Work With Certificates

You can use digital certificates to identify your device for a variety of purposes, including VPN or Wi-Fi network access as well as authentication to servers by apps such as Email or Browser. To use a certificate to identify your device, you must obtain it with help from your system administrator, and install it in your device's trusted credential storage .

Android supports DER-encoded X.509 certificates, saved in files with a .crt or .cer file extension. If your certificate file has a .der or other extension, you must change it to .crt or .cer or you won't be able to install it.

Android also supports X.509 certificates saved in PKCS#12 key store files with a .p12 or .pfx extension. If your key store has some other extension, you much change it to .p12 or .pfx or you won't be able to install it. When you install a certificate from a PKCS#12 key store, Android also installs any accompanying private key or certificate authority certificates.

Install client and CA certificates

To install a certificate from your phone's internal storage:

  • Copy the certificate or key store from your computer to the root of your device's internal storage (that is, not in a folder).
  • From a Home or All Apps screen, touch the Settings icon .
  • Go to Personal > Security > Credential storage > Install from storage.
  • Touch the filename of the certificate or keystore to install. Only certificates that you haven't already installed are displayed.
  • If prompted, enter the key store password and touch OK.
  • Enter a name for the certificate and touch OK.

Typically, a CA certificate included with a client certificate is installed at the same time. You can also install separate CA certificates using the same steps.

If you have not already set a pattern, PIN, or password for your device, you're prompted to set one up. The type of lock that's acceptable may be predetermined by your system administrator.

You can now use the certificate that you installed when connecting to a secure network or for client authentication with Email, Browser, and third-party apps. After a certificate is installed successfully, the copy in storage is deleted.

Work with CA certificates

If a certificate authority (CA) certificate gets compromised, or for some other reason your organization doesn't want to trust it, you can disable or remove it. To do so, follow these steps:

  • From a Home or All Apps screen, touch the Settings icon .
  • Go to Personal > Security > Credential storage >Trusted credentials. The trusted credentials screen has two tabs:
    • System displays certificate authority (CA) certificates that are permanently installed in the ROM of your phone.
    • User displays any CA certificates that you have installed yourself, for example in the process of installing a client certificate.
  • To examine the details of CA certificate, touch its name. A scrolling screen displays the details.
  • To remove or disable a CA certificate, scroll down to the bottom of the details screen and touch either Disable for system certificates or Remove for user certificates. When you disable a system CA certificate, the button at the bottom of its details screen changes to Enable, so you can enable the certificate again if necessary. When you remove a user-installed CA certificate, it is gone permanently and must be re-installed if you want it back.
  • In the confirmation dialog that appears, click OK.

Previous page
« Encrypt Your Phone