I have a .pem file and -key.pem. I'm on a Pixel 4a with Android 13, and when I go to Settings -> Security -> Advanced Settings -> Encryption -> Install certificate -> CA certificate, I can select one file. When I select the .pem file it just goes back to the Install certificate screen, and when I choose the -key.pem file it says that I need a private key to install it. I don't know much about SSL certificates so help would be very much appreciated :) ---------- Edit: I am using mkcert to generate a certificate for a certain IP address in my network. I am using KDE connect to send the files to my phone.

I am developing an Android Enterprise solution where I provision devices as fully managed (Device Owner) using the Android Management API. My requirement is to install my own custom CA certificate into the system trust store so that all apps on the device will trust it automatically — not just apps that trust user-installed CAs. So the problem is that even on a fully managed (Device Owner) device DevicePolicyManager.installCaCert() only installs into the user CA store. Many apps using network security config with trust-anchors restricted to system do not trust user-installed CAs. In the Android Management API policies docs I haven't found any options that will allow me to do that either. There appears to be no way via Android Management API to install my CA into the system store after provisioning. Is there any current officially supported method in Android Management API to install a system CA (not user CA)? If not, are there any other methods to achieve that(I don't consider using root for this, as it may break overall user experience using other apps and services).

I can't connect to campus WiFi anymore after installing latest ROM with december 2020 security patches. The configuration is PEAP/MSCHAPV2. Under CA certificate, we usually choose "Do not validate" but now CA certificates is set to "Use system certificates" and can't be changed. "Use system certificates" setting requires Domain name which I don't know and have never needed to use before in any ROM. Is there any workaround to choose "Do not validate" in "CA certificate"?

Can I install AdBlock certificate on my Motorola 2025 phone to block ads? I don't have a certificate/encryption subtitle in settings, under Security and Privacy.

I've set up a server that accepts HTTPS connections with a custom CA certificate. I've installed it on my Samsung Galaxy A50, and can now access the server without warnings in Chrome. Now, I'd like to limit access to clients authenticated with **mTLS**, where they submit client certificates. So far, it works properly on desktop browsers, refusing a TLS connection when a client certificate isn't provided. I now need to access this on the Android phone. I usually use Firefox on that phone, but [Firefox does not support client certificates yet](https://bugzilla.mozilla.org/show_bug.cgi?id=1813930) (as of writing this question, it does support it as of March 2025). Chrome does, however: when I access https://certauth.idrix.fr with the client certificate installed, the certificate choice popup does appear. It doesn't do that for my server, however: instead, it shows a ERR_BAD_SSL_CLIENT_AUTH_CERT (*WEBSITE didn't accept your login certificate, or one may not have been provided. Try contacting the system admin.*), and doesn't prompt me to pick the certificate. From my testing, the problem doesn't seem to be specific to my server: the same happens with mTLS configs for Nginx, Apache HTTPd, and Traefik. However, the https://certauth.idrix.fr server is somehow special, because the mTLS works for it. How do I get Chrome to do this prompt? If I can't, what other browsers support client certificates? (It seems that very few do.)

I installed an app **LUMEN** that installed a certificate. Ever since the certificate was installed, it is showing that *your secure network maybe monitored or modified* How to remove a certificate Authority installed? Device model: Redmi Note 5

According to a well-regarded QA answer by a member of our Android community here on Stack Exchange: > By the current schedule, Let's Encrypt cross signing will end on September the 30th 2024. After this date Android 7.1 stock devices will become more or less useless for Internet surfing as all Let's encrypt based certificates will be considered untrusted and the connection will not be established. Has this schedule changed? I haven't seen any announcement of a change, but I've noticed that affected devices suddenly have certificate validation failures when trying to connect to many internet hosts. The problem seems to stem from Let's Encrypt R3, which is affected by the changes that were supposed to be effective much later this year. Is there any documentation as to why these devices are being affected earlier than planned? Are there any workarounds for non-rooted devices? Relevant: - https://letsencrypt.org/2024/03/19/new-intermediate-certificates - https://letsencrypt.org/2020/12/21/extending-android-compatibility.html - https://community.letsencrypt.org/t/lets-encrypt-new-intermediate-certificates/209498

In January 2021 all devices with Android prior to 7.1.1 will not be able to connect to HTTPS servers using Let's Encrypt certificate ([Let's Encrypt blog post explaining the details](https://letsencrypt.org/2020/11/06/own-two-feet.html)) Is there any workaround that's system-wide (i.e. all apps, not just a single app, like using Firefox) for the SSL certificate expiration on Jan 11th 2021? Assume that one has root access to their device, and that upgrading to a newer device is not an option.

I have two legacy Android 4.0 Garmin Monterra devices. It's not possible anymore to open the Google Play Store or some websites. When I open most of the websites with Chrome, I receive an SSL error 107. Some websites with HTTPS or HTTP are possible to open. I'm guessing that there is an issue with the CA certificates. I found this solution [Update trusted SSL root certs in AOSP](https://stackoverflow.com/q/68587205/2821954) , but it's not possible to copy the certificates to the devices. I tried the ADB-Shell but without any success (permission issue). Is there any solution to update expired certificates? Is it possible to convert the ca-certificates from the .0 file format to any other possible format and to import over the SD certificate import from Android 4.0?

I have a Samsung Galaxy Note 8 (Android 9, One UI 1.0) and am using Samsung's Email app (which comes preloaded on Samsung phones) to access my work email. Recently, I went abroad and had to rely on various Wi-Fi connections (hotels, airports, etc) for Internet connectivity. Suddenly, I started getting an error when I launched the Email app, which said: > **Certificate not secure for *[my email address]*** > > The certificate isn't from a trusted authority. > > If you continue with this certificate, your emails and account may be at risk. The error keeps popping up if I click on "Cancel". If I click on "View", all the important fields related to the Security Certificate are shown as totally blank, so it is difficult to know which certificate is causing the problem: Since this happened, the email is not syncing now, i.e. I am now unable to send or receive new emails from the app. I googled a lot to resolve this problem and the two main solutions were (though I have no idea how well any of these would work): 1. Uninstall the Email app and re-install it. But I don't want to go down such a drastic route without getting to the bottom of the problem. 2. Find the offending certificate (Settings > Biometrics and Security > Other security settings > View security certificates) and delete that certificate. However, my problem is, that the Email app is not showing the details of the offending certificate. What is going on here and how do I resolve it? Have some "rogue" certificates been installed by those free Wi-Fi connections I used recently? If so, how harmful could those be and how do I get rid of them? Hopefully nothing serious! And how do I get my Email app to work normally again?

I realize sometimes when browsing with HTTPS, it shows the certificate is not valid, "This certificate is not from a trusted authority". Clicking "continue" will just pop up the same warning. That time, I start thinking the certificate store is not updated. I try to compare with Windows trusted CA which will be updated automatically. I think the certificate must be updated in a period of time since the validity of trusted CA is about 1 to a few years. I cannot find this thing mention in Android anywhere. Does the way it manages certificates is different? How can I make sure I get the latest update?

I am trying to connect my Pixel 6a to WiFi using a CA certificate. When I select install certificates from the dropdown box, install the certificate, and put in the password to extract it, there is no option to select this certificate in the dropdown box. It appeared there as an option before. I cleared the certificates hoping that if I redownloaded it, it would work. But now there is no option to choose it from the CA certificate dropdown box. I have also installed it as a WiFi certificate using these steps, but there is still no option to select it from the CA certificate dropdown: 1. Open your device's Settings app. 1. Tap Security & privacy then More Security settings and then Encryption & credentials. 1. Tap Install a certificate And then Wi-Fi certificate. 1. Tap Menu. 1. Tap where you saved the certificate. 1. Tap the file. 1. If needed, enter the key store password. Tap OK. 1. Enter a name for the certificate. 1. Tap OK. Any troubleshooting would be greatly appreciated!

Would like to ask if it is possible to decrypt the user private key store found in android keystore. I know that you need the masterkey to decrypt it. But is it possible to obtain the masterkey from a rooted android device?

This is a follow up question related to this answer . In short: I am importing the self signed Root CA certificate into android system via Settings -> Security -> Trusted Credentials -> install from SD path slightly differs on different android versions. Then point any browser (tested with Firefox, chrome and opera) to the secure (java script based) resource and I receive a socket error. The resource is an index.html with js web-socket logic to securely connect to a mosquitto broker. If I on the other hand point the browser to "https://myserver :" I receive a privacy warning, can continue unsafe and this somehow sets a cookie or other storage thing thus I am able to do future requests over the js based secure resource. It feels, that browsers on android do not make use of the system's user imported CA certificates although they are listed in the trusted certificates "user" tap and in the trusted credentials area. Tested with android 7.1.2 and 10. All desktop browsers work fine, tested on ubuntu / mint & raspi. How to accomplish browser based TLS requests on android without accepting unsafe privacy risks? **Additional test:** I've tested the same thing on a ios 13.3 IPhone 7, importing the CA certificate, putting the secure resource on a proper web space since local file access isn't possible on ios. Worked out of the box. So it seems to be a real android issue. It might make sense to put this question to an android space. Could someone make a suggestion please? **Further research:** Here is a detailed explanation, on how to get a custom certificate into the system's certificate section. But to be honest, that's not a usual way to go. Root access is not for ordinary mortals plus it might not work for more recent android versions. User certificates are for android applications written by your own. You can have a view lines of property settings in app.config to work with your self signed user certificates. Chrome browser and others on the other hand are kind of system applications or applications from vendors not being made to be aware of specific user certificates. And that's the only valid reason, why it will not know of certificates in the user section. It only knows of system certificates. So the only way remaining, seems to be making your own application or somehow recompile a whole browser application configuring it to look for user certificates. This is quite cumbersome and unsatisfying, since the web would give you all you need on any device, except android of course, which forces a detour.

I have enabled HTTPS filtering in AdGuard. I installed AdGuard's certificates, and the Magisk module that moves the certificates to the system store. Nevertheless, some apps don't work. Why is this? If the certificate is in the system store how can they tell the difference? Also is there a way to tell which apps actually use HTTPS?

I am trying to connect MetaQuest2's Android 12 to a Wi-Fi network that does not broadcast SSID, but the connection button is not enabling. The certificate installation was successful and the proxy settings are correct, so what could be the cause?

Requestly.io currently allows to intersect the HTTP and HTTPS packets if requests are made from google chrome as the SSL certificates can not be installed for "VPN and App". How to inspect any android app's HTTP/HTTPS request using Requestly.io if the phone is running Android T (13)?

I am trying to set up TLS interception with PolarProxy, using my own CA cert to see the clear-text payload of Android traffic. I am using BlueStacks 10 as an Android emulator. I used the procedure [at this link](https://android.stackexchange.com/questions/237141/how-to-get-android-11-to-trust-a-user-root-ca-without-a-private-key) to generate a CA cert and used the procedure [at this link](https://xdaforums.com/t/tutorial-how-to-install-custom-ssl-certificates-root-etc-on-bluestacks-4-5.4513773/) to place it on the BlueStacks instance. Specifically I mounted the drive for the BlueStacks instance onto a VirtualBox machine to add the cert onto the BlueStacks' drive. I've checked that the cert is being used by PolarProxy since it shows up on the Windows machine I am hosting BlueStacks on. Further, the cert is on the machine since I see it at the /system/etc/security/cacerts folder in BlueStacks with the same permissions as the other certs on the instance. However, when I navigate to a website on BlueStacks using Chrome, Firefox, or Opera, the certificate is not trusted and I get an error. Is there a post-install step I'm missing here or something else that needs to happen for the BlueStacks instance to trust the cert?

I want to sniff SSL/TLS encrypted traffic of my installed apps using BURP. After installing the burp certificate on my One Plus 5T and moving certificates through the Magisk tweak "Move Certificates" there are still applications like mcdonalds that I can't sniff because tell me there isn't Internet connections. I'm sure that Internet connections there is because another app like deliveroo work perfectly with burp. I was wondering if there was a solution to this problem.

I want to setup this app called Http Toolkit and for some reason I have the warning "System Trust Disabled". My android 11 device is rooted using ksu . How do I trust a certificate on android device?