Firefox for Android: using a custom certificate authority
How to use your own, self-generated certificate authorities in Firefox for Android
Recent history
A while back, Mozilla rewrote Firefox on a new platform that is faster and more modern. In this process, a number of features died that have yet to be resurrected, such as complete add-on compatibility.
A lesser-known feature that was removed is the ability to install certificate authorities into Firefox itself, separate from the system certificate store. It went away together with the ability to bypass certificate errors (even mild ones).
Today, the most important features have been brought back into Firefox. Using your own certificate authority is, for some reason, still an obscure process, so in this post I will show you how to do it. If you don't know what a certificate authority is or how to generate one, there are various tutorials available online.
Enabling the certificate in Firefox
Step 1: installing a certificate
To use your custom certificate in Firefox, you first need to install it into the Android user certificate store. You can do this as follows:
- Export your CA in PEM format
- Rename it to give it a .crt extension
- Send the certificate to your phone and open it in the file explorer
- If this fails, try going through the settings: Settings > Security > Advanced > Encryption & credentials > Install a certificate
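As an added example (not from the original post), a small POSIX shell script for the export step above: it converts a CA certificate from PEM or DER into a PEM file with the .crt extension, checks that the file really is a CA certificate (basicConstraints CA:TRUE), prints the SHA-256 fingerprint so you can compare it with the entry Android shows after installation, and pushes the file to the phone with adb. The paths and the throwaway sample CA are constructed placeholders; openssl (1.1.1 or newer) is assumed to be installed, and adb only for the push.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl (1.1.1+) is
# installed; adb is only needed for push_to_phone. Paths are placeholders.

# prepare_ca_for_android <input cert> <output .crt>
# Accepts the CA certificate in PEM or DER form and writes a PEM copy with
# the .crt extension that Android's certificate installer recognises.
prepare_ca_for_android() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -inform PEM -out "$2" -outform PEM
    else
        openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
    fi
}

# is_ca_cert <cert>: succeeds only if the certificate carries
# basicConstraints CA:TRUE, i.e. it can actually sign server certificates.
# Installing a leaf certificate here would not make anything trusted.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# ca_fingerprint <cert>: SHA-256 fingerprint to compare with the entry
# Android shows under "Trusted credentials > User" after installation.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# push_to_phone <cert.crt>: copy the file to the phone's Download folder,
# from where it can be opened in the file explorer (step 3 above).
push_to_phone() {
    adb push "$1" /sdcard/Download/
}

# make_sample_ca <dir>: constructed throwaway CA used only to try the
# functions above; use your own CA instead of this one.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Home CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}
```

Run `is_ca_cert` on the file before sending it to the phone; a certificate without CA:TRUE will install but will not make your server certificates trusted.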
Step 2: enabling the certificate in Firefox
Now comes the weird part.
- First, open Firefox and go to the settings.
- Go to "About Firefox"
- Tap the Firefox logo seven times
- Go back one level. You should now have access to "Secret Settings", the second or third setting from the bottom
- Tick "Use third party CA certificates".
- You may need to restart the app.
Firefox will now trust the user CA.
Downsides to the new approach
This approach has some downsides. If you had installed your CA as a system certificate authority, you'll need to install it again as a user certificate, with all the downsides that come with that (most notably, a constant notification that says "your network may be monitored").
As far as I know, using client certificates for two-way TLS handshakes/certificate authentication is still not supported. There are open questions all over Bugzilla and GitHub about this.
I've also run into trouble using my certificate authority for an HTTPS proxy; the certificate seems to be trusted by the browser for HTTPS connections, but not for trusting the proxy itself. This is a problem if you browse the web from behind a proxy that you always want to connect to through a secure connection.
Written by Jeroen on July 25, 2021