Below, I will demonstrate how to do this for google.com, but it will work for any website accessible on the phone

1. Connect an Android device to your computer (make sure USB debugging is on).

2. Open Google Chrome on your computer and go to chrome://inspect to show a list of debug-enabled WebViews on your device.

3. Click "Inspect".

4. Select "Security" and click on "View Certificate" as shown in the picture.

5. Now, drag the certificate icon (you could also drag a root CA certificate or an intermediate one) to your Desktop.

6. Done.

Chrome is one of the few apps that trusts custom root CA certificates installed by the user.

First you need the custom root CA certificate. Usually it can be downloaded to your Android device. Place it e.g. in Downloads folder.

The following installation procedure is for Android 11 running a non-modified version of Google Android. On older phones or on phones that are running a heavily modified Android version (like used by Samsung and other manufacturer) the settings may be named different.

Therefore you can simply open Android Settings app and in the Security section select Encryption & credentials -> Install a certificate -> CA certificate. Then select the downloaded certificate.

You can verify that the certificate has been installed in Encryption & credentials -> user credentials.

Note that the installed custom root CA certificate will be only used by Chrome. Other apps will not accept it as by default modern apps (targeting Android 6+) don't trust certificates installed by users.

2023-06:

Recent versions of Chrome for Android no longer accept custom root CA certificates because Chrome now checks certificates additionally using the Certificate Transparency system.

Prior to Android KitKat you have to root your device to install new certificates.

From Android KitKat (4.0) up to Marshmallow (6.0) it's possible and easy. I was able to install the Charles Web Debbuging Proxy cert on my un-rooted device and successfully sniff SSL traffic.

Extract from http://wiki.cacert.org/FAQ/ImportRootCert

Before Android version 4.0, with Android version Gingerbread & Froyo, there was a single read-only file ( /system/etc/security/cacerts.bks ) containing the trust store with all the CA ('system') certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, ...

Starting from Android 4.0 (Android ICS/'Ice Cream Sandwich', Android 4.3 'Jelly Bean' & Android 4.4 'KitKat'), system trusted certificates are on the (read-only) system partition in the folder '/system/etc/security/' as individual files. However, users can now easily add their own 'user' certificates which will be stored in '/data/misc/keychain/certs-added'.

System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> 'System'-section, whereas the user trusted certificates are manged in the 'User'-section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN-code, a pattern-lock or a password to unlock the device are mandatory when user-supplied certificates are used.

Installing CAcert certificates as 'user trusted'-certificates is very easy. Installing new certificates as 'system trusted'-certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.

From Android N (7.0) onwards it gets a littler harder, see this extract from the Charles proxy website:

As of Android N, you need to add configuration to your app in order to have it trust the SSL certificates generated by Charles SSL Proxying. This means that you can only use SSL Proxying with apps that you control.

In order to configure your app to trust Charles, you need to add a Network Security Configuration File to your app. This file can override the system default, enabling your app to trust user installed CA certificates (e.g. the Charles Root Certificate). You can specify that this only applies in debug builds of your application, so that production builds use the default trust profile.

Add a file res/xml/network_security_config.xml to your app:

<network-security-config>    
    <debug-overrides> 
        <trust-anchors> 
            <!-- Trust user added CAs while debuggable only -->
            <certificates src="user" /> 
        </trust-anchors>    
    </debug-overrides>  
</network-security-config>

Then add a reference to this file in your app's manifest, as follows:

<?xml version="1.0" encoding="utf-8"?> 
<manifest>
    <application android:networkSecurityConfig="@xml/network_security_config">
    </application> 
</manifest>