Step 1: Make the certs compatible (if they are not already)
First we need to figure out the file name of the cert file. The name of the cert file is a hash one can obtain from the certificate itself. For this, one needs the openssl tools. On Unix/Linux the steps are then as follows:
# Obtain the hash – in my case that returned d6a2705a – so we have the file name
openssl x509 -inform PEM -subject_hash_old -in root.crt | head -1
# Copy the original file
cat root.crt > d6a2705a.0
# Append additional data: the human-readable text dump
# (-noout keeps the PEM block from being written a second time)
openssl x509 -inform PEM -text -in root.crt -noout >> d6a2705a.0
Step 2: Get the cert into our system cert chain
If your device is rooted, a solution to this is importing the certificate as a system cert (not a user cert). You will need the command line for that, using either adb shell or a terminal app on-device. The following snippet assumes your certificate was already pushed to the SD card, saved as /sdcard/d6a2705a.0 (adjust that to your cert name), and you're at the command prompt of your device.
# Needs a root shell: make /system writable, then copy the cert from the SD card
mount -o remount,rw /system
cp /sdcard/d6a2705a.0 /system/etc/security/cacerts/d6a2705a.0
chown root:root /system/etc/security/cacerts/d6a2705a.0
chmod 0644 /system/etc/security/cacerts/d6a2705a.0
mount -o remount,ro /system
Done. Now you should be able to use the cert – and as you do not have any "unsafe user certs", you're free to use whatever unlock mechanism you prefer.
A quick check shows all these steps are also described in the CAcert Wiki on how to create Android compatible certificate files from their original files. So the personal notes I took the above from might well originate there, at least partly.
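How the file name in Step 1 comes about, as an added example that is not part of the original text: the value printed by -subject_hash_old is the MD5 digest of the certificate's DER-encoded subject name, with the first four bytes read little-endian. The Python below recomputes it without openssl and checks whether a file in the cacerts directory is named after its own contents; the function names and the sample certificate skeleton are constructed for illustration.

```python
import base64, hashlib

def _tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def subject_der(cert):
    """Raw DER bytes of the subject Name inside an X.509 certificate."""
    _, pos, _ = _tlv(cert, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                  # optional [0] version
        pos = end
    for _field in range(4):          # serial, signature algorithm, issuer, validity
        pos = _tlv(cert, pos)[2]
    tag, _, end = _tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("subject Name not found")
    return cert[pos:end]

def subject_hash_old(cert):
    """MD5 over the subject Name; first 4 digest bytes, little-endian, as hex."""
    return "%08x" % int.from_bytes(hashlib.md5(subject_der(cert)).digest()[:4], "little")

def pem_to_der(text):
    """Decode the first PEM block; a -text dump appended after it is ignored."""
    body = text.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(body.split()))

def name_matches(filename, text):
    """True if a cacerts file name equals <subject_hash_old>.0 for its contents."""
    return filename == subject_hash_old(pem_to_der(text)) + ".0"

# Constructed sample: a bare tbsCertificate skeleton, not a valid signed certificate.
def _der(tag, *parts):               # short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403"), _der(0x0C, cn))))
SUBJECT, _TIME = _name(b"Example Root"), _der(0x17, b"250101000000Z")
SAMPLE_DER = _der(0x30, _der(0x30, bytes.fromhex("a003020102020101"),
    bytes.fromhex("300d06092a864886f70d01010b0500"), _name(b"Other Issuer"),
    _der(0x30, _TIME, _TIME), SUBJECT))
SAMPLE_FILE = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
               + "\n-----END CERTIFICATE-----\nCertificate:\n    Data: ...\n")
```

Running name_matches over every file in /system/etc/security/cacerts (file name plus file contents) flags entries whose name does not correspond to the certificate they hold.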