Skip to main content

Moving CA certificate to System store on rooted devices


이 문서는 시스템 수준에서 기기를 보호하는 다기능 광고 차단기인 Android용 AdGuard에 대해 다룹니다. To see how it works, download the AdGuard app

AdGuard for Android provides a feature called HTTPS filtering that makes it possible to filter encrypted HTTPS traffic on your Android device. This feature requires adding the AdGuard's CA certificate to the list of trusted certificates.

On non-rooted devices CA certificates can be installed to the User store. Only a limited subset of apps (mostly browsers) trust CA certificates installed to the User store, meaning HTTPS filtering will work only for such apps.

However, on rooted devices, you can install the certificate to the System store and allow HTTPS filtering of other apps' traffic too.

Here's how to do that.

How to install AdGuard's Certificate to System store (on a rooted device)

  1. Enable HTTPS filtering in AdGuard for Android and save AdGuard's certificate to the User store (use this instruction if needed)

    From AdGuard for Android v4.1 and after users can install two certificates to the User store, which will help to filter websites in Chrome browser.

  2. Go to AdGuard appMenu (≡) → SettingsNetworkHTTPS filteringSecurity certificate → tap “Copy to the system store

    That is enough for older versions of Magisk.

    However, if you have a newer version, you will get this message:

    Unable to copy the certificate to the system store. Try using “AdGuard Certificate” module.

    In that case, proceed to steps below:

  3. Go to MagiskSettings

    Open Magisk settings *mobile

  4. Enable Zygisk

    Enable Zygisk *mobile

    Go back to Magisk main screen *mobile

  5. Download the .zip file (of “AdGuard Certificate” module) from the latest release on GitHub

  6. Go to MagiskModulesInstall from storage and select the downloaded .zip file

    Open Magisk modules *mobile

    Install from storage *mobile

    Select AdGuard certificate module *mobile

  7. Reboot

    Reboot the device *mobile

If a new version of "AdGuard certificate" module comes out, repeat steps 3-7 to update the module.

The module does its work during the system boot. If your AdGuard certificate changes, you'll have to reboot the device for the new certificate to be copied to the system store.

Bromite browser


In order for the Bromite browser to work properly, in addition to the steps mentioned above, you need to set "Allow user certificates" in chrome://flags to "Enabled" state.

Chrome and Chromium-based browsers

Long story short, you will have no problems with HTTPS filtering in Chrome and Chromium-based browsers on rooted devices, if you use "AdGuard Certificate" module.

Here is a bit more detailed explanation: Chrome (and subsequently many other Chromium-based browsers) has recently started requiring CT logs for CA certs found in the System store. "AdGuard Certificate" module copies AdGuard's CA certificate from the User store to the System store. It also contains a Zygisk module that reverts any modifications done by Magisk for certain browsers. This way the browsers only find AdGuard’s certificate in the User store and don’t complain about the missing CT log, while other apps continue to use the same certificate from the System store.