Cert-Fixer is a Magisk module that installs custom CA certificates to Android's system certificate store. This module is tested/known to work on Android 13, 14, and 15 (API 33, 34, and 35).
Tested on AVD Emulators Pixel 8 API 35 (Android 15) and Pixel 8 API 34 (Android 14).
Users have reported as working on Redme API 33 (Android 13).
- Root your Android device using rootAVD (rootAVD uses Magisk).
- Complete any pending updates for Magisk, and make sure you have the latest Magisk version.
- Install your custom CA certificate under user certificate store.
- Download
Cert-Fixer.zipand install Cert-Fixer module in Magisk. - Reboot.
Cert-Fixer will copy all your user certificates to system store at boot up. - Your user certificates should now be available in the system store!
- Cert-Fixer copies all the CA certificates from the user store to the system store. Make sure you do not have any untrusted certificates in the user store before reboot.
- If there are multiple versions of the same certificate (same hash, but different extensions), only the latest certificate will be copied.
Since Android 14 (API 34), it has become too hard to add custom certificates to the system store. This is because the system certificates are now stored in APEX (Android Pony EXpress) containers which are immutable. Now, /apex/com.android.conscrypt/cacerts is the file location for the system CA certificates.
Tim Perry has discussed the changes and motivation behind them in his blog post. AdguardTeam has done a nice implementation of this in their adguardcert Magisk module. Adguardcert module copies their CA certificate at boot time, right after /data is decrypted and mounted (Refer to Android initialization stages). Cert-Fixer is simply an adoption (minor modification) of the Adguardcert implementation. All credit to Tim and Adguard for finding the technique. Cert-Fixer copies all of the installed user certificates to the system store.