How do I install a user certificate?

I have my own Root certificate that signs user certificates. I have a site that will only allow you on with a user certificate which is signed by the root ca. I have managed to get this site working in Ios and Windows, but just can't get it working from Android (4.2.2) I have tried many different methods of importing the certificate including converting between formats - I get as far as it being recognised and "installing", but, it never actually seems to get installed or be visible anywhere (checked under trusted credentials > user). I have read here and the only solutions seem to involve downloading/modifying files and reuploading then restarting - or to have modified firmware/similar. I really want a supported way of doing this and don't really want to consider a hack as I need a scalable solution.

asked Nov 29, 2013 at 14:53 William Hilsum William Hilsum 331 1 1 gold badge 2 2 silver badges 4 4 bronze badges

Welcome to Android Enthusiasts! Have you had a chance to see How to install a web certificate on an Android Device? While the question is old, the top answer is still valid for Android 4.4.

Commented Nov 29, 2013 at 15:18

Hi, Yes I did. on a HTC device, it asks if I want to use it as a "VPN or (can't remember) certificate" or "Wireless Certificate", then says it is installed but does nothing. On a Samsung phone, I get no options after installing/it saying it has been installed and then again, nothing happens.

Commented Nov 29, 2013 at 15:37

@dotVezz That question is about installing a web server's certificate. Mr Hilsum is asking about using a client certificate to authenticate to a server.

Commented Nov 29, 2013 at 15:44

What happens when you try to visit the site? In Chrome >= 27.0.1453.49, it should prompt you to select the certificate when the web server asks for that authentication method. Firefox doesn't support this.

Commented Nov 29, 2013 at 15:56

@Dave You need to ask a new question to see if anyone knows. Adding a question in the comments means most people who can answer won't see it.

Commented Jan 20, 2016 at 23:55

3 Answers 3

I spent a lot of time trying to find an answer to this (I need Android to see StartSSL certificates). Conclusion: Android 2.1 and 2.2 allow you to import certificates, but only for use with WiFi and VPN. There is no user interface for updating the list of trusted root certificates, but there is discussion about adding that feature. It’s unclear whether there is a reliable workaround for manually updating and replacing the cacerts.bks file.

Details and links: http://www.mcbsys.com/techblog/2010/12/android-certificates/. In that post, see the link to Android bug 11231 --you might want to add your vote and query to that bug.

11231 was closed in November of 2011 and the status was Released for Android 4.0 ICS.

Here are the notes associated with the Released status:

system certificate authorities (CAs) are now visible in Settings > Security > Trusted Credentials.
system CAs can now be disabled and reenabled
users can install their own CAs from Settings > Security (as well as other mechanisms such as via browser or opening from email attachment.
user CAs can be viewed and deleted in Settings > Security > Trusted Credentials
instead of a separate 8 character PIN for credential storage, access is now controlled via the lock screen

KeyChain.createInstallIntent allows applications to request credential installation in, basically making public the interface used by Settings to request installation. users need to confirm installation requests as before.
KeyChain.choosePrivateKeyAlias/getPrivateKey/getCertificateChain allow applications to request private keys and their associated certificates for application use. a common use case would be for client certificate authentication with https.

Email now uses the KeyChain API to allow client certificate authentication for Exchange accounts

Browser will now use the KeyChain to prompt for a client certificate when the server requests one for authentication.

In March 2014, an enhancement request was created Allow users to install own CA certificates.

Many users (including companies) use self-signed certificates for SSL/TLS, either because they don't want to pay for it or because they just don't trust other companies and want to do it themselves (actually, there's no reason to buy a certificate when it's not required that anonymous Internet users trust your server).

At the moment, it's possible install a custom CA certificate in Android, but it's detected as "user certificate" which seems to be intended for client-side certificates. As a result, these certs are shown as "user certificates" in the GUI and since Android 4.4, a terrible "Network may be monitored" has been implemented.