
I have generated a self-signed certificate for my server. Then I added it to Android with Settings -> Security -> Install.

When I'm trying to connect to my server from the application I'm getting the error:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

As I understand it, after I've added the certificate to the list of trusted ones it should work fine. Am I missing something? The idea is to add the certificate through the Android system without modifying application code.

Btw, I'm using OkHttpClient for network connections. Maybe I should enable something for https connections?

Orest

3 Answers


It is important to Android that when you generate your self-signed certificate, you mark it as a Certificate Authority in order to empower it to certify certificates — even if only to sign itself and so certify that it is itself.

This is done in the basicConstraints extension, declaring CA:TRUE instead of the default CA:FALSE. When you import a certificate so marked, Android will consider it a user-installed root certificate, and you should be able to see it under Credential storage -> Trusted credentials -> USER.

However, a certificate having this bit is a mighty power, and such certificates have been used by nefarious tools to spy on supposedly encrypted user communication in the past. Accordingly, these days, Google Play Protect will want to have a word with the user when this kind of CA certificate is in force.

Nathan Tuggy
dig
    Do you know whether this has changed with Android 9? I know that I had this working in the past (after setting `CA:TRUE`) but with Android 9, I can't get it running anymore... – eckes Feb 13 '20 at 07:21
  • Indeed, after changing the CA:FALSE to CA:TRUE parameter, Android 11 has successfully imported the localhost.crt, but I still got a SecurityError: An SSL certificate error occurred when fetching script (while trying to register a service worker) – Jacob Jul 27 '22 at 23:20

Consider using src/debug/xml/network_security_config.xml.

It should look similar to:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_cas"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>

Where debug_cas is the custom certification authority you used to generate the certificate for your server. Beware that if you are using a local server and accessing it by IP, you must have a subjectAltName with that IP inside your server certificate; otherwise it will give you a javax.net.ssl.SSLPeerUnverifiedException.

Martin Zeitler
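As an added worked example covering both answers above (it is not code from either answer or from any Android project), the following script uses the openssl CLI to build a local CA certificate that carries basicConstraints CA:TRUE, issue a server certificate with an IP subjectAltName from it, and then check both properties with the same two decisions Android makes: chain to a trusted anchor, then match the dialed address against the SAN. The CA name "Local Dev CA", the address 192.168.1.10, the working directory and all file names are assumptions chosen for illustration; a private openssl config file is used so the distribution's default openssl.cnf cannot add or override extensions.

```shell
#!/bin/sh
# Added example, not code from either answer. Assumes the openssl CLI
# (1.1.1 or newer, for -verify_ip) is on PATH. All names below are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_IP="${SERVER_IP:-192.168.1.10}"   # assumed: the address the app dials, so it must be in the SAN

# 1. Local CA. basicConstraints CA:TRUE is what makes Android file the
#    imported certificate under Trusted credentials -> USER (first answer).
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Local Dev CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Server certificate issued by that CA. The IP goes into subjectAltName;
#    without it the chain is trusted but hostname verification still fails
#    (the SSLPeerUnverifiedException from the second answer).
make_server_cert() {
  cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $SERVER_IP
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$SERVER_IP
EOF
  openssl req -new -config "$WORK/server.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.cnf" \
    -extensions server_ext -out "$WORK/server.pem" 2>/dev/null
}

# 3. DER copy of the CA, suitable for Settings -> Security -> Install or for
#    dropping into res/raw/debug_cas (Android accepts PEM or DER there).
export_for_android() {
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/debug_cas.der"
}

# Checks. Each returns 0 on success so they can gate a build script.
ca_is_ca() {
  openssl x509 -in "$WORK/ca.pem" -noout -text | grep -q 'CA:TRUE'
}
server_has_ip_san() {
  openssl x509 -in "$WORK/server.pem" -noout -text | grep -q "IP Address:$SERVER_IP"
}
# Chain to the CA, then match the given IP against the SAN. An address that
# is not in the SAN must be rejected here just as it would be on the device.
verifies_for_ip() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" "$WORK/server.pem" >/dev/null 2>&1
}

make_ca
make_server_cert
export_for_android
ca_is_ca                     && echo "CA cert carries basicConstraints CA:TRUE"
server_has_ip_san            && echo "server cert has subjectAltName IP:$SERVER_IP"
verifies_for_ip "$SERVER_IP" && echo "chain and IP match OK for $SERVER_IP"
verifies_for_ip 10.0.0.1     || echo "10.0.0.1 rejected: not in SAN, as expected"
echo "artifacts in $WORK (install debug_cas.der on the device or copy it to res/raw/)"
```

Two caveats that bear directly on the question: since Android 7.0 (API 24) an app's default trust store contains only system CAs, so a CA installed through Settings is honoured only if the app's network security config opts in with `<certificates src="user"/>` or, as in the answer above, a `<debug-overrides>` block, which Android applies only when the app is built with android:debuggable="true". Either way the certificate the server presents must both chain to that anchor and carry the dialed IP in its subjectAltName, which is exactly what the last two checks in the script exercise.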

This example has two code paths: https://stackoverflow.com/a/70543735/1542667

Firstly adding to the network security config, and secondly adding in the okhttp client.

Yuri Schimke