How to install trusted CA certificate on Android device

Question

I have created my own CA certificate and now I want to install it on my Android Froyo device  HTC Desire Z   so that the device trusts my certificate    Android stores CA certificates in its Java keystore in  system etc security cacerts bks  I copied the file to my computer  added my certificate using portecle 1 5 and pushed it back to the device    Now  Android does not seem to reload the file automatically  I have read in several blog posts that I need to restart the device  Doing so results in the file being overwritten with the original one again   My next try was to install the certificate from SD card by copying it and using the according option from the settings menu  The device tells me that the certificate has been installed  but apparently it does not trust the certificate  Moreover  when I try to copy the keystore to my computer  I still find the original stock cacerts bks   So  what is the right way to install my own root CA certificate on an Android 2 2 device as a trusted certificate  Is there a way to do it programmatically

User · Answer

I spent a lot of time trying to find an answer to this (I need Android to see StartSSL certificates). Conclusion: Android 2.1 and 2.2 allow you to import certificates, but only for use with WiFi and VPN. There is no user interface for updating the list of trusted root certificates, but there is discussion about adding that feature. It’s unclear whether there is a reliable workaround for manually updating and replacing the cacerts.bks file.

Details and links: http://www.mcbsys.com/techblog/2010/12/android-certificates/. In that post, see the link to Android bug 11231--you might want to add your vote and query to that bug.

User · Answer

Here s an alternate solution that actually adds your certificate to the built in list of default certificates  Trusting all certificates using HttpClient over HTTPS  However  it will only work for your application   There s no way to programmatically do it for all applications on a user s device  since that would be a security risk

User · Answer

There is a MUCH easier solution to this than posted here  or in related threads   If you are using a webview  as I am   you can achieve this by executing a JAVASCRIPT function within it   If you are not using a webview  you might want to create a hidden one for this purpose   Here s a function that works in just about any browser  or webview  to kickoff ca installation  generally through the shared os cert repository  including on a Droid    It uses a nice trick with iFrames   Just pass the url to a  crt file to this function   function installTrustedRootCert  rootCertUrl        id    rootCertInstaller       iframe   document getElementById  id        if  iframe    null   document body removeChild  iframe        iframe   document createElement   iframe         iframe id   id      iframe style display    none       document body appendChild  iframe        iframe src   rootCertUrl      UPDATE   The iframe trick works on Droids with API 19 and up  but older versions of the webview won t work like this   The general idea still works though - just download open the file with a webview and then let the os take over  This may be an easier and more universal solution  in the actual java now     public static void installTrustedRootCert  final String certAddress         WebView certWebView   new WebView  instance          certWebView loadUrl  certAddress         Note that instance  is a reference to the Activity   This works perfectly if you know the url to the cert   In my case  however  I resolve that dynamically with the server side software   I had to add a fair amount of additional code to intercept a redirection url and call this in a manner which did not cause a crash based on a threading complication  but I won t add all that confusion here

User · Answer

If you need your certificate for HTTPS connections you can add the  bks file as a raw resource to your application and extend DefaultHttpConnection so your certificates are used for HTTPS connections   public class MyHttpClient extends DefaultHttpClient        private Resources  resources       public MyHttpClient Resources resources             resources   resources              Override     protected ClientConnectionManager createClientConnectionManager             SchemeRegistry registry   new SchemeRegistry            registry register new Scheme  http   PlainSocketFactory              getSocketFactory    80            if   resources    null                registry register new Scheme  https   newSslSocketFactory    443              else               registry register new Scheme  https   SSLSocketFactory                  getSocketFactory    443                      return new SingleClientConnManager getParams    registry              private SSLSocketFactory newSslSocketFactory             try               KeyStore trusted   KeyStore getInstance  BKS                InputStream in    resources openRawResource R raw mystore               try                   trusted load in   pwd  toCharArray                   finally                   in close                              return new SSLSocketFactory trusted             catch  Exception e                throw new AssertionError e

User · Answer

The guide linked here will probably answer the original question without the need for programming a custom SSL connector   Found a very detailed how-to guide on importing root certificates that actually steps you through installing trusted CA certificates on different versions of Android devices  among other devices    Basically you ll need to    Download  the cacerts bks file from your phone   adb pull  system etc security cacerts bks cacerts bks Download the  crt file from the certifying authority you want to allow  Modify the cacerts bks file on your computer using the BouncyCastle Provider Upload the cacerts bks file back to your phone and reboot    Here is a more detailed step by step to update earlier android phones   How to update HTTPS security certificate authority keystore on pre-android-4 0 device

User · Answer

Prior to Android KitKat you have to root your device to install new certificates   From Android KitKat  4 0  up to Nougat  7 0  it s possible and easy  I was able to install the Charles Web Debbuging Proxy cert on my un-rooted device and successfully sniff SSL traffic   Extract from http   wiki cacert org FAQ ImportRootCert     Before Android version 4 0  with Android version Gingerbread  amp  Froyo  there was a single read-only file    system etc security cacerts bks   containing the trust store with all the CA   system   certificates trusted by default on Android  Both system apps and all applications developed with the Android SDK use this  Use these instructions on installing CAcert certificates on Android Gingerbread  Froyo           Starting from Android 4 0  Android ICS  Ice Cream Sandwich   Android 4 3  Jelly Bean   amp  Android 4 4  KitKat    system trusted certificates are on the  read-only  system partition in the folder   system etc security   as individual files  However  users can now easily add their own  user  certificates which will be stored in   data misc keychain certs-added        System-installed certificates can be managed on the Android device in the Settings -  Security -  Certificates -   System -section  whereas the user trusted certificates are manged in the  User -section there  When using user trusted certificates  Android will force the user of the Android device to implement additional safety measures  the use of a PIN-code  a pattern-lock or a password to unlock the device are mandatory when user-supplied certificates are used       Installing CAcert certificates as  user trusted -certificates is very easy  Installing new certificates as  system trusted -certificates requires more work  and requires root access   but it has the advantage of avoiding the Android lockscreen requirement    From Android N onwards it gets a littler harder  see this extract from the Charles proxy website      As of Android N  you need to add configuration to your app in order to   have it trust the SSL certificates generated by Charles SSL Proxying    This means that you can only use SSL Proxying with apps that you   control       In order to configure your app to trust Charles  you need to add a   Network Security Configuration File to your app  This file can   override the system default  enabling your app to trust user installed   CA certificates  e g  the Charles Root Certificate   You can specify   that this only applies in debug builds of your application  so that   production builds use the default trust profile    Add a file res xml network security config xml to your app    lt network-security-config gt           lt debug-overrides gt            lt trust-anchors gt                lt  -- Trust user added CAs while debuggable only -- gt               lt certificates src  user    gt            lt  trust-anchors gt           lt  debug-overrides gt     lt  network-security-config gt    Then add a reference to this file in your app s manifest  as follows     lt  xml version  1 0  encoding  utf-8   gt    lt manifest gt       lt application android networkSecurityConfig   xml network security config  gt       lt  application gt    lt  manifest gt

User · Answer

Did you try  Settings - gt  Security - gt  Install from SD Card      Alexander Egger Dec 20  10 at 20 11  I m not sure why is this not an answer already  but I just followed this advice and it worked

User · Answer

These steps worked for me    Install Dory Certificate Android app on your mobile device  https   play google com store apps details id io tempage dorycert amp hl en US Connect mobile device to laptop with USB Cable  Create root folder on Internal Phone memory  copy the certificate file in that folder and disconnect cable  Open Dory Certificate Android app  click the round     button and select the right Import File Certificate option  Select format  provide a name  I typed same as filename   browse the certificate file and click the  OK   Three cards will list up  I ignored the card that only had the  SIGN CSR  button and proceeded to click the  INSTALL  button on the two other cards  I refreshed the PWA web app I had opened no my mobile Chrome  it is hosted on a local IIS Web Server  and voala  No chrome warning message  The green lock was there  It was Working    Alternatively  I found these options which I had no need to try myself but looked easy to follow    Apple Device  http   help netmotionsoftware com support docs mobilityxg 1100 help mobilityhelp htm page Mobility 2520Server 2Fconfig 05 083 html 23 Android Device  http   help netmotionsoftware com support docs mobilityxg 1100 help mobilityhelp htm page Mobility 20Server config 05 084 html   Finally  it may not be relevant but  if you are looking to create and setup a self-signed certificate  with mkcert  for your PWA app  website  hosted on a local IIS Web server  I followed this page   https   medium com  aweber01 locally-trusted-development-certificates-with-mkcert-and-iis-e09410d92031  Thanks and hope it helps

User · Answer

If you have a rooted device  you can use a Magisk Module to move User Certs to System so it will be Trusted Certificate  https   github com yochananmarqos Move-Certificates

User · Answer

What I did to beable to use startssl certificates was quite easy   on my rooted phone   I copied  system etc security cacerts bks to my sdcard  Downloaded http   www startssl com certs ca crt and http   www startssl com certs sub class1 server ca crt   Went to portecle sourceforge net and ran portecle directly from the webpage   Opened my cacerts bks file from my sdcard  entered nothing when asked for a password   Choose import in portacle and opened sub class1 server ca crt  im my case it allready had the ca crt but maybe you need to install that too    Saved the keystore and copied it baxck to  system etc security cacerts bks  I made a backup of that file first just in case   Rebooted my phone and now I can vist my site thats using a startssl certificate without errors

[android] How to install trusted CA certificate on Android device?

Examples related to android

Examples related to ssl

Examples related to installation

Examples related to certificate