top | item 37392328

(no title)

ZeWaren | 2 years ago

I have a private PKI I use to connect to my self-hosted software: email server, calendar provider, notes server, photo sync tool, etc.

I NEED to be able to add my root cert to the list of certified authorities.

I don't need to change anything to the system provided list. I just need to add mine. It's my device, I'd like to be able to change anything if I want to.

discuss

agwa|2 years ago

You can install your own CA certificate in the user certificate store, and it will be trusted by Chrome and any other app which opts into user-installed CAs, which should include email and calendar apps.

What is unlikely to work is installing your own CA and using it to intercept traffic between apps and the app-makers' servers. That sucks - you should be able to inspect what your own device is doing - but your use case of using a private PKI for your self-hosted software is definitely supported.

Brian_K_White|2 years ago

You should also have the final say in what is NOT trusted. Not merely adding a cert to trust.

charcircuit|2 years ago

>That sucks

It's insecure. If you are a bank app you doesn't want other people to be able to steal the users password by installing a new certificate.

gh02t|2 years ago

Same for me, but don't a lot of corporate IT policies deploy root certificates to devices too? You'd think there has to be a way to do it.

jeroenhd|2 years ago

User certificates still work fine. Apps have to opt into the user CA store (many of them don't) but any app deployed by IT should be fine. Chrome works, Firefox can be made to work, and I believe the Gmail app also works with user CA certificates.

8organicbits|2 years ago

One alternative is to use public CAs on your private networks. I've been working on tooling for this at getlocalcert [1]. Side stepping the need to add a trust root makes the public on private approach a net win for some networks. I honestly wasn't expecting Android to block private CAs, but I guess here we are.

[1] https://www.getlocalcert.net/

Hackbraten|2 years ago

That looks super convenient! However, some reverse engineering tasks would still require root CA certificates, for example observing app traffic.

severino|2 years ago

I was also confused about that. I don't use an Android phone currently, but I remember you could add your own CA certificates to an Android phone -without being root, just using some option under settings- and at least applications like the web browser would trust them. And I'm not talking about long ago. So I couldn't understand if the need of rooting your device to install custom certificates was for something different.

jeroenhd|2 years ago

On Android 7, Google changed the defaults for certificates. Previously, apps trusted system certificates and user certificates unless they opted out. On Android 7, apps have to opt into trusting then user certificate store.

Browsers opt in, or in the case of Firefox, can be configured through hidden settings to opt in. Many other apps don't, though.

If you're trying to intercept traffic or use apps that should opt in but don't, the system store could be altered with root access so that these apps still trusted the certificates you're trying to inject. However, most apps worth their salt implement certificate pinning, so that's hardly reliable anymore. It's Arnold workaround that works on some apps but not on most.

Furthermore, Google Chrome and derivatives require certificates to be logged publicly so malicious CAs can't mess with random domains. Your private CA isn't logged in the public record, so adding the certificate to the system store actually breaks HTTPS for many browsers. You can add the cert to both stores to make it work, but it's kind of a hack.

On iOS loading certificates is easier, but you'll still need to work around certificate pinning if you want to intercept HTTPS traffic.