So in my last post, we went over creating the SSL cert creation for your internal web servers. It was a nice, wildcard cert that was able to be made once and installed on many making it easier on us. Now we’ll go over making the CA certs for Android and Windows clients that will do away with that annoying Chrome nag screen about security and whatnot when accessing them and instead appear as a nice and secure website to the browser!

Crafting the Simple Configuration for Android

It’s necessary for a simple configuration for Android to have the certificate to be a CA cert. So this part establishes the part where we define that for a later step in the process.

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
commonName = *.yourinternaldomain.local

[ req_ext ]
subjectAltName = @alt_names
basicConstraints=CA:TRUE

[alt_names]
DNS.1 = yourinternaldomain.local
DNS.2 = *.yourinternaldomain.local

Save it as openssl.cnf. So, this is basically exactly like the server cnf file except for one thing and that is the line where it says basicConstraints=CA:TRUE. That makes it so that you don’t get an error on importing it into Android and it will work correctly!

You do NOT need this cnf file for the Windows cert, just skip ahead!

Generating the Signing Key for Android/Windows

So, this is for both Android and Windows, it’s basically the same but with different extensions.

Android:

openssl genrsa -out privkey.pem 2048

Windows:

openssl genrsa -out privkey.key 2048

I use the different extensions here just to keep things straight in my head when working with creating these certificates because we create a .pem for Android and a .crt for Windows.

Creating the Certificate Signing Request for Android/Windows

Like in the server post is basically the same, just with a tweak to differentiate the Windows command signature some.

Android:

openssl req -new -key privkey.pem -out csr.pem -config openssl.cnf

Windows:

openssl req -new -key privkey.key -out cert.csr

So, on Android, you see that you reference the cnf file. Remember, if you are doing this on Windows, you must specify the complete DOS path to the cnf file in the command statement.

Generate the Certificate

So now we have that we can generate the two different types of certificates for Android and Windows.

Android:

openssl x509 -req -days 365 -in csr.pem -signkey privkey.pem -out cert.pem -extensions req_ext -extfile openssl.cnf

Windows:

openssl x509 -req -days 365 -in cert.csr -signkey privkey.key -out cert.crt
OR (Easier way, skip all the previous Windows steps and follow the Android steps and after generating the Android Cert just do this!)
openssl x509 -outform der -in cert.pem -out cert.crt

And there you go, certificates made, one last thing for those special devices that require attention.

Craft a Full Chain pem

Here’s how to create a quick Full Chain pem file.

cat cert.pem privkey.pem > fullchain.pem

Installing the Certs

On Windows, you want to install the cert into your Trusted Root Certificates store. I had to restart Chrome and refresh my servers (that were already running their brand new internal certs) to get the Good To Go widget in the address bar. I haven’t tested with Edge, but I assume being chromium-based it probably uses the Windows Certificate Store as well. No idea about Firefox, never had the urge to use it.

On Android 13, based on your specific device look up how to install a custom certificate on it and it should see cert.pem (which you should have emailed to yourself already) in your storage somewhere. I’ve read you’re supposed to be able to just tap the pem file and it will auto-install but that did not work on a Pixel or a Samsung device. I had to go into Settings and do it through the menu.

If you are on a Pixel that is running Android 14 like me then when you get the option from settings to select the cert, it will not show any pem files. I am not sure why, but I found a workaround. After you download it, open the Files app and delete it. Sounds crazy but stay with me. Then go into settings and go through the certificate settings to the point of picking the certificate. This should launch a Files-like window to select it, tap the 3 dots in the upper right and select Show Hidden Files. Then there you go, the deleted cert.pem file will be there and just tap it and it will be installed. Crazy I know but that worked on my Pixel 8 Pro.

That should be it for Android, just kill and relaunch Chrome and it should be like on your desktop and with no nag screen.

I generally hope this helps anyone who could use the help. I know it has reduced the years of numerous clicking and tapping to get passed the security alerts over the years.

John