Add a CA manually to Android devices

Users can add the certificate authority (CA) XG Firewall uses for HTTPS scanning to their Android devices.

Introduction

When XG Firewall scans HTTPS traffic, Android devices show a warning message or block traffic if the CA used in HTTPS scanning isn't known to them.

XG Firewall ships with a CA certificate, which it uses for the DPI engine (SSL/TLS inspection) and web proxy-based HTTPS scanning.

This example shows how users can install the CA on their Android devices manually so that HTTPS scanning works without warnings.

The configuration steps are as follows:

  • Download the CA and send it to users.
  • Specify the CA for SSL/TLS inspection and decryption when using the DPI engine.
  • Specify the CA for HTTPS decryption and scanning when using XG Firewall as a web proxy.
  • Users must add the CA to their Android devices.

Apply root CA for HTTPS decryption and download CA

Use the CA shipped with XG Firewall for HTTPS decryption.

You must select the CA for SSL/TLS inspection (DPI engine) and for HTTPS decryption (web proxy filtering), and you must download the CA so that users can install it.

  1. Go to Certificates > Certificate authorities and click download next to SecurityAppliance_SSL_CA.

    Alternatively, you can specify the settings of the Default CA, which is the self-signed CA shipped with XG Firewall, and download it. You can also import an external CA.

    Here's an example:

    [Image: Download Security Appliance CA]
  2. Optional: If you want users to add the CA manually, email the CA certificate to them.

    Alternatively, upload the CA to a server from which users can download the certificate to their mobile devices.

  3. To configure the CA for SSL/TLS inspection, which uses the DPI engine, do as follows:
    1. Go to Rules and policies > SSL/TLS inspection rules and select SSL/TLS inspection settings.
    2. Under Re-signing certificate authorities, select SecurityAppliance_SSL_CA (RSA) for Re-sign RSA with.

      Here's an example:

      [Image: Apply CA to SSL/TLS inspection settings]
    3. Click Apply.
  4. To configure the CA for HTTPS decryption, which uses web proxy, go to Web > General settings. Under HTTPS decryption and scanning, select SecurityAppliance_SSL_CA for HTTPS scanning certificate authority (CA).

    Here's an example:

    [Image: Apply CA to HTTPS decryption with web proxy filtering]
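Before emailing the downloaded CA file to users (step 2), it is worth confirming that the file really is a CA certificate and recording its SHA-256 fingerprint so users can check they received the right file. The program below is an added example, not Sophos code; the certificates it checks are constructed in-process and stand in for the downloaded SecurityAppliance_SSL_CA file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckCAPEM parses one PEM certificate and returns its SHA-256 fingerprint,
// refusing any input that is not a CA (basicConstraints CA:TRUE).
func CheckCAPEM(pemData []byte) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return "", fmt.Errorf("not a CA certificate: do not install it as one")
	}
	sum := sha256.Sum256(cert.Raw) // fingerprint over the DER bytes, as shown in cert viewers
	return fmt.Sprintf("%X", sum[:]), nil
}

// SampleCertPEM builds a constructed self-signed certificate (CA or not) that
// stands in for the downloaded SecurityAppliance_SSL_CA file; it is not real data.
func SampleCertPEM(isCA bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Sample SecurityAppliance_SSL_CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(CheckCAPEM(SampleCertPEM(true)))  // fingerprint, <nil>
	fmt.Println(CheckCAPEM(SampleCertPEM(false))) // "", not a CA certificate
}
```

To check the real file, read it with os.ReadFile and pass the bytes to CheckCAPEM instead of the constructed sample.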

Add the CA to an Android device

To be able to install certificates, you must set a PIN, pattern, or password for your mobile device.

The following steps are for a Pixel Android device. For details of other Android devices, see support.google.com.

  1. On the Android device, open the Settings app.
  2. Tap Security & location > Advanced > Encryption & credentials.
  3. Under Credential storage, tap Install from storage or Install from SD card.

    [Image: Open storage for Android]
  4. In the upper-left corner, tap the menu button.
  5. Under Open from, tap the location where you saved the certificate.

    [Image: Open storage for Android]
  6. Tap the file.
  7. Enter your PIN for the device.
  8. Enter a name for the certificate.
  9. Select VPN and apps or Wi-Fi from the list, and tap OK.

    [Image: Enter the certificate name]