20

In Android 7 Nougat, a user-installed certificate goes to "User credentials" instead of "Trusted credentials" (which consists of system credentials & user credentials).

I used to access "Trusted credentials" by:

KeyStore keystore = KeyStore.getInstance("AndroidCAStore");
keystore.load(null, null); // the store must be loaded before aliases() or getCertificate() can be used

Through the above code I can then access both system and user trusted credentials.

But now, in Android 7, user installed certificate goes to a separate place called "User credentials" under Settings --> Security --> User credentials.

My question is how can I programmatically list the credentials inside User credentials in Android 7?

Mellon
  • Reading the docs I would assume that an app has implicit access to the user certificates if configured via https://developer.android.com/training/articles/security-config.html#trust-anchors (as it is automatically done for apps for API 23 and below). I have not read anything that there is a way to explicitly access the user credentials store. – Robert Nov 01 '16 at 16:03
  • 1
    I added `` in ``, however, my app still doesn't trust my certificate located under "User credentials". – Mellon Nov 03 '16 at 17:45
  • I think you could be misunderstanding `Settings-->Security-->User credentials`. It shows the certificates & private keys installed by the user, not the trusted certificates. Android 6 can manage user certificates but you can not see them in settings, only the root CAs. When you install a PKCS#12, the private key is accessible in KeyChain, and the root CA can be installed as a user trusted credential in `AndroidCAStore`. AndroidCAStore contains user & system entries and is what you are seeing in Android 6 & 7. If you are looking for a way to list private keys (the content of User credentials), there is no API. – pedrofb Nov 17 '16 at 13:11
  • @pedrofb, no, I am not misunderstanding, e.g. in Android 6 when I install my certificate & private key, it goes to `Settings ---> Security-->Trusted credentials(Users tab)`, but in Android 7, it goes to `Settings --> Security-->User credentials` which is not trusted. My question is how can I know in Android 7 my certificate is installed in `Settings-->Security-->User credential`? My certificate CAN NOT be listed from AndroidCAStore, I have tried it. AndroidCAStore only list trusted entries. – Mellon Nov 17 '16 at 13:12
  • I have checked it with a real certificate on both 6 & 7. In Android 6, the intermediate certificates and root CA are installed in AndroidCAStore (not the leaf), but in Android 7, they are not. You can see the certificate installed in `Settings-->Security-->User credential`, but the root CA is not installed in `AndroidCAStore`. You have to install it manually. I have exported the public certificate as `.cer` from the `.pfx` and installed it, and then it is shown. – pedrofb Nov 17 '16 at 13:40
  • Are you using a self-signed certificate? – pedrofb Nov 17 '16 at 16:17
  • @pedrofb, I am using a self-signed certificate. What you found is exactly the same as what I found. I am not sure why we discuss this which we both understand the same way. My question is how to programmatically check my self-signed certificate is installed in `Settings-->Security-->User credentials`. It seems there is no official API to do that. That's why I post this question. – Mellon Nov 17 '16 at 22:45
  • I was lost with the difference between 6 and 7. But with a self-signed certificate I understand it now. When installing a p12 in 7, the root CA (the certificate itself) is not installed as trusted, as it is in 6. – pedrofb Nov 18 '16 at 06:49
  • @pedrofb, yes, let's see if anyone can suggest a workaround or solution to access `Settings-->Security-->User credentials` programmatically. – Mellon Nov 18 '16 at 16:08
  • Match if alias name contains "user" string, if yes then you can list those as user-added credentials. – Tushar Bapte Sep 14 '21 at 12:36
  • Did you find any answer ? – Neeraj Goel Nov 11 '22 at 12:29

2 Answers

11

To provide a more consistent and more secure experience across the Android ecosystem, beginning with Android Nougat, compatible devices trust only the standardized system CAs maintained in AOSP.

Previously, the set of pre-installed CAs bundled with the system could vary from device to device. This could lead to compatibility issues when some devices did not include CAs that apps needed for connections as well as potential security issues if CAs that did not meet our security requirements were included on some devices.

First, be sure that your CA needs to be included in the system. The preinstalled CAs are only for CAs that meet our security requirements because they affect the secure connections of most apps on the device. If you need to add a CA for connecting to hosts that use that CA, you should instead customize your apps and services that connect to those hosts. For more information, see Customizing trusted CAs.

In the above link you can find all the necessary information for trusting custom CAs with different needs, like:

  1. Trusting custom CAs for debugging
  2. Trusting custom CAs for a domain
  3. Trusting user-added CAs for some domains
  4. Trusting user-added CAs for all domains except some
  5. Trusting user-added CAs for all secure connections

So, basically, you need to add a Security Configuration file and configure a custom CA (for Android 7.0 (API level 24) and higher).

In your manifest.xml:

<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                    ... >
        ...
    </application>
</manifest>

In res/xml/network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>

Just for information: if you operate a CA that you believe should be included in Android, first complete the Mozilla CA Inclusion Process and then file a feature request against Android to have the CA added to the standardized set of system CAs.

Let me know for any further help.

Hope this will help you. Keep Coding!!!

Pravin Divraniya
  • Two questions: 1. For my app, I need to install my own root certificate into trusted storage in Android 7. Are you saying the Mozilla CA Inclusion Process is a must-do process in order to have my root certificate trusted by Android 7? – Mellon Nov 24 '16 at 22:00
  • 2. What is `example.com`, do I have to put this? What is this subdomain? I mean I know I have a root certificate to install to trust storage, but where I get the subdomain? – Mellon Nov 24 '16 at 22:02
  • 1) The Mozilla CA inclusion process is not a must; it is just required if you want your CA in the trusted credentials list in Android 7.0 and above. – Pravin Divraniya Nov 25 '16 at 03:55
  • 2) This is your domain and the subdomains to which you want to make a secure connection. If you want your custom CA to be trusted for all domains, then check #5 'Trusting user-added CAs for all secure connections' in this link. http://android-developers.blogspot.in/2016/07/changes-to-trusted-certificate.html?m=1 – Pravin Divraniya Nov 25 '16 at 04:08
  • I still want to ask the Mozilla CA inclusion process. So, as you said "it is just required if you want your CA in trusted credentials list in Android 7.0 and above", there are two sub-lists in trusted credentials list, "System trusted" list & "User trusted" list, which list requires the Mozilla CA inclusion process? Both? I think I need my CA to be installed to the Settings-->Security--> trusted credentials (Users tab), I mean user trusted list. – Mellon Nov 25 '16 at 10:10
  • As per documentation Mozilla CA inclusion process is required to add CA in standardized set of system CAs, so it will be for 'trusted' list. For 'User trusted' list I think when you add your certificate in 'network_security_config' you might see it in 'User trusted'(I didn't check it). – Pravin Divraniya Nov 25 '16 at 10:31
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/129051/discussion-between-pravin-d-and-mellon). – Pravin Divraniya Nov 25 '16 at 14:25
6

In addition to changing how to configure the CA (@Pravin D's answer), Android has changed the way a PKCS#12 certificate is loaded from 6 to 7. I highlight the important elements:

When importing a pkcs12, is the root CA imported as trusted?

  • Android 6: Yes
  • Android 7: No

Where can I see the trusted credentials?

  • Android 6: Settings ---> Security-->Trusted credentials (system & user)
  • Android 7: Settings ---> Security-->Trusted credentials (system & user tab)

How to install user credentials?

  • Android 6: pkcs#12 file, certificate file, programmatically
  • Android 7: pkcs#12 file (without private keys), certificate file, programmatically, custom CA configuration (@Pravin D's answer)

Where can I see the user credentials (private keys)?

  • Android 6: not available from settings
  • Android 7: Settings-->Security-->User credentials

Is it possible to list user credentials programmatically?

  • Android 6: No
  • Android 7: No

Reviewing the Android code in depth, the internal Android Keystore is wilfully hidden and only usable from Android core classes. It is not possible to implement a workaround to list user credentials.

pedrofb
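As an added example serving both answers above (it is not code from the question or from either answer): a small Java helper for Android 7+ that enumerates the AndroidCAStore by its alias prefix (the `system:`/`user:` prefix convention is an assumption taken from AOSP's TrustedCertificateStore and from the comment thread), checks whether a given certificate is present as a user trust anchor, and, more usefully, asks the platform's default trust manager, which on API 24+ applies the app's Network Security Configuration, whether a chain would be accepted for a host. That last call is the check that actually answers "does my app trust this certificate?", independent of which Settings screen the certificate appears in. The class name `TrustInspector` and all method names are mine. The final method shows the only sanctioned route to the private keys listed under User credentials: `KeyChain`, which needs the user to pick an alias first and cannot enumerate them.

```java
// Added example, not from the original page. Assumes API 24+ and that the
// app ships its own res/xml/network_security_config.xml; this code only
// inspects trust, it does not change the configuration.
import android.content.Context;
import android.net.http.X509TrustManagerExtensions;
import android.security.KeyChain;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustInspector {
    // Assumption (AOSP TrustedCertificateStore): aliases look like
    // "system:<subjecthash>.<n>" for the system store and "user:<subjecthash>.<n>"
    // for CAs the user installed under Trusted credentials > User.
    private static final String USER_PREFIX = "user:";
    private static final String SYSTEM_PREFIX = "system:";

    public static final class TrustedCas {
        public final List<X509Certificate> system = new ArrayList<>();
        public final List<X509Certificate> user = new ArrayList<>();
    }

    /** Enumerates Settings > Security > Trusted credentials (both tabs). */
    public static TrustedCas listTrustedCas() throws Exception {
        KeyStore store = KeyStore.getInstance("AndroidCAStore");
        store.load(null, null); // required before aliases()/getCertificate()
        TrustedCas result = new TrustedCas();
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) store.getCertificate(alias);
            if (cert == null) continue;
            if (alias.startsWith(USER_PREFIX)) {
                result.user.add(cert);
            } else if (alias.startsWith(SYSTEM_PREFIX)) {
                result.system.add(cert);
            }
        }
        return result;
    }

    /** True if this exact certificate is installed as a user trust anchor. */
    public static boolean isUserTrustAnchor(X509Certificate wanted) throws Exception {
        byte[] encoded = wanted.getEncoded();
        for (X509Certificate c : listTrustedCas().user) {
            if (Arrays.equals(encoded, c.getEncoded())) return true;
        }
        return false;
    }

    /**
     * Asks the platform's default trust manager whether it would accept this
     * chain for the given host. On API 24+ that trust manager enforces the
     * app's Network Security Configuration (base-config, domain-config, pins),
     * so a user-installed CA is accepted only if the config says
     * <certificates src="user"/> for that host. authType is the TLS key
     * exchange name the socket would report, e.g. "RSA" or "ECDHE_ECDSA".
     */
    public static boolean isTrustedForHost(X509Certificate[] chain, String authType, String host) {
        try {
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null = platform default, NSC-aware on API 24+
            X509TrustManager x509 = null;
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) { x509 = (X509TrustManager) tm; break; }
            }
            if (x509 == null) return false;
            // The hostname-aware check is mandatory once the config contains a
            // <domain-config>; the two-argument checkServerTrusted then throws.
            new X509TrustManagerExtensions(x509).checkServerTrusted(chain, authType, host);
            return true;
        } catch (CertificateException e) {
            return false; // untrusted anchor, pin mismatch, expiry, name mismatch, ...
        } catch (Exception e) {
            return false; // no suitable trust manager available
        }
    }

    /**
     * The private keys under Settings > Security > User credentials cannot be
     * listed. The user must pick one through KeyChain.choosePrivateKeyAlias();
     * with the alias delivered to that callback the app can fetch the chain
     * (and KeyChain.getPrivateKey() for the key). Call off the main thread.
     */
    public static X509Certificate[] certificateChainForAlias(Context ctx, String alias) throws Exception {
        return KeyChain.getCertificateChain(ctx, alias);
    }
}
```

A useful diagnostic for the situation in the question: if `isUserTrustAnchor` reports the self-signed certificate present but `isTrustedForHost` still returns false, the certificate is installed but the app's configuration excludes user CAs; on API 24+ the default config trusts only system CAs, so the relevant `<trust-anchors>` element needs `<certificates src="user"/>` (cases 3 to 5 in the first answer). If `isUserTrustAnchor` is false, the PKCS#12 import did not install the certificate as a trust anchor at all, which is the Android 7 behaviour pedrofb describes, and the `.cer` must be installed separately.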