Importing private CA certificates in Android

Internal encryption in company networks is important and relatively easy to set up. By creating your own certificate authority (CA) and signing your server certificates with it, you can establish a centralized point of trust on all your devices, making it much easier to maintain your network encryption. Plus, it doesn't cost a dime in licenses if you use free solutions such as OpenSSL, and you are much more flexible than with paid certificates.

When you are using your own domains, such as yourcompany.local, your own CA is a great way to provide trusted certificates for all your applications. The only requirement is that your CA certificate is imported on all devices that connect to those services. Let's see how we can import your CA certificate into the Android certificate store.

On Android, importing system-wide certificates is fairly straightforward. Just open your settings, scroll down to Security and tap the Install from storage option.

[Screenshots: img-android-settings, img-android-security, img-android-storage]

Browse to the location of your CA certificate and tap the file to import it. After naming your imported certificate authority and specifying what it should be used for, you should get a success message and the certificate should now be listed in the User tab.

[Screenshots: img-android-import, img-android-confirm, img-android-check]

Errors and Notes

The following screenshots show three minor things we encountered.

[Screenshots: img-android-nocert, img-android-needpin, img-android-nottrusted]

First, if you get the error message No certificate to install shown above, your certificate is most likely formatted incorrectly. Android requires .DER formatted certificates to be able to import them. You can convert your certificate easily with the following command.

openssl x509 -inform PEM -outform DER -in ca_cert.crt -out ca_cert_der.crt

Your certificate might already be called ca_cert.pem, which would indicate that it's PEM formatted. However, the ending .crt is not only used for .DER certificates but sometimes as a file extension for certificates in general, which can lead to the wrong assumption that it is a .DER file when in fact it might not be.

You can check the format with the following commands.

$ openssl x509 -in ca_cert.crt -text -inform der
unable to load certificate
139809376417424:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1198:
139809376417424:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:372:Type=X509

$ openssl x509 -in ca_cert.crt -text -inform pem
Certificate:
Data:
    Version: 3 (0x2)
    [...]

The first command tries to import the certificate as a DER file. Since it fails, we now know that it's not a DER formatted file. The second command tries to import the same certificate as a PEM file. The command is successful and shows us the content of the certificate, which indicates that this must be a PEM formatted file.

Once you have converted your certificate, you should be able to import it and be presented with a success message (see above).
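
Since the extension does not tell you the encoding, the same check can be made from the file contents. The following is an added example (not part of the original article) that classifies a file as PEM or DER and converts PEM to DER. It only inspects the PEM armor and the outer ASN.1 SEQUENCE length, so the openssl commands above remain the real validation; the function names and the sample data are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

def der_total_length(data: bytes):
    """Length (header + body) claimed by the outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:      # a certificate is an ASN.1 SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                          # short form: one length byte
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_format(data: bytes) -> str:
    """Classify by content, ignoring the file extension."""
    if PEM_RE.search(data):
        return "PEM"
    if der_total_length(data) == len(data):   # SEQUENCE must span the whole file
        return "DER"
    return "unknown"

def to_der(data: bytes) -> bytes:
    """Return DER bytes for PEM or DER input; raise ValueError otherwise."""
    fmt = detect_format(data)
    if fmt == "DER":
        return data
    if fmt != "PEM":
        raise ValueError("input is neither PEM nor DER")
    body = PEM_RE.search(data).group(1)
    der = base64.b64decode(b"".join(body.split()), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("PEM body does not decode to one DER SEQUENCE")
    return der

def make_sample():
    """Constructed stand-in, NOT a real certificate: SEQUENCE header + 300 zero bytes."""
    der = b"\x30\x82\x01\x2c" + bytes(300)
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    return der, pem

if __name__ == "__main__":
    der, pem = make_sample()
    print(detect_format(pem), detect_format(der), to_der(pem) == der)
```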

The second thing we encountered was that if you use neither a PIN nor a password to unlock your device, importing a CA certificate might require you to improve your device security first. Just set a PIN or password, or if you already have one but are using an "auto-unlock" app for your home network, simply disable Wi-Fi temporarily and you should be good to go.

Last but not least, since a custom CA allows the owner of the CA to create valid certificates for any website on your device (even google.com, facebook.com, etc.), you should get the following info message. Only ever allow certificates you have good reason to trust, especially when it comes to CA certificates.

Hopefully you enjoyed this little excursion into the Android certificate store. Leave a comment if you think we should also cover other devices such as iOS, Windows Phone, Linux, Mac and Windows and Mozilla applications, which all keep their own certificate store.