Install CA on Android

Android handles user-installed CAs very differently from iOS. The certificate format is different (DER, not PEM), the trust store is split into a user store and a system store, and — most importantly — since Android 7 (Nougat), apps opt out of trusting user-installed CAs by default.

That last point is what trips up most people. You can install the CA, see it listed in Settings, and still not be able to inspect any third-party app’s traffic. Read the User store vs system store section below before you commit to a path.

The phone must be on the same Wi-Fi as the host running Probe, and Probe must be running.

Install into the user store

This is the path available on every Android device, no root required.

1. On the phone, open Chrome (the system download flow handles Chrome cleanly; some other browsers also work, but Chrome is the path of least resistance).

2. Visit Probe’s CA download URL:

   http://<probe-host>:9098/download/android

   That endpoint serves a DER-encoded .cer, which is the format the Android certificate installer expects. PEM downloads from /download/cert.pem will not be accepted.

3. Chrome downloads probe_ca.cer. Tap the download notification, or open it from Files.

4. Some Android versions hand the file to the certificate installer directly. If yours doesn’t, open Settings and navigate to:

   • Settings → Security → Encryption & credentials → Install a certificate → CA certificate, or on some OEM skins
   • Settings → Security & privacy → More security settings → Encryption & credentials → Install a certificate → CA certificate.

5. Android shows a warning screen titled “Your data won’t be private”. This is the standard CA-install warning. Tap Install anyway.

6. The system file picker opens. Select the probe_ca.cer file from your Downloads folder.

7. The phone confirms “CA certificate installed”. The CA is now in the user trust store.

You can confirm it’s there at any time under Settings → Security → Encryption & credentials → Trusted credentials → User.

User store vs system store

The Network Security Config gotcha

On Android 7 (API 24) and later, every app ships with a default policy that says “trust system CAs only, ignore user-installed CAs.” This is enforced by the OS, not by individual apps. A CA in the user store is genuinely trusted by Chrome and a few other apps that explicitly opt in — but the typical native app you want to debug will simply ignore it.

Symptom: the phone’s browser works fine through Probe, but your app shows certificate errors or fails network calls silently.

You have three options. Pick based on what you control.

Option 1: User store + Network Security Config (development build)

If you’re debugging an app you build yourself, add a network_security_config.xml to the project that opts the app into trusting user-installed CAs:

res/xml/network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>

Reference it from AndroidManifest.xml:

<application
    android:networkSecurityConfig="@xml/network_security_config"
    ... >

<debug-overrides> only takes effect in debug builds (android:debuggable="true"), so this can’t accidentally weaken your release APK. Rebuild, install the debug APK, and the app will now trust the Probe CA from the user store.

For release-build debugging without root, use a <base-config> block instead — but be sure to remove it before shipping.

Option 2: System store (rooted or userdebug device)

CAs in the system store are trusted by every app on the device, no network_security_config.xml required. The catch is that the system store lives on a read-only partition; you can only write to it on a rooted phone or an Android emulator running a userdebug/-writable system image.

Magisk module

The cleanest path on a rooted device is the Move Certificates Magisk module (or equivalent), which copies user CAs into the system store on boot. Install the CA into the user store as above, then enable the module and reboot.

Emulator (writable system)

On Android Studio’s emulator, start the emulator with a writable system image, then push the cert to the right path. The system store expects the PEM form, not the DER .cer you downloaded for the user-store install — grab it from /download/cert.pem or convert with openssl x509 -inform DER -in probe_ca.cer -out probe_ca.pem.

# Start the emulator with -writable-system
emulator -avd Pixel_API_34 -writable-system

# Compute the cert hash filename Android expects
HASH=$(openssl x509 -inform PEM -subject_hash_old -in probe_ca.pem | head -1)

# Push it into the system trust store
adb root
adb remount
adb push probe_ca.pem /system/etc/security/cacerts/$HASH.0
adb shell chmod 644 /system/etc/security/cacerts/$HASH.0
adb reboot

After reboot, the cert appears under Settings → Security → Trusted credentials → System, and every app trusts it.

Root and userdebug only

You cannot push to /system/etc/security/cacerts/ on a stock retail device. Attempts to do so via adb push will fail with a read-only filesystem error. Don’t waste time looking for a workaround that doesn’t involve root or a custom system image — there isn’t one.

Option 3: Use a debug-only build flag

Some apps already include a network config that trusts user CAs in debug builds. Check the project’s network_security_config.xml before assuming you need to add one. If your team already has a debug variant configured for proxy debugging, install your debug APK on the device and skip the work above.

Verify it works

1. Make sure the phone’s Wi-Fi proxy points at Probe — see Mobile Setup.

2. In Probe, click Start.

3. On the phone, open Chrome and visit:

   https://example.com

4. In Probe, the request should appear with full headers and HTML body. If Chrome works but your app doesn’t, the CA install is fine — it’s the Network Security Config issue described above.

Troubleshooting

The certificate installer says “this certificate cannot be installed”. You downloaded the PEM version. Re-download from /download/android to get the DER format Android requires.

Chrome works, but my app shows TLS errors. Network Security Config. The app does not trust user-installed CAs. Either ship a debug build with the override XML above, or move the CA into the system store on a rooted device.

The CA installed but doesn’t appear under Trusted credentials. Check both User and System tabs at Settings → Security → Encryption & credentials → Trusted credentials. If it’s truly missing, re-run the install and watch for any error toast.

Settings location is different on my OEM skin. Samsung One UI, MIUI, ColorOS, and OxygenOS all move the CA install option around. Use the system search in Settings: search for “CA certificate” or “Install a certificate” and the right entry surfaces.

Removing the CA. Settings → Security → Encryption & credentials → User credentials, tap the entry, and remove. Or Clear credentials in the same screen wipes every user-installed CA at once.

Next steps

Mobile Setup Configure the Android Wi-Fi proxy.

Capture your first request Verify traffic flows end-to-end.