# 📱 Installing a Certificate into Android's System Trust Store (Root Required)

Are you trying to intercept HTTPS traffic on Android using tools like Burp Suite or Charles Proxy, but facing SSL certificate issues or pinning? Here's a simple guide to help you import and install a custom certificate (like Burp’s CA cert) into your Android system — **step by step**.

⚠️ **This requires root access** on the Android device and is intended for **testing purposes only**. Do this on a rooted test device or emulator.

---

## 🔧 Why Install a Certificate?

By default, Android doesn't trust self-signed or custom certificates. To make the device trust your proxy tool (e.g., Burp Suite), you need to install its CA certificate into the **system trusted certificate store**, not just the user store. Since Android 7, apps ignore user-installed certs unless they explicitly opt in, and apps that pin their certificates reject the proxy cert no matter which store it sits in.

---

## 🛠️ What You Need

* A rooted Android device or emulator
* A self-signed certificate (e.g., Burp's `cacert.der`)
* `adb` installed and configured
* `openssl` installed (comes with most Linux/macOS; use Git Bash on Windows)

---

## ✅ Step-by-Step Guide

### Step 1: Convert the Certificate from DER to PEM

```bash
openssl x509 -inform DER -in cacert.der -out cacert.pem
```

---

### Step 2: Generate the Subject Hash

```bash
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
```

Rename the PEM file using the hash:

```bash
# Replace abcd1234 with the hash printed by the previous command
mv cacert.pem abcd1234.0
```

---

### Step 3: Push the Certificate to Your Android Device

```bash
adb push abcd1234.0 /sdcard/
```

---

### Step 4: Remount the System Partition

```bash
adb shell
su
mount -o rw,remount /system
```

On the Android emulator, boot the image with `-writable-system` and run `adb root` followed by `adb remount` instead of the `mount` command above. If the remount fails with a read-only error, that build's system partition cannot be written this way, and the following steps will not work.

---

### Step 5: Move the Certificate to System CA Store

```bash
cp /sdcard/abcd1234.0 /system/etc/security/cacerts/
```

---

### Step 6: Set Proper Permissions

```bash
chmod 644 /system/etc/security/cacerts/abcd1234.0
reboot
```
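
The six steps above as one script. This is an added example, not code from the original guide; it assumes `openssl` and `adb` are on the PATH, exactly one rooted device is visible to `adb`, and `/system` accepts `mount -o rw,remount`. It adds two checks the manual steps skip: the store file name gets a collision suffix instead of silently overwriting a CA that already has the same subject hash, and the script confirms the file landed in `/system` before rebooting.

```sh
#!/bin/sh
# Added example (not part of the original guide): Steps 1-6 as one script.
# Assumes: openssl and adb on PATH, one rooted device visible to adb, and a
# /system partition that accepts "mount -o rw,remount".
set -eu

SYSTEM_CACERTS=/system/etc/security/cacerts

# Android names each system CA file <subject_hash_old>.<n>: the 8 hex digit
# OpenSSL "old" subject hash plus a collision counter starting at 0.
# $1 = hash, $2 = space-separated names already in the store (may be empty).
ca_store_name() {
  local hash="$1" existing="${2:-}" n=0 name
  case "$hash" in
    [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
    *) echo "not an OpenSSL subject hash: '$hash'" >&2; return 1 ;;
  esac
  while :; do
    name="$hash.$n"
    case " $existing " in
      *" $name "*) n=$((n + 1)) ;;   # name taken: try the next suffix
      *) break ;;
    esac
  done
  printf '%s\n' "$name"
}

# Steps 1 and 2: DER -> PEM, then the hash Android indexes the store by.
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }
subject_hash() { openssl x509 -inform PEM -in "$1" -subject_hash_old -noout; }

# Steps 3-6 against the connected device. $1 = path to cacert.der
install_system_ca() {
  local der pem hash existing name
  der="$1"
  pem="${der%.*}.pem"
  der_to_pem "$der" "$pem"
  hash=$(subject_hash "$pem")
  # Look for a name clash before overwriting an existing trusted CA.
  existing=$(adb shell ls "$SYSTEM_CACERTS" | tr -d '\r' | tr '\n' ' ')
  name=$(ca_store_name "$hash" "$existing")
  adb push "$pem" "/sdcard/$name"
  # The remaining steps run in a root shell on the device. Feeding them via
  # adb shell's stdin avoids having quotes survive the adb boundary; set -e in
  # the root shell stops at the first failure (typically the remount).
  adb shell <<EOF
su
set -e
mount -o rw,remount /system
cp /sdcard/$name $SYSTEM_CACERTS/
chown root:root $SYSTEM_CACERTS/$name
chmod 644 $SYSTEM_CACERTS/$name
sync
exit
exit
EOF
  # Verify before rebooting: if /system was not writable, nothing was copied.
  if ! adb shell ls "$SYSTEM_CACERTS/$name" >/dev/null 2>&1; then
    echo "$name is not in $SYSTEM_CACERTS; /system was probably not writable" >&2
    return 1
  fi
  echo "installed as $SYSTEM_CACERTS/$name; rebooting"
  adb reboot
}

# After the reboot: confirm the file is still there with mode 644. $1 = name
verify_installed() {
  adb wait-for-device
  adb shell ls -l "$SYSTEM_CACERTS/$1"
}

if [ "$#" -gt 0 ]; then
  install_system_ca "$1"
fi
```

Run it as `sh install_ca.sh cacert.der`, then `verify_installed abcd1234.0` (with the name the script printed) once the device is back up.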

---

## 🎉 Done!

Now Android trusts your custom certificate at the system level. You should be able to intercept HTTPS traffic from most apps using tools like **Burp Suite** or **Charles Proxy**.

---

### 🔑 How SSL Certificate Trust Works on Android

1. **System Certificate Store**  
    When you install a certificate in `/system/etc/security/cacerts/` (the system CA store), Android treats it as **trusted by the OS**. Any app that **relies on the system trust anchors** (i.e., does not pin) trusts it automatically.

2. **User Certificate Store**  
    Certificates added via Settings → Security → Install from storage go into the **user CA store**. Since **Android 7 (Nougat)**, apps **don't trust user certificates by default**; an app has to opt in through its Network Security Configuration (the XML file referenced by `android:networkSecurityConfig` in the manifest).

### ✅ When SSL Pinning Does Work Properly

If an app:

* uses libraries like **TrustKit** or **OkHttp's `CertificatePinner`**, or does its own pinning with a custom `SSLContext`/`TrustManager` or in native code;
* pins the **public key** or **certificate fingerprint** explicitly;
* validates certs in its own code instead of relying on Android's default trust manager;

then **your interception will fail**, even with a system-installed cert. You'll see SSL handshake failures or connection timeouts.
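
The two stores and the pinning case above come together in an app's Network Security Configuration. The file below is an added example, not part of the original guide or of any particular app: it shows the default trust (system store only), a debug-only opt-in to the user store, and a pinned domain. The domain name, the two pin digests and the expiration date are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml:
     <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Added example; the domain, pins and date below are placeholders. -->
<network-security-config>
    <!-- Default for every connection: trust only the system store. This is
         the platform default since Android 7, so a CA installed into
         /system/etc/security/cacerts is trusted here and a user-installed
         one is not. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Only when android:debuggable="true": also trust user-installed CAs,
         so a test proxy works without touching /system. Release builds
         ignore this block entirely. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Pinning: connections to this domain must present a chain containing a
         certificate whose SubjectPublicKeyInfo SHA-256 digest matches a pin.
         A proxy CA added to /system is trusted by base-config but matches no
         pin, so the handshake fails: the case described above. Ship a backup
         pin and an expiration date so a key rotation cannot lock users out. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2027-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

When reviewing an app, this file (and whether the build is debuggable) tells you up front which of the two stores a system-installed CA will get you past, and which domains will refuse the proxy regardless.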

---
