It’s very trivial to install a user-trusted certificate on android. Under Settings -> Security you can install new trusted certificates. However, this creates a permanent “Your network could be monitored” warning in your task tray and forces you to have a lock-screen. In addition to this, in newer versions of Android, Android apps will by default only trust system certificates.

By default, apps that target API level 24 will—by design—not honor such CAs unless the app explicitly opts in.
https://android-developers.blogspot.co.uk/2016/07/changes-to-trusted-certificate.html

So, ultimately if you want to be keeping an eye on what your phone is up to, you’re going to need to install a system trusted certificate come Android 7.0 onwards.

This setup is largely inspired from http://wiki.pcprobleemloos.nl/android/cacert - but without the endless references to cacert, which we aren’t using.

What you need

  • A rooted Android phone
  • ADB setup and ready to go
  • An SSL certificate in PEM form ** If you are using Charles Proxy, go to charlesproxy.com/getssl to download your certificate from your proxy in PEM form
  • OpenSSL command line tools ** On Linux, Google how to install for your distro ** On Windows, either setup Bash for Windows 10, or install OpenSSL and add the executable to your PATH environment variables

Step 1 - Setup the certificate

If your certificate isn’t in .PEM form, convert it from whatever format you currently have it in into .PEM first.

As an example, if you have it in .CER format, use openssl x509 -inform der -in cert.cer -out cert.pem to get it into .PEM.

You need to find the hash of your certificate first. To do this, run the following command on your certificate (mine is called cert.pem, replace as needed):

openssl x509 -inform PEM -subject_hash_old -in cert.pem | head -1

You should get something like 5h543h5a.

Write our .pem certificate to a new file with the hash name from above and the file extension .0 (replacing the hash with the result you had from above):

cat cert.pem > 5h543h5a.0

Now we need to export the PEM information into the bottom of this new file.

openssl x509 -inform PEM -text -in cert.pem -out /dev/null >> 5h543h5a.0

Now you have your .0 file ready for adding to the Android device!

Step 2 - Setup the device

Have the device plugged in and make sure you’ve enabled ADB debugging.

Run the following to make sure we’re debugging as root on the device:

adb root

If you have any issues here, you might need to enable root ADB in the developer options on the device. Google if you have other issues and then come back here when you’re set!

Now you probably need to remount your device to get access to the system files for writing our certificate.

adb remount

Push your new file to your device in the system certificates folder.

adb push 5h543h5a.0 /system/etc/security/cacerts/

Now open the shell by running adb shell and then run the following command to set the correct file permissions:

chmod 644 /system/etc/security/cacerts/5h543h5a.0

Now reboot the phone and if you go to Settings -> Security you should be able to find your new system trusted certificate!