How to create a SuplRootCert for supl.google.com

Back to these bad GPS fixes for Android spread all over the net. This time I will describe how to find out which SSL root certificate is the correct one and how to create the SuplRootCert file from it. First we need to know which root certificate the Google SUPL server's certificate has been signed with. There are several ways, but we use the easiest: connect to the SUPL server with the openssl binary. This can be done with the following command:


$ openssl s_client -connect supl.google.com:7275

The output you will see will include the following relevant part at the beginning:


CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=supl.google.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=
---

This means the certificate chain of supl.google.com leads up to the “Thawte Premium Server CA” root certificate, the issuer on the last line of the chain. So you need to go and find that. Each SSL certificate issuer has a site with all its root certificates available. You can find the root certificates for Thawte here:

https://www.thawte.com/roots/

UPDATE 2015: Google uses Root 2 – GeoTrust Global CA in the meantime. You can get it

Now download the “Root 2 Thawte Premium Server CA” certificate. You will get the certificate in the PEM format. The SuplRootCert file on Android is stored in the DER format so we need to convert it. This can be done with the following command:

openssl x509 -inform PEM -in thawte_Premium_Server_CA.pem -outform DER -out SuplRootCert

Now you have the correct SuplRootCert, which you can put in /system/etc and use with gps.conf. If you have a SuplRootCert and want to find out which root certificate it is, you can do so with the following command:

openssl x509 -inform DER -in SuplRootCert -text
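
A scripted counterpart to the command above, added here as an example and not part of the original post: it reports whether a candidate SuplRootCert is DER or still PEM, whether it is a self-issued root rather than an intermediate, and the SHA-256 fingerprint to compare with the one the CA publishes. The names inspect_supl_root, read_tlv, tlv and sample_cert and the "Example" certificates are assumptions; the samples are constructed stand-ins with a dummy key and signature.

```python
import base64, hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def inspect_supl_root(data):
    """Report encoding, DER SHA-256, and issuer == subject (names only, no signature check)."""
    encoding = "DER"
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        encoding = "PEM"                     # needs converting before use as SuplRootCert
        body = data.split(b"-----BEGIN CERTIFICATE-----")[1]
        data = base64.b64decode(body.split(b"-----END CERTIFICATE-----")[0])
    tag, start, end = read_tlv(data, 0)      # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    _, pos, tbs_end = read_tlv(data, start)  # TBSCertificate ::= SEQUENCE
    fields = []
    while pos < tbs_end:                     # raw bytes of each top-level TBS field
        t, _, nxt = read_tlv(data, pos)
        fields.append((t, data[pos:nxt]))
        pos = nxt
    fields = [f for f in fields if f[0] != 0xA0]   # drop the optional [0] version
    if len(fields) < 5:
        raise ValueError("TBSCertificate has too few fields")
    issuer, subject = fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject
    return {"encoding": encoding, "self_issued": issuer == subject,
            "sha256": hashlib.sha256(data[:end]).hexdigest()}

# Constructed sample input: X.509 field layout with a dummy key and signature.
def tlv(tag, value):
    head = bytes([len(value)]) if len(value) < 0x80 else bytes([0x81, len(value)])
    return bytes([tag]) + head + value

def sample_cert(issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(9)))
ROOT = sample_cert(b"Example Root CA", b"Example Root CA")          # issuer == subject
INTERMEDIATE = sample_cert(b"Example Root CA", b"Example SSL CA")   # issued by the root
```

To check a real file, pass its bytes, for example inspect_supl_root(open("SuplRootCert", "rb").read()).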

REMEMBER: This works only on vendor ROMs which provide SUPL TLS support. I didn’t see any CyanogenMod ROM with TLS SUPL support yet!!!


9 Responses

  1. foo says:

    What if there is a MITM attack going on?

  2. If it isn’t encrypted he can read your location or send you wrong location information.

  3. Mazarin07 says:

    This only works for Linux-geeks.
    Overall, it is too complicated for the average user.

  4. Nobody ever claimed that security is easy. Only if you understand it can you make things secure. There are so many experts out in the forums who are the gurus of creating gps fix packages but have no clue what they are doing and they supply wrong certificates. I think that is worse than having no security. They give you a false impression.

  5. Akanksha says:

    Hi,

    Please help me to locate the path from where I can give the following commands
    openssl s_client -connect supl.google.com:7275

    Does it need to be given from the adb shell or from the command prompt on the local system?

    Please reply asap.

    Thanks in advance!!

  6. The command is only relevant if you want to see what they use as the certificate authority. If you don’t understand what it is about, it doesn’t make sense to execute the command 🙂

    Maybe you should start here: https://en.wikipedia.org/wiki/Transport_Layer_Security

  7. Zsolt M. says:

    CM 10.1.2 doesn’t seem to have TLS SUPL support either.

  8. MartiniGM says:

    Is it correct that Google has switched to GeoTrust?
