Firefox Mobile for Android CAs

I’ve been using Firefox Mobile on Android for a while (thanks to the fact that it means I can use Firefox Sync between my laptop and mobile to share data). Overall it’s pretty good and the last few releases have fixed up a lot of the past stability issues and UI problems, it’s in a pretty decent state now.

One of the unfortunate problems I’ve had with it until recently is that the application was refusing to import custom certificate authorities. Whilst Android has it’s own CA store, add on browsers (inc Firefox Mobile) can have their own CA stores and the manageability of these can vary a lot.

In the case of Firefox Mobile, the ability to manage certificates was not ported across from the desktop version, meaning that none of my web applications would validate against my custom CA.

However as a passable solution, it’s now possible to import the CA file by downloading a PEM version of the CA certificate in the browser. Just upload a copy of the PEM formatted certificate to a webserver and download the file with the browser to install.

Installing CAs into Firefox Mobile (PEM formatted file).

Installing CAs into Firefox Mobile (PEM formatted file).

Now the biggest problem left is sites and applications that have poorly written user agent detection and assume that the only mobile devices that possibly exist are devices that have the iPhone or stock Android user agent. :-( *glares at Atlassian in particular*

This entry was posted in Uncategorized and tagged , , , , . Bookmark the permalink.

5 Responses to Firefox Mobile for Android CAs

  1. mic says:

    Hi,
    I wonder if this still works on recent releases… using Firefox 27 on Android 4.4 and I can not get this to work :(

  2. md says:

    I also did not get it to work with the latest firefox beta as of now. One can easily import the root certificates and it will not complain or refuse to install them. But when opening my websites, which use certificates signed by the imported root-certificate it comes up with the “unknown issuer” error message. The desktop-firefox (and all other browsers) seem not to have any problems. i also checked the firefox mobile for SNI-support, which it apparently has. So this sucks a little bit… my opinion.

  3. BAReFOOt says:

    Well, I did import the CA certificate, including the intermediate CA one, yet FF still complains. Stupid broken fucking shit!

  4. MterSch says:

    Hi Jethro,

    Another (late) reply with an extra tip (at least for Android 4.4.4 / Firefox 36):
    when you put the certificate on a webserver, make sure it is served with MIME type application/x-x509-ca-cert (or application/x-x509-user-cert for client certificates).

    Without this, Firefox will not install the certificate, but download it instead.

    Regards,
    Martijn

  5. Robin Bankhead says:

    Hi Jethro,

    Many thanks for looking into this – and thanks Martijn (previous comment) for the MIME-type tip. My Apache-2.4 server doesn’t serve files with the .PEM extension as application/x-x509-ca-cert by default, so I used this quickie PHP script to serve it with the right header:

    Just to complicate matters further, note that Firefox Sync on mobile actually does use the Android CA store (via the Android sync provider API), so if you are self-hosting your own Firefox Accounts sync server, you’ll need to install the CA cert into the Android store as well.

    Regards,
    Robin Bankhead

Leave a Reply