📱 Installing a Certificate into Android's System Trust Store (Root Required)

Vijith

Are you trying to intercept HTTPS traffic on Android using tools like Burp Suite or Charles Proxy, but facing SSL certificate issues or pinning? Here's a simple guide to help you import and install a custom certificate (like Burp’s CA cert) into your Android system — step by step.

⚠️ This requires root access on the Android device and is intended for testing purposes only. Do this on a rooted test device or emulator.


🔧 Why Install a Certificate?

By default, Android doesn't trust self-signed or custom certificates. To make the device trust your proxy tool (e.g., Burp Suite), you need to install its CA certificate into the system trusted certificate store, not just the user store. That’s because, since Android 7, apps ignore user-installed certs by default, and apps that do SSL pinning go further and ignore system certs as well.


🛠️ What You Need

  • A rooted Android device or emulator

  • A self-signed certificate (e.g., Burp’s cacert.der)

  • adb installed and configured

  • openssl installed (comes with most Linux/macOS; use Git Bash on Windows)


✅ Step-by-Step Guide

Step 1: Convert the Certificate from DER to PEM

openssl x509 -inform DER -in cacert.der -out cacert.pem

Step 2: Generate the Subject Hash

openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1

(Adding -noout prints only the hash line, so head -1 is then unnecessary.) Android looks up system CAs by the old-style OpenSSL subject hash, so rename the PEM file to <hash>.0, replacing abcd1234 below with the eight hex characters the command printed:

mv cacert.pem abcd1234.0

Step 3: Push the Certificate to Your Android Device

adb push abcd1234.0 /sdcard/

Step 4: Remount the System Partition

adb shell
su
mount -o rw,remount /system

Note: on Android 10 and later /system is part of a read-only system-as-root image, so this remount usually fails with "Read-only file system"; on those versions use an emulator started with -writable-system, or a Magisk module that overlays the cacerts directory. On Android 14 and later the system CA store has moved into the Conscrypt APEX module, so a file placed in /system/etc/security/cacerts is no longer consulted at all.

Step 5: Move the Certificate to System CA Store

cp /sdcard/abcd1234.0 /system/etc/security/cacerts/

Step 6: Set Proper Permissions

chmod 644 /system/etc/security/cacerts/abcd1234.0
reboot

Before rebooting, check the file with ls -l /system/etc/security/cacerts/abcd1234.0: it should show -rw-r--r-- owned by root root, like the other files in that directory (use chown root:root if it does not).
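The six steps above as one script, added here as an example (it is not code from the original post). It derives the file name from the certificate instead of typing the hash by hand, and adds a post-reboot check. It assumes openssl and adb on PATH, a rooted device or emulator whose su binary accepts `su -c <command>`, and a /system that can be remounted read-write (Android 9 and earlier, or an emulator started with -writable-system); the script name android_ca.sh and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: the six steps as reusable
# shell functions, so the file name is derived from the certificate rather
# than typed by hand, and the result can be checked afterwards.
# Assumptions: openssl and adb on PATH; a rooted device or emulator whose
# su binary accepts "su -c <command>" and whose /system can be remounted
# read-write (Android 9 and earlier, or an emulator started with
# -writable-system).
set -eu

CACERTS_DIR=/system/etc/security/cacerts

# Steps 1 and 2: convert DER to PEM, compute the old-style OpenSSL subject
# hash, and rename the file to <hash>.0 as the system store expects.
# Prints the path of the prepared file.
prepare_android_cert() {
    der="$1"            # e.g. cacert.der exported from Burp
    outdir="${2:-.}"    # where to write <hash>.0 (default: current dir)
    pem="$outdir/prepared_cert.pem"
    openssl x509 -inform DER -in "$der" -out "$pem"
    # -noout suppresses the PEM body so only the 8-hex-digit hash is printed
    hash=$(openssl x509 -inform PEM -noout -subject_hash_old -in "$pem")
    mv "$pem" "$outdir/$hash.0"
    printf '%s\n' "$outdir/$hash.0"
}

# Steps 3 to 6: push the file, remount /system, copy it into the store with
# root ownership and mode 644, then reboot so the trust store is reloaded.
install_system_cert() {
    certfile="$1"
    name=$(basename "$certfile")
    adb push "$certfile" "/sdcard/$name"
    adb shell su -c "mount -o rw,remount /system && \
        cp /sdcard/$name $CACERTS_DIR/$name && \
        chown root:root $CACERTS_DIR/$name && \
        chmod 644 $CACERTS_DIR/$name"
    adb reboot
}

# Post-reboot check: the file must be present as -rw-r--r-- root root, and
# its subject should be the proxy CA you exported (exec-out keeps the
# certificate bytes raw so openssl can parse them).
verify_system_cert() {
    name="$1"
    adb shell su -c "ls -l $CACERTS_DIR/$name"
    adb exec-out su -c "cat $CACERTS_DIR/$name" | openssl x509 -noout -subject
}

# Stand-alone usage:
#   sh android_ca.sh prepare cacert.der        -> prints ./<hash>.0
#   sh android_ca.sh install ./<hash>.0
#   sh android_ca.sh verify  <hash>.0
if [ $# -gt 0 ]; then
    case "$1" in
        prepare) prepare_android_cert "$2" ;;
        install) install_system_cert "$2" ;;
        verify)  verify_system_cert "$2" ;;
        *) echo "usage: $0 prepare <cert.der> | install <hash.0> | verify <hash.0>" >&2; exit 2 ;;
    esac
fi
```

Only prepare_android_cert runs on the workstation; the other two functions need the device attached. If your su binary takes `su 0 <command>` instead of `su -c`, adjust the two adb calls accordingly.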

🎉 Done!

Now Android trusts your custom certificate at the system level. You should be able to intercept HTTPS traffic from most apps using tools like Burp Suite or Charles Proxy.


🔑 How SSL Certificate Trust Works on Android

  1. System Certificate Store
    When you install a certificate in /system/etc/security/cacerts/ (i.e., system CA store), Android treats it as trusted by the OS. So any app that relies on the system trust anchors (i.e., does not do pinning) will trust it automatically.

  2. User Certificate Store
    Certificates added via Settings → Security → Install from storage go into the user CA store. Since Android 7 (Nougat), apps don’t trust user certificates by default unless they opt in with a Network Security Config: android:networkSecurityConfig in the manifest pointing at a <network-security-config> resource whose <trust-anchors> include <certificates src="user"/>.

✅ When SSL Pinning Is Implemented Properly

If an app:

  • Uses libraries like TrustKit, OkHttp with CertificatePinner, or native code with SSLContext pinning.

  • Pins the public key or certificate fingerprint explicitly.

  • Validates certs inside the code logic and does not rely on Android’s default trust manager...

... then your interception will fail, even with a system-installed cert. You'll see SSL handshake failures or connection timeouts.

