate issues
  • Understand the security implications of your app’s connections
  • Plan certificate pinning strategies