Installing the root CA on Android

The root CA must be installed on the client device to ensure that the client trusts server certificates that are signed by your private CAs.

About this task

To establish trust for your server certificate, you must install the trust anchor certificate (root CA) on the client device.

Note: Only the root CA certificate (trust anchor) must be installed. You do not need to install any other certificates, such as intermediate CA certificates, on the device.


  1. Ensure that the root CA is in PEM or DER file format and has a .crt file extension. Convert as needed.
  2. Run the following command to view the certificate details.
    openssl x509 -in certificate.crt -text -noout
  3. Ensure that the certificate is an X.509 v3 certificate. The certificate details must show Version 3.
    Note: The following openssl flag generates X.509 v3 certificates:
    -reqexts v3_req
  4. Ensure that the certificate is a certificate authority. The certificate details must show X509v3 Basic Constraints: CA:TRUE
    Note: The following openssl flag generates the CA extension:
    -extensions v3_ca
  5. To download the certificate file on the device, send it as an email attachment or host it on a secure website.
    Note: Do not install the server certificate by accessing the protected resource directly from your browser. This action imports the certificate only into the browser space and not into the device system truststore.
  6. After you have the file on the device, click the file to allow the Android system to install the certificate.
  7. Provide an alias name for the certificate when you are prompted.
  8. Check that the certificate was properly installed under Settings > Security > Trusted Credentials > User.
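
The checks in steps 1 to 4 can be scripted so that a file is rejected before it is sent to a device. The following is an added example, not part of the original documentation: the helper names (cert_text, check_root_ca, make_samples) are hypothetical, the sample certificates are constructed throwaway ones, and only the openssl CLI is assumed.

```shell
# Added example: pre-flight check of a root CA file before it goes to an Android device.
# cert_text, check_root_ca and make_samples are hypothetical helper names.

# Print the certificate details, accepting either PEM or DER encoding.
cert_text() {
    openssl x509 -in "$1" -inform PEM -text -noout 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -text -noout 2>/dev/null
}

# Return 0 only if the file is named .crt, parses, is X.509 v3 and is a CA.
check_root_ca() {
    case "$1" in
        *.crt) ;;
        *) echo "FAIL: no .crt extension: $1" >&2; return 1 ;;
    esac
    text=$(cert_text "$1") || { echo "FAIL: not a PEM or DER certificate: $1" >&2; return 2; }
    case "$text" in
        *"Version: 3 "*) ;;
        *) echo "FAIL: not X.509 v3: $1" >&2; return 3 ;;
    esac
    case "$text" in
        *CA:TRUE*) ;;
        *) echo "FAIL: Basic Constraints lacks CA:TRUE: $1" >&2; return 4 ;;
    esac
    echo "OK: X.509 v3 CA certificate: $1"
}

# Constructed sample input: a throwaway root CA (PEM and DER) and a non-CA certificate.
make_samples() {
    cat > "$1/sample.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Sample Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/sample.cnf" \
        -extensions v3_ca -keyout "$1/ca.key" -out "$1/rootca.crt" 2>/dev/null
    openssl x509 -in "$1/rootca.crt" -outform DER -out "$1/rootca-der.crt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/sample.cnf" \
        -extensions v3_leaf -keyout "$1/leaf.key" -out "$1/leaf.crt" 2>/dev/null
}

if [ "$#" -gt 0 ]; then check_root_ca "$1"; fi
```

A nonzero exit code identifies which step failed: 1 for the file extension, 2 for the encoding, 3 for the version, 4 for the CA flag.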