Last updated: February 2021
Similar to other platforms like Windows and macOS, Android maintains a system root store that is used to determine if a certificate issued by a particular Certificate Authority (CA) is trusted. As a developer, you may want to know what certificates are trusted on Android for compatibility, testing, and device security.
Google maintains a list of the trusted CA certificates on the Android source code website—available here. This list is the actual directory of certificates that's shipped with Android devices. This list will only be accurate for the current version of Android and is updated when a new version of Android is released.
Each root certificate is stored in an individual file. Each file contains the certificate in the PEM format, one of the most common formats for TLS/SSL certificates, which is encoded in base64 and book-ended by two tags, -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. The certificate is also included in X.509 format.
Note that manufacturers may decide to modify the root store that they ship, so you cannot guarantee these will be the roots present on every current Android device. If there is a specific device you need compatibility with and you have reason to believe its root store may differ from the stock list, you'll want to perform tests directly on that device. The following instructions tell you how to retrieve the trusted root list for a particular Android device.
If you want to check the list of trusted roots on a particular Android device, you can do this through the Settings app. This allows you to verify the specific roots trusted for that device.
In Android (version 11), follow these steps:
You can also install, remove, or disable trusted certificates from the “Encryption & credentials” page.
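Because each root is a PEM file and manufacturers may modify the store, a device's roots are best compared with the stock list by certificate fingerprint rather than by file name. The following Python is an added example, not part of the original article or of Android's code; the function names, file names and sample stores are assumptions, and the sample "certificates" are constructed placeholder bytes rather than real X.509 data.

```python
import base64, hashlib, re, textwrap
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(text):
    """SHA-256 (hex) of the decoded bytes of each PEM block in text.
    Anything outside the BEGIN/END tags (e.g. a text dump) is ignored."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()), validate=True)).hexdigest()
            for body in PEM_RE.findall(text)]

def read_dir(path):
    """Load a one-certificate-per-file directory as {file name: contents}."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(path).iterdir() if p.is_file()}

def index(files):
    """Map fingerprint -> file name for a {file name: contents} store."""
    return {fp: name for name, text in files.items() for fp in fingerprints(text)}

def diff_stores(stock_files, device_files):
    """Report roots present only on the device ("added") or only in stock ("removed")."""
    stock, device = index(stock_files), index(device_files)
    return {
        "added": sorted(device[fp] for fp in device.keys() - stock.keys()),
        "removed": sorted(stock[fp] for fp in stock.keys() - device.keys()),
    }

def make_pem(raw, trailer=""):
    """Helper for the constructed samples: wrap bytes in PEM tags, 64 chars per line."""
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n" + trailer)

# Constructed sample stores (placeholder bytes, hypothetical file names).
STOCK = {
    "root-a.pem": make_pem(b"constructed-root-A" * 8, "Certificate:\n    Data: ...\n"),
    "root-b.pem": make_pem(b"constructed-root-B" * 8),
}
DEVICE = {
    "renamed-a.pem": make_pem(b"constructed-root-A" * 8),   # same root, different file name
    "vendor-x.pem": make_pem(b"constructed-vendor-X" * 8),  # present only on the device
}

if __name__ == "__main__":
    print(diff_stores(STOCK, DEVICE))
```

For real data, pass `read_dir()` results for a copy of the stock directory and a copy of the device's certificate files to `diff_stores()`.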