Netgate Discussion Forum

    android devices not working with Root CA

    9 Posts 3 Posters 1.4k Views
      4o4rh

      I got Squid and Squidguard working in either caching or filtering mode.

      I've installed the root certificate on both Linux and Windows clients and they all work like a charm.

      I installed the Root CA on a number of Android devices via the settings, security tab, but neither Firefox nor Chrome seems to use it.

      In other words, I can't use any Android devices on my network when the config requires a CA.

        kiokoman LAYER 8 @4o4rh

        Use the native Android browser.
        There are also workarounds if you search with Google,
        like putting the crt on a web server and loading it in Firefox.
        It's not a pfSense problem anyway.

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

          dragoangel @4o4rh

          @gwaitsi most Android apps do not trust user CAs (and even use certificate pinning inside), so forget about it, unfortunately. Or you will end up with non-working internet for Android.
          P.S. Google Chrome does trust user-installed CAs. And Firefox uses its "own" trust store, so the CA must be installed from Firefox additionally.
          My recommendation is to use a separate SSID and VLAN for mobile phones, not do MITM there, and limit by firewall all ports that are not needed.

          Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
          Unifi AP-AC-LR with EAP RADIUS, US-24

            4o4rh @dragoangel

            @dragoangel yeah, just discovered that Chrome was working, but haven't figured out how to add it to Firefox for Android yet.
            The recommendation is not an option, as the whole reason for this exercise is to make it kid safe ;-)

              dragoangel @4o4rh

              @gwaitsi simply open the crt file with your CA in the Firefox browser and it will propose that you install it.

                4o4rh @dragoangel

                @dragoangel how? There is no "file open" in Firefox, and if I go to the file manager and try "open with", it only offers archive.

                  dragoangel @4o4rh

                  @gwaitsi you need to host it somewhere over HTTP as a file.

                    4o4rh @dragoangel

                    @dragoangel set it up to serve from the wpad server.
                    On Linux, Firefox downloads the file and recognizes it is a crt.

                    On Android, it downloads the file and opens the cert installer, but fails.
                    If you go into the downloads folder of Firefox and click on the file, it says "extraction error, please check the files".

                    If I go to the Downloads directory, I can see the 2 Firefox-downloaded ones and the one I manually copied. Clicking on the Firefox-downloaded one opens the installer and it installs. So the issue seems to be within Firefox.

                    • From the Firefox certificate installer: "couldn't install because the certificate file couldn't be read"

                    • added to the mime.types
                      application/x-x509-user-cert crt;
                      Now I get: "this personal certificate can't be installed because you do not own the corresponding private key which was created when the certificate was requested"

                    Sure is a lot of d.cking around to get Firefox to work. Easier to scrap it and just use Google, except I have an aversion to anything from them.

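Added example (not part of the thread, and not Netgate or pfSense code): the private-key error quoted in the post above is what a browser reports when a file arrives as `application/x-x509-user-cert`, the type for a client certificate, whereas a CA certificate is served as `application/x-x509-ca-cert`. The sketch below serves a certificate with that type using only Python's standard library and checks the response; the `/ca.crt` path is hypothetical and the sample bytes are a constructed placeholder, not a real certificate.

```python
import base64, re, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CA_MIME = "application/x-x509-ca-cert"      # CA certificate offered for trust import
USER_MIME = "application/x-x509-user-cert"  # client certificate; browser expects its private key
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Decode a PEM or DER file to DER; checks only the outer encoding."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    if not der.startswith(b"\x30"):  # a certificate is an ASN.1 SEQUENCE (tag 0x30)
        raise ValueError("file is neither PEM nor DER")
    return der

def classify(content_type: str) -> str:
    """Conventional meaning of the Content-Type on a certificate download."""
    return {CA_MIME: "ca-import", USER_MIME: "client-cert"}.get(content_type, "plain-download")

def make_handler(cert_bytes: bytes):
    to_der(cert_bytes)  # refuse to serve a file that cannot be read as a certificate
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != "/ca.crt":  # hypothetical path
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", CA_MIME)
            self.send_header("Content-Length", str(len(cert_bytes)))
            self.end_headers()
            self.wfile.write(cert_bytes)
    return Handler

def demo():
    # Constructed placeholder (DER for SEQUENCE{INTEGER 1}), not a real CA certificate.
    sample = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    srv = HTTPServer(("127.0.0.1", 0), make_handler(sample))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass any proxy
    try:
        with opener.open(f"http://127.0.0.1:{srv.server_port}/ca.crt") as resp:
            ctype = resp.headers.get_content_type()
            return ctype, classify(ctype), resp.read()
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo()[:2])
```

The same `classify` check can be pointed at the header returned by an existing web server to confirm which of the two types it sends for `.crt` files.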
                      dragoangel @4o4rh

                      @gwaitsi Unfortunately I don't know; maybe something is wrong with your CA. I have done this before without any issue. It must be processed successfully by the cert install. No download needed. Can you try creating a new CA via Cert Manager and try again?
