Install the root CA on Android
The root CA must be installed on the client device to ensure that the client trusts server certificates that are signed by your private CAs.
To establish trust for the server certificate, we must install the trust anchor certificate (root CA) on the client device.
Only the root CA certificate (trust anchor) must be installed. We do not need to install any other certificates, such as intermediates, on the device.
- Ensure that the root CA is in PEM or DER file format and has a .crt file extension. Convert as needed.
- Run the following command to view the certificate details.
openssl x509 -in certificate.crt -text -noout
- Ensure that the certificate is of version X.509 v3. The certificate details must show Version 3.
The following openssl flag generates X.509 v3 certificates:
-reqexts v3_req
- Ensure that the certificate is a certificate authority. The certificate details must show X509v3 Basic Constraints: CA:TRUE
The following openssl flag generates the CA extension:
-extensions v3_ca
- To download the certificate file on the device, send it as an email attachment or host it on a secure website.
Do not install the server certificate by accessing the protected resource directly from the browser. This action imports the certificate only into the browser space and not into the device system truststore.
- After the file is on the device, tap the file to allow the Android system to install the certificate.
- Provide an alias name for the certificate when you are prompted.
- Check that the certificate was properly installed under Settings > Security > Trusted Credentials > User.
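The file checks in the first steps above (PEM or DER input, .crt extension, Version 3, CA:TRUE) can be scripted and run before the file is sent to the device. This is an added example, not part of the original page: the function names are hypothetical, the self-issued check and the SHA-256 fingerprint output are additions, and the openssl command-line tool is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): pre-install checks for a root CA file.

# Emit the certificate as PEM, accepting PEM or DER input.
load_cert() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# check_root_ca FILE: return 0 only if FILE passes the checks listed above.
check_root_ca() {
    case $1 in
        *.crt) ;;
        *) echo "FAIL: file name must end in .crt" >&2; return 1 ;;
    esac
    pem=$(load_cert "$1") || { echo "FAIL: not a PEM or DER certificate" >&2; return 1; }
    text=$(printf '%s\n' "$pem" | openssl x509 -text -noout) || return 1
    printf '%s\n' "$text" | grep -q 'Version: 3 (0x2)' ||
        { echo "FAIL: certificate is not X.509 v3" >&2; return 1; }
    # CA:TRUE must appear on the line under the Basic Constraints header.
    printf '%s\n' "$text" |
        awk '/X509v3 Basic Constraints/ { getline; if ($0 ~ /CA:TRUE/) ok = 1 }
             END { exit !ok }' ||
        { echo "FAIL: Basic Constraints does not show CA:TRUE" >&2; return 1; }
    # Added heuristic: a trust anchor is self-issued, an intermediate is not.
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    issr=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
    [ "${subj#subject=}" = "${issr#issuer=}" ] ||
        { echo "FAIL: issuer differs from subject (not a root)" >&2; return 1; }
    # Fingerprint to compare out of band after the file reaches the device.
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256
}

# Constructed sample input: make_sample OUT SECTION writes a throwaway
# self-signed certificate using the named extension section (v3_ca or leaf).
make_sample() {
    cnf=$(mktemp) && key=$(mktemp) || return 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = Constructed Example Root' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = CA:FALSE' > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -extensions "$2" -keyout "$key" -out "$1" 2>/dev/null
    rc=$?; rm -f "$cnf" "$key"; return $rc
}

# Usage: sh check_root_ca.sh certificate.crt
if [ "$#" -gt 0 ]; then check_root_ca "$1"; fi
```

The printed fingerprint can be compared with the one shown in the certificate details on the device to confirm that the installed file is the one that was checked.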