Prior to Android KitKat you have to root your device to install new certificates.
From Android KitKat (4.0) up to Marshmallow (6.0) it's possible and easy. I was able to install the Charles Web Debbuging Proxy cert on my un-rooted device and successfully sniff SSL traffic.
Extract from http://wiki.cacert.org/FAQ/ImportRootCert
Before Android version 4.0, with Android version Gingerbread & Froyo, there was a single read-only file ( /system/etc/security/cacerts.bks ) containing the trust store with all the CA ('system') certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, ...
Starting from Android 4.0 (Android ICS/'Ice Cream Sandwich', Android 4.3 'Jelly Bean' & Android 4.4 'KitKat'), system trusted certificates are on the (read-only) system partition in the folder '/system/etc/security/' as individual files. However, users can now easily add their own 'user' certificates which will be stored in '/data/misc/keychain/certs-added'.
System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> 'System'-section, whereas the user trusted certificates are manged in the 'User'-section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN-code, a pattern-lock or a password to unlock the device are mandatory when user-supplied certificates are used.
Installing CAcert certificates as 'user trusted'-certificates is very easy. Installing new certificates as 'system trusted'-certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.
From Android N (7.0) onwards it gets a littler harder, see this extract from the Charles proxy website:
As of Android N, you need to add configuration to your app in order to have it trust the SSL certificates generated by Charles SSL Proxying. This means that you can only use SSL Proxying with apps that you control.
In order to configure your app to trust Charles, you need to add a Network Security Configuration File to your app. This file can override the system default, enabling your app to trust user installed CA certificates (e.g. the Charles Root Certificate). You can specify that this only applies in debug builds of your application, so that production builds use the default trust profile.
Add a file res/xml/network_security_config.xml to your app:
<network-security-config>
<debug-overrides>
<trust-anchors>
<!-- Trust user added CAs while debuggable only -->
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
Then add a reference to this file in your app's manifest, as follows:
<?xml version="1.0" encoding="utf-8"?>
<manifest>
<application android:networkSecurityConfig="@xml/network_security_config">
</application>
</manifest>
Videos
Prior to Android KitKat you have to root your device to install new certificates.
From Android KitKat (4.0) up to Marshmallow (6.0) it's possible and easy. I was able to install the Charles Web Debbuging Proxy cert on my un-rooted device and successfully sniff SSL traffic.
Extract from http://wiki.cacert.org/FAQ/ImportRootCert
Before Android version 4.0, with Android version Gingerbread & Froyo, there was a single read-only file ( /system/etc/security/cacerts.bks ) containing the trust store with all the CA ('system') certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, ...
Starting from Android 4.0 (Android ICS/'Ice Cream Sandwich', Android 4.3 'Jelly Bean' & Android 4.4 'KitKat'), system trusted certificates are on the (read-only) system partition in the folder '/system/etc/security/' as individual files. However, users can now easily add their own 'user' certificates which will be stored in '/data/misc/keychain/certs-added'.
System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> 'System'-section, whereas the user trusted certificates are manged in the 'User'-section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN-code, a pattern-lock or a password to unlock the device are mandatory when user-supplied certificates are used.
Installing CAcert certificates as 'user trusted'-certificates is very easy. Installing new certificates as 'system trusted'-certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.
From Android N (7.0) onwards it gets a littler harder, see this extract from the Charles proxy website:
As of Android N, you need to add configuration to your app in order to have it trust the SSL certificates generated by Charles SSL Proxying. This means that you can only use SSL Proxying with apps that you control.
In order to configure your app to trust Charles, you need to add a Network Security Configuration File to your app. This file can override the system default, enabling your app to trust user installed CA certificates (e.g. the Charles Root Certificate). You can specify that this only applies in debug builds of your application, so that production builds use the default trust profile.
Add a file res/xml/network_security_config.xml to your app:
<network-security-config>
<debug-overrides>
<trust-anchors>
<!-- Trust user added CAs while debuggable only -->
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
Then add a reference to this file in your app's manifest, as follows:
<?xml version="1.0" encoding="utf-8"?>
<manifest>
<application android:networkSecurityConfig="@xml/network_security_config">
</application>
</manifest>
I spent a lot of time trying to find an answer to this (I need Android to see StartSSL certificates). Conclusion: Android 2.1 and 2.2 allow you to import certificates, but only for use with WiFi and VPN. There is no user interface for updating the list of trusted root certificates, but there is discussion about adding that feature. It’s unclear whether there is a reliable workaround for manually updating and replacing the cacerts.bks file.
Details and links: http://www.mcbsys.com/techblog/2010/12/android-certificates/. In that post, see the link to Android bug 11231--you might want to add your vote and query to that bug.
Hi all. I was just gifted a Samsung Android tablet. I was trying to figure out how to get the certificate running on it so I can have it as a bit of a general purpose family device and figured having it run against the filtered side of my XG would be the best bet. On my iPad, it was simple, as I just downloaded the .pem, imported it accordingly, and I was off to the races. On Android I need to install a separate app it seems? And it requires login? I was previously using clientless users for the general purpose/kid-specific devices. Should I be using an actual user account to log in to this app in order to get the certificate rolling? I looked up the documentation but it basically said download app, then visit user portal (https://IP.of.XG.here without the :4444) and then log in. But I looked at the log in step like... why? Log in with what?
Guess I'm just a little taken back as I didn't have to do this on iPad. Should I be using user accounts? Are they superior to clientless users in some way?
EDIT - I started thinking about this more and while I still haven't been able to add the cert on this Android device (PS, it's Android 7, and I read about some issues with Nougat??), I realized I can still do content filtering without HTTPS scanning. For some reason in my mind I thought I had to have a cert installed to do that.
I simply cloned my existing Child-Devices firewall rule but unchecked HTTPS decryption and also changed out the source in the firewall rule from Child-Devices to a new group I made; Child-Devices-No-HTTPS-Scan. With my home LAN I base everything on segments of my IP range mostly because it's easy for home and I can handle it without issue, so I created a small 5 address IP range and plopped the Android tablet in there, and just like clockwork, I was getting blocked on various sites (things like playboy.com etc) WITH the block page (as opposed to the "certificate error" page you can often get). I was certain the block page only came up with the cert installed. I was even able to maintain safe search enforcement + YouTube restriction. Thinking back I believe I was previously pushed to intercept Google/Bing/etc search results which the cert/HTTPS decrypt was required for. I'd still like to get the cert installed on this Android tablet if at all possible but 99% of my concern with some sort of basic filtering being on this device was effectively fixed with that realization. Anyway, felt the need to follow up in case anybody in the future ends up here. :)
I have an OpenSSL self signed cert that I use for self hosted services. I want to load it on my Android device so that I don't have to click through the cert warnings on web pages. No matter what I do, I just can't get it to work. I am using Android 13, Firefox Android, and a wildcard cert. Has anyone had success doing this?
Edit: Some additional summarized details:
Android 13
The device is fully up to date with what updates are accessible
Firefox Android 141.0.1
Tried importing in .cert and .pem formats
Tried importing from internal and SD card format
Tried importing through CA certificate setting and Files app
Main issue is that when attempting to import the cert, the settings app returns to the certificates page with no success/error message, as if it has crashed. This occurs after the workflow of selecting the cert file.
I've used RealmB's Android Certificate Installer to great success. You simply upload your PEM encoded (.cer or .pem) file and then point your phone's browser to the link that is provided. No need for a private key.
First: Android only understands binary format of CA and only with file format *.crt.
Second: Android only understands user certificates in *.p12 file format.
So You can check whether your CA file binary or text very simple: open it with any text editors^
If there something like 0‚ i0‚ Т , then it is binary.
If you see something like
Certificate: Data: Version: 3 (0x2) Serial Number: 96:0e:45:58:68:9a:bf:00 Signature Algorithm: sha1WithRSAEncryption Issuer: C=UA, ST=
Then it is text. It is very simple to convert it to binary by yourself in *nix:
openssl x509 -inform PEM -outform DER -in CA.pem -out CA.crt
Or just ask your system administrator.
Copy both CA.crt and usercert.p12 to your SD card or send it by email (if you have an email client configured on Android, usually downloaded attachments are stored in Download folder, actually it does not matter).
Go to Security and find option something like this: install certificate from your SD card
First install CA.crt, then usercert.p12
Go to wifi and make new connection, choose 802.1x EAP whatever and select your certificates for CA CA.crt and for user certificate usercert.p12 in my case I entered username as well.