From 0c790e9fe481ba61c7782e5a59e522f5b23d7188 Mon Sep 17 00:00:00 2001 From: ss-orlova <95080242+ss-orlova@users.noreply.github.com> Date: Thu, 5 Oct 2023 17:50:15 +0300 Subject: [PATCH 1/2] Update info about moving the ceritficate to the system store --- .../https-certificate-for-rooted.md | 61 ++++++------------- 1 file changed, 18 insertions(+), 43 deletions(-) diff --git a/docs/adguard-for-android/solving-problems/https-certificate-for-rooted.md b/docs/adguard-for-android/solving-problems/https-certificate-for-rooted.md index 92b636cc455..aff3170aadf 100644 --- a/docs/adguard-for-android/solving-problems/https-certificate-for-rooted.md +++ b/docs/adguard-for-android/solving-problems/https-certificate-for-rooted.md @@ -1,5 +1,5 @@ --- -title: Moving CA certificate to System store on rooted devices +title: Moving the CA certificate to the system store on rooted devices sidebar_position: 14 --- @@ -9,69 +9,44 @@ This article covers AdGuard for Android, a multifunctional ad blocker that prote ::: -AdGuard for Android provides a feature called [HTTPS filtering](../../overview#https-filtering) that makes it possible to [filter encrypted HTTPS traffic](/general/https-filtering/what-is-https-filtering) on your Android device. This feature requires adding the AdGuard's CA certificate to the list of trusted certificates. +AdGuard for Android can [filter encrypted HTTPS traffic](/general/https-filtering/what-is-https-filtering), thus blocking most ads and trackers on websites. On rooted devices, AdGuard also allows you to filter HTTPS traffic in apps. HTTPS filtering requires adding the AdGuard's CA certificate to the list of trusted certificates. -On non-rooted devices CA certificates can be installed to the **User store**. Only a limited subset of apps (mostly browsers) trust CA certificates installed to the User store, meaning HTTPS filtering will work only for such apps. +On non-rooted devices, CA certificates can be installed to the **user store**. Only a limited subset of apps (mostly browsers) trust CA certificates installed to the user store, meaning HTTPS filtering will work only for such apps. -However, on rooted devices, you can install the certificate to the **System store** and allow HTTPS filtering of other apps' traffic too. +On rooted devices, you can install a certificate to the **system store**. That will allow AdGuard to filer HTTPS traffic in other apps as well. Here's how to do that. -## How to install AdGuard's Certificate to System store (on a rooted device) +## How to install AdGuard's certificate to the system store -1. Enable HTTPS filtering in AdGuard for Android and save AdGuard's certificate to the User store (use [this instruction](../../overview#https-filtering) if needed) +1. Open *AdGuard → Settings → Filtering → Network → HTTPS filtering → Security certificates*. - From AdGuard for Android v4.1 and after users can install two certificates to the User store, which will help to filter websites in Chrome browser. +1. If you don't have any certificate yet, **install the AdGuard Personal CA into the user store**. This will allow AdGuard to filter HTTPS traffic in browsers. -1. Go to **AdGuard app** → **Menu** (≡) → **Settings** → **Network** → **HTTPS filtering** → **Security certificate** → tap “**Copy to the system store**” +1. **Install the AdGuard Intermediate CA into the user store**. You'll need it to run the adguardcert Magisk module that allows you to move certificates to the system store. - That is enough for older versions of Magisk. + ![Install the certificate *mobile_border](https://cdn.adtidy.org/blog/new/asx1xksecurity_certificates.png) - However, if you have a newer version, you will get this message: +1. Install the [latest release of the **adguardcert** Magisk module](https://github.com/AdguardTeam/adguardcert/releases/latest/). - > Unable to copy the certificate to the system store. Try using “AdGuard Certificate” module. - - In that case, proceed to steps below: - -1. Go to **Magisk** → **Settings** - - ![Open Magisk settings *mobile](https://cdn.adtidy.org/content/kb/ad_blocker/android/solving_problems/https-certificate-for-rooted/magisk-module-1.png) - -1. Enable **Zygisk** - - ![Enable Zygisk *mobile](https://cdn.adtidy.org/content/kb/ad_blocker/android/solving_problems/https-certificate-for-rooted/magisk-module-2.png) - - ![Go back to Magisk main screen *mobile](https://cdn.adtidy.org/content/kb/ad_blocker/android/solving_problems/https-certificate-for-rooted/magisk-module-3.png) - -1. Download the `.zip` file (of “AdGuard Certificate” module) from the [latest release on GitHub](https://github.com/AdguardTeam/adguardcert/releases/latest/) - -1. Go to **Magisk** → **Modules** → **Install from storage** and select the downloaded `.zip` file +1. Open *Magisk → Modules → Install from storage* and select the downloaded **adguardcert** file. This will move the AdGuard Personal CA from the user store to the system store. ![Open Magisk modules *mobile](https://cdn.adtidy.org/content/kb/ad_blocker/android/solving_problems/https-certificate-for-rooted/magisk-module-4.png) ![Install from storage *mobile](https://cdn.adtidy.org/content/kb/ad_blocker/android/solving_problems/https-certificate-for-rooted/magisk-module-5.png) - ![Select AdGuard certificate module *mobile](https://cdn.adtidy.org/content/kb/ad_blocker/android/solving_problems/https-certificate-for-rooted/magisk-module-6.png) + ![Select adguardcert *mobile](https://cdn.adtidy.org/content/kb/ad_blocker/android/solving_problems/https-certificate-for-rooted/magisk-module-6.png) -1. Reboot +1. Tap **Reboot**. ![Reboot the device *mobile](https://cdn.adtidy.org/content/kb/ad_blocker/android/solving_problems/https-certificate-for-rooted/magisk-module-7.png) -If a new version of "AdGuard certificate" module comes out, repeat steps 3-7 to update the module. +After the transfer, the **AdGuard Personal CA** in the system store will allow you to filter HTTPS traffic in apps, while the **AdGuard Intermediate CA** in the user store will allow you to filter HTTPS traffic in Chromium-based browsers (see below why). -The module does its work during the system boot. If your AdGuard certificate changes, you'll have to reboot the device for the new certificate to be copied to the system store. +## Known issues with Chrome and Chromium-based browsers -### Bromite browser - -:::note +Chrome and other Chromium-based browsers require Certificate Transparency (CT) logs for certificates located in the system store. CT logs don't contain information about certificates issued by HTTPS-filtering apps. Therefore, AdGuard requires an additional certificate in the user store to filter HTTPS traffic in these browsers. -In order for the **Bromite** browser to work properly, in addition to the steps mentioned above, you need to set "Allow user certificates" in `chrome://flags` to "Enabled" state. - -::: - -### Chrome and Chromium-based browsers - -Long story short, you will have no problems with HTTPS filtering in Chrome and Chromium-based browsers on rooted devices, if you use "AdGuard Certificate" module. +### Bromite browser -Here is a bit more detailed explanation: Chrome (and subsequently many other Chromium-based browsers) has recently started requiring CT logs for CA certs found in the **System store**. "AdGuard Certificate" module copies AdGuard's CA certificate from the **User store** to the **System store**. It also contains a Zygisk module that reverts any modifications done by Magisk for [certain browsers](https://github.com/AdguardTeam/adguardcert/blob/master/zygisk_module/jni/browsers.inc). -This way the browsers only find AdGuard’s certificate in the User store and don’t complain about the missing CT log, while other apps continue to use the same certificate from the System store. +In addition to the above issue, Bromite doesn't trust certificates in the user store by default. To filter HTTPS traffic there, open Bromite, go to `chrome://flags`, and set *Allow user certificates* to *Enabled*. **This applies to both rooted and non-rooted devices**. From 0dba7c0a91868313ab73158034094164ee0f8266 Mon Sep 17 00:00:00 2001 From: ss-orlova <95080242+ss-orlova@users.noreply.github.com> Date: Mon, 9 Oct 2023 16:40:43 +0300 Subject: [PATCH 2/2] Small fix --- .../solving-problems/https-certificate-for-rooted.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/adguard-for-android/solving-problems/https-certificate-for-rooted.md b/docs/adguard-for-android/solving-problems/https-certificate-for-rooted.md index aff3170aadf..8da303dbc5b 100644 --- a/docs/adguard-for-android/solving-problems/https-certificate-for-rooted.md +++ b/docs/adguard-for-android/solving-problems/https-certificate-for-rooted.md @@ -9,7 +9,7 @@ This article covers AdGuard for Android, a multifunctional ad blocker that prote ::: -AdGuard for Android can [filter encrypted HTTPS traffic](/general/https-filtering/what-is-https-filtering), thus blocking most ads and trackers on websites. On rooted devices, AdGuard also allows you to filter HTTPS traffic in apps. HTTPS filtering requires adding the AdGuard's CA certificate to the list of trusted certificates. +AdGuard for Android can [filter encrypted HTTPS traffic](/general/https-filtering/what-is-https-filtering), thus blocking most ads and trackers on websites. On rooted devices, AdGuard also allows you to filter HTTPS traffic in apps. HTTPS filtering requires adding AdGuard's CA certificate to the list of trusted certificates. On non-rooted devices, CA certificates can be installed to the **user store**. Only a limited subset of apps (mostly browsers) trust CA certificates installed to the user store, meaning HTTPS filtering will work only for such apps.