Badly configured root certificates on an Android device can lead to device hacks, broken apps, and non-functioning services. It's necessary to be able to securely install root certificates on Android and also to update them so that apps continue to work and your device remains secure.
In this guide, we'll define what Android trusted root certificates are, how to install root certificates on Android, and how to update them.
What are root certificates?
To communicate securely over a network, a device must do more than encrypt the traffic: it must also confirm that it is talking to the server it intended to reach. A client device does this by inspecting the server's security certificate.
The server's certificate contains:
✔️ The server's public key
✔️ The server's identity
✔️ Info about the Certificate Authority that issued the certificate
A server (or domain) receives its certificate from a Certificate Authority (CA)—an organization entrusted to validate the identity of the entities it issues certificates to. That CA is either a root Certificate Authority (the top of the chain) or an intermediate CA. Every intermediate CA has a certificate signed by a CA above it; the CA at the top is the root authority.
Client devices cannot, on their own, establish whether the details in a certificate are true. For example, anyone can create a fraudulent certificate claiming to own the domain google.com. That's why devices must trust CAs, whose job it is to verify this information before issuing a certificate.
A device therefore holds a protected store of root certificates. These certificates come pre-bundled with the device and have been verified to originate from valid root Certificate Authorities.
For example, below is a screenshot of the Root CAs managed by the Chromium Project:
Image: Root Certificate Authorities
When a device receives the server's certificate, it checks that the certificate was signed by a valid CA, then checks that that CA's certificate was in turn signed by a valid CA, and so on up the chain until it reaches a root certificate. If that root certificate is present in the device's root store, the device trusts the server's certificate.
Important: On Android, installing a root certificate means that any certificate issued by that entity will be automatically trusted by the Android device.
For this reason, AOSP has traditionally made it somewhat difficult to install root certificates on Android manually.
What are root certificates on Android?
A root certificate on Android is a certificate that the device trusts fully. Any certificate whose chain ends at a certificate in the Android root store is automatically trusted.
Android root certificates list
Android's root certificates exist in the read-only partition /system/etc/security/cacerts.
Viewing the installed root certificates on Android depends on the Android version you're using. Generally, the procedure is as follows:
- Open Settings.
- Click Security. If you can't find security, search for "Encryption and Credentials."
- Click Encryption and Credentials.
- Click "Trusted Credentials."
This will show you a list of installed root certificates on Android for your specific device.
Image: List of installed root certificates on Android
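The chain check described above and the system root directory just mentioned, as an added example that is not part of the original article: a POSIX shell script that uses the openssl command-line tool (assumed installed, OpenSSL 1.1.1 or newer) to build a constructed root -> intermediate -> server chain, verify it the way a client does, show two ways verification fails, and compute the file name Android would give that root under /system/etc/security/cacerts (Android names each system root file by the certificate's old-style subject hash followed by ".0"). All subject names and the hostname are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: build a constructed
# root -> intermediate -> server chain with the openssl CLI (assumed to be
# OpenSSL 1.1.1 or newer), verify it the way a TLS client does, and compute
# the file name Android uses for a root in /system/etc/security/cacerts.
# All subject names and the hostname below are constructed for this demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate. Usage: issue NAME SUBJECT EXTFILE [ISSUER]
# Without ISSUER the certificate is self-signed, which is what a root CA is.
issue() {
    name=$1; subj=$2; ext=$3; issuer=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "$subj" >/dev/null 2>&1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 3650 -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 825 \
            -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# Two roots (ours and an unrelated one), one intermediate, one server leaf.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/inter.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:device.example.test\n' > "$WORK/leaf.ext"
    issue root  "/CN=Demo Root CA"         "$WORK/ca.ext"
    issue other "/CN=Unrelated Root CA"    "$WORK/ca.ext"
    issue inter "/CN=Demo Intermediate CA" "$WORK/inter.ext" root
    issue leaf  "/CN=device.example.test"  "$WORK/leaf.ext"  inter
}

# Client-side check: the leaf must chain, through the intermediate the server
# presents, to a root that is in the trust store. Prints OK or FAIL.
# $1 = trust store file (the "root store"), $2 = "with" or "without" the intermediate
verify_leaf() {
    if [ "$2" = with ]; then
        openssl verify -CAfile "$1" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" \
            >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

# Android stores each system root as <subject_hash_old>.0 under
# /system/etc/security/cacerts; this prints the name the demo root would get.
android_cacert_name() {
    printf '%s.0\n' "$(openssl x509 -in "$WORK/root.pem" -noout -subject_hash_old)"
}

build_chain
echo "chain complete, root in store:     $(verify_leaf "$WORK/root.pem" with)"
echo "intermediate not sent by server:   $(verify_leaf "$WORK/root.pem" without)"
echo "root missing from store:           $(verify_leaf "$WORK/other.pem" with)"
echo "Android file name for the root:    $(android_cacert_name)"
```

Run it as `sh chain_demo.sh`. The first check prints OK. The second prints FAIL because the server did not present the intermediate that links its certificate to the root, a common server misconfiguration. The third prints FAIL because the trust store holds a different root, which is also the situation after you disable a CA under Trusted Credentials: every service whose chain ends at that root stops working, which is why Android warns so loudly about changes to the root store.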
Android install root certificate: How to do it
Installing a root certificate on Android that doesn't come from a trusted CA can open the door to malware. But sometimes you need to install root CA certificates on Android for testing purposes.
The steps to install a root certificate on Android depend on the version of Android you're using.
After downloading the certificate you want to install, navigate to "Encryption and Credentials," then click on "Install a certificate."
Click "CA Certificate." Google shows the following ominous warning:
Image: Warning when installing root certificates on Android
Click "Install anyway," navigate to where you saved the certificate, and select it.
Installing a root certificate on Android this way puts it into the user certificate store rather than the system certificate store. To install root certificates into the system store, you need to root your device.
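The distinction between the user and system stores matters for app developers: since Android 7.0 (API 24), an app trusts only the system store by default and must opt into user-installed CAs through its Network Security Configuration. The following is an added example, not from the original article, of such a configuration file, `res/xml/network_security_config.xml`. It keeps the system store in release builds, bundles a company CA inside the app so that it never has to be installed device-wide, and trusts the user store only in debug builds. `my_company_ca` is a constructed resource name.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the article).
     Referenced from AndroidManifest.xml with
     <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Requires Android 7.0 (API 24) or newer. -->
<network-security-config>
    <!-- Release behaviour: the read-only system root store, plus the company's
         own CA shipped inside the APK as res/raw/my_company_ca.pem (constructed
         name; PEM or DER). No device-wide install of that CA is needed. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="@raw/my_company_ca" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when the app is debuggable (android:debuggable="true"):
         additionally trust CAs a tester installed through
         Settings -> Encryption and Credentials, i.e. the user store.
         Ignored in release builds, so a user-installed CA never affects
         production traffic. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

This is why a test CA installed through Settings will intercept traffic from a debug build of your own app and from browsers, but not from most production apps: they never opted into the user store.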
Updating trusted root certificates on Android
Before Android 14, it was impossible to update root certificates on Android without an over-the-air software update. This poses a risk for users because they have to wait for the OEM to push an update before any root certificates that might be expiring can be replaced.
It's rare that a CA loses its esteemed position of trust, but it can happen, such as when TrustCor was found to have corporate ties to several spyware companies. In such a case, it's necessary to update trusted root certificates on Android.
As of Android 14, it's possible to update trusted root certificates on Android via Google Play, but this still doesn't answer how users can update root certificates themselves. Usually the only way to update certificates is by rooting the device.
The other problem from an enterprise perspective is that companies often use custom Android ROMs to build their products or power their IoT devices. These Custom ROMs almost always lack Google Mobile Services, so they don't have the Google Play Store available, although they do tend to have root access. When taking care of bigger fleets of devices, the manual effort to update all the certificates is tremendous.
Updating these certificates remotely would be ideal but is not available due to the missing GMS Certification.
How to remove root certificates on Android
It's not possible to delete system root certificates, but you can disable them in Settings -> Encryption and Credentials -> CA Certificates. Just toggle the On/Off switch to Off for Android to stop trusting that CA certificate.
How root certificates work with emteria
Emteria.OS provides a simple way to install, update, or delete root certificates remotely.
For devices running emteria.OS, an enterprise-ready version of Android, fleet managers can update root certificates using emteria's Device Hub. The Device Hub is a browser-based Android device manager that lets you remotely update IoT devices and also to fully manage root certificates.
Installing root certificates on Android through the emteria Device Hub means that you don't need to send personnel out to manually update devices. Fleet managers can update devices using simple commands through the browser-based Device Hub interface.
Contact us today to learn more about how emteria enables enterprises to easily manage remote devices.
Frequently asked questions
How do I install a root certificate?
To install root certificates on Android, visit Settings and click on "Encryption and Credentials." Once there, you can install certificates to the user store. You can also install certificates remotely if you use emteria.OS, an enterprise version of Android.
Where to download root certificates?
Root certificates from known Certificate Authorities come preinstalled on your device. To install a company-specific certificate, you would typically create a self-signed certificate using a self-signing tool you're familiar with and then copy it to the device you want to install it on.
How do I manually install a certificate?
If you use emteria.OS, you can install root certificates on Android through emteria's browser-based Device Hub. To install root certificates on other non-rooted devices, you need to manually go through Settings and then click Encryption and Credentials. Then click "Install a certificate."
How to install a root certificate in an Android emulator?
Installing root certificates on Android emulators follows the same procedure as installing a root certificate on a physical Android device. Navigate to Settings -> Encryption and Credentials -> Install a Certificate, accept any warnings, then install your certificate by navigating to where the certificate is located.