[Feature Request] Add Certificate to both User and System Store on Android

[jerji]

While going down a rabbit hole, trying to diagnose why Firefox on Android kept throwing HSTS errors, I found that Firefox does not trust the system certificate store at all. For compatibility with DPI and other reasons an enterprise would have a CA, Firefox has an option to trust the certificates in the user store only.

Unfortunately, this is not simple to achieve with HTTP Toolkit because when you install a certificate in the System store, It cannot be duplicated in the user store. However, the opposite is not the case. The tactic would then be to install the certificate in the user store first, and then the system store.

The user store is situated at /data/misc/user/0/cacerts-added/

It would be pretty simple to add it to the user store first and then the system store.

Is this something that you are interested in implementing? It seems easy to add it here.

[pimterry]

Hmm, interesting! I'm open to it, though it'd need careful testing as I'm not sure if there are other consequences or side-effects here. PRs welcome.

As an alternative, you can just manually trust the CA in Firefox directly. There's instructions in the docs:

In Firefox specifically, you can trust your HTTP Toolkit's CA certificate by browsing to http://amiusing.httptoolkit.tech/certificate (note the http://, not https://) in Firefox whilst interception is active, and then accepting the prompt to trust the certificate that's downloaded