Add root certificate to Android system

Starting from Android 7 Nougat, applications must explicitly trust user-installed certificates for them to be effective. To bypass this, we can install our own root certificate in the system certificate store.

Requirements: the phone must be rooted.

Step 1: prepare the certificate

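If the certificate is in DER format (e.g. exported from Fiddler), convert it to PEM. The system store expects the file to be named after the certificate's old-style subject hash followed by .0; OpenSSL prints that hash with -subject_hash_old. The PowerShell script below does both.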

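param(
    [Parameter(Mandatory=$true)]
    [string]$Path
)

# Adjust this to where openssl.exe lives on your machine.
$openssl = "D:\Tools\openssl\openssl.exe"
# Resolve to an absolute path so .NET and PowerShell agree on the location.
$Path = (Resolve-Path -LiteralPath $Path).ProviderPath

# -subject_hash_old prints the hash on the first line, followed by the PEM certificate.
$s = (& $openssl x509 -inform DER -subject_hash_old -in $Path 2>$null)
if (-not $s) { throw "openssl could not read '$Path' as a DER certificate" }
$name = "$(@($s)[0]).0"
Write-Host $name
$fi = New-Object "System.IO.FileInfo" -ArgumentList $Path
$newName = "$($fi.Directory.FullName)\$name"
Write-Host $newName
# Convert DER to PEM and write it next to the input file, named <hash>.0.
$s = (& $openssl x509 -inform DER -in $Path 2>$null)
[System.IO.File]::WriteAllLines($newName, $s)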

Step 2: install the certificate

Connect the phone to the host, then run the following, replacing e5c3944b.0 with the file name printed in step 1:

adb root
adb push e5c3944b.0 /sdcard/
adb shell

Now, in adb shell:

mount -o remount,rw /system
cd /system/etc/security/cacerts
mv /sdcard/e5c3944b.0 .
chown root:root e5c3944b.0
chmod 644 e5c3944b.0
mount -o remount,ro /system
exit

Reboot the phone and you are done.