Load own root & intermediary certificate

dmircea · August 14, 2020, 8:56pm

Hi,

In my home all my devices have certificates which have been issued by my own certificate authority.

Up to date I was able to load the root and intermediary root certificate on all my devices: iPhones, Android phones, Windows computers.

Today I was trying to do the same thing on PPM because I cannot access my Home-assistant interface which is using a certificate signed by this authority.

Can you please advise what would be the best way to do that on PPM?
In a normal Android phone I would go to Settings -> Security -> Install from storage and select the pem files for the intermediary and the root certificates.

Thank you

dmircea · August 17, 2020, 5:07am

Hi @Philips_Support_P, Any clues how to do this?

dmircea · August 18, 2020, 12:29pm

@IvoGrijt sorry for tagging you here but I was wondering if you could suggest someone who might be able to help with my question?

Philips_Support_P · August 19, 2020, 12:14pm

Hi @dmircea I need to check with the SW team. In general we don’t have any UI for this. You may be able to do it via adb.

Apart from that, may I suggest using certificates signed by letsencrypt CA, which would avoid this hassle on all devices.

Rob123 · August 19, 2020, 12:42pm

You may be able to do it with ABD:

1. To install using the Android Debug Bridge (adb):

Note: USB debugging must be enabled.

1. Open the command line directory to the adb.exe file, for example, C:\Program Files\android-sdk-windows\tools, or C:\Program Files\android-sdk-windows\platform-tools*
1. Run the command: adb push %PathToCert%\MyCert.p12 /sdcard/MyCert.p12*

Why are you using a private PKI? a lot of Apps and tools are now written to not trust a private PKI.

Link: SyBooks Online

dmircea · August 19, 2020, 12:52pm

Appreciated!

I was using in the beginning LE but in my case there are issues that I cannot resolve with them (ie the 90 day renewal is really a pain and most importantly I cannot add IP addresses).

If it can be done through adb it would be great. Might need a bit of help with instructions but I guess I will figure it, if possible.

dmircea · August 20, 2020, 9:29am

Thanks @Rob123!

I will try that today. Seems that I need to convert the certificates (they are in PEM format).

I use this private CA because I wanted to trust devices in my network which are just on the private IP space. For those I can only add the IP address in the certificate and that is not possible with LetsEncrypt for example. Adding them in my DNS and exposing private IP addresses is not an option either. And generally, as a security principle, I do not want to have that kind of private information sitting anywhere outside the house.
Since all certificates are sitting inside the private space I do not want to make things more complicated than they are and I prefer just to trust this CA on the devices where I use a browser.
It is not a big deal if I cannot get it working on PPM since I use the browser there rarely and Opera allowed me to add an exception (could not get that done with Firefox though).

Thanks

Rob123 · August 20, 2020, 9:53am

You might not need to convert the .pem as it may be supported by AOSP 9. If it’s not you can used OpenSSL to convert the certificates to the required format: SSL - Convert PEM and private key to PKCS#12 - Mkyong.com

dmircea · August 20, 2020, 10:09am

Thanks for the link. My CA setup has openssl and conversion is not a problem.
Believe it or not right now the problem is getting the PPM moved because of the kids