Official List of Trusted Root Certificates on Android

April 19, 2018 Vincent Lynch

Similar to other platforms like Windows and macOS, Android maintains a system root store that is used to determine if a certificate issued by a particular Certificate Authority (CA) is trusted. As a developer, you may want to know what certificates are trusted on Android for compatibility, testing, and device security.

Google maintains a list of the trusted CA certificates on the Android source code website—available here. This list is the actual directory of certificates that’s shipped with Android devices. This list will only be accurate for the current version of Android, and is updated when a new version of Android is released.

Each root certificate is stored in an individual file. Each file contains the certificate in the PEM format, one of the most common formats for SSL certificates which is book-ended by two tags, —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–, and encoded in base64. The certificate is also included in X.509 format. Currently, 135 roots are trusted in Android Oreo (8.1) as of April 2018.

Note that manufacturers may decide to modify the root store that they ship so you cannot guarantee these will be the roots present on every current Android device. If there is a specific device you need compatibility with and have reason to believe it may differ from the stock list, you’ll want to perform tests directly on that device. The following instructions tell you how to retrieve the trusted root list for a particular Android device.

How to View Trusted Root Certificates on an Android Device

If you want to check the list of trusted roots on a particular Android device, you can do this through the Settings app. This allows you to verify the specific roots trusted for that device.

In Android Oreo (8.0), follow these steps:

  1. Open Settings
  2. Tap “Security & location”
  3. Tap “Encryption & credentials”
  4. Tap “Trusted credentials.” This will display a list of all trusted certs on the device.

You can also install, remove, or disable trusted certificates from the “Encryption & credentials” page.

Previous Article
Scaling CT Logs: Temporal Sharding
Scaling CT Logs: Temporal Sharding

Our industry is moving toward universal support for Certificate Transparency (CT), one of the largest impro...

Next Article
Getting Ahead of Chrome 70 Distrust of Symantec-Issued Certificates
Getting Ahead of Chrome 70 Distrust of Symantec-Issued Certificates

Today marks the planned release of Google Chrome 66 stable version and the culmination of the first major d...