Prior to Android KitKat you have to root your device to install new certificates.
From Android KitKat (4.0) up to Nougat (7.0) it's possible and easy. I was able to install the Charles Web Debbuging Proxy cert on my un-rooted device and successfully sniff SSL traffic.
Extract from http://wiki.cacert.org/FAQ/ImportRootCert
Before Android version 4.0, with Android version Gingerbread & Froyo, there was a single read-only file ( /system/etc/security/cacerts.bks ) containing the trust store with all the CA ('system') certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, ...
Starting from Android 4.0 (Android ICS/'Ice Cream Sandwich', Android 4.3 'Jelly Bean' & Android 4.4 'KitKat'), system trusted certificates are on the (read-only) system partition in the folder '/system/etc/security/' as individual files. However, users can now easily add their own 'user' certificates which will be stored in '/data/misc/keychain/certs-added'.
System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> 'System'-section, whereas the user trusted certificates are manged in the 'User'-section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN-code, a pattern-lock or a password to unlock the device are mandatory when user-supplied certificates are used.
Installing CAcert certificates as 'user trusted'-certificates is very easy. Installing new certificates as 'system trusted'-certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.
From Android N onwards it gets a littler harder, see this extract from the Charles proxy website:
As of Android N, you need to add configuration to your app in order to
have it trust the SSL certificates generated by Charles SSL Proxying.
This means that you can only use SSL Proxying with apps that you
control.
In order to configure your app to trust Charles, you need to add a
Network Security Configuration File to your app. This file can
override the system default, enabling your app to trust user installed
CA certificates (e.g. the Charles Root Certificate). You can specify
that this only applies in debug builds of your application, so that
production builds use the default trust profile.
Add a file res/xml/network_security_config.xml to your app:
<network-security-config>
<debug-overrides>
<trust-anchors>
<!-- Trust user added CAs while debuggable only -->
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
Then add a reference to this file in your app's manifest, as follows:
<?xml version="1.0" encoding="utf-8"?>
<manifest>
<application android:networkSecurityConfig="@xml/network_security_config">
</application>
</manifest>
Python 2.7.9+ and 3.4+
Good news! Python 3.4 (released March 2014) and Python 2.7.9 (released December 2014) ship with Pip. This is the best feature of any Python release. It makes the community's wealth of libraries accessible to everyone. Newbies are no longer excluded from using community libraries by the prohibitive difficulty of setup. In shipping with a package manager, Python joins Ruby, Node.js, Haskell, Perl, Go—almost every other contemporary language with a majority open-source community. Thank you, Python.
If you do find that pip is not available when using Python 3.4+ or Python 2.7.9+, simply execute e.g.:
py -3 -m ensurepip
Of course, that doesn't mean Python packaging is problem solved. The experience remains frustrating. I discuss this in the Stack Overflow question Does Python have a package/module management system?.
And, alas for everyone using Python 2.7.8 or earlier (a sizable portion of the community). There's no plan to ship Pip to you. Manual instructions follow.
Python 2 ≤ 2.7.8 and Python 3 ≤ 3.3
Flying in the face of its 'batteries included' motto, Python ships without a package manager. To make matters worse, Pip was—until recently—ironically difficult to install.
Official instructions
Per https://pip.pypa.io/en/stable/installing/#do-i-need-to-install-pip:
Download get-pip.py
, being careful to save it as a .py
file rather than .txt
. Then, run it from the command prompt:
python get-pip.py
You possibly need an administrator command prompt to do this. Follow Start a Command Prompt as an Administrator (Microsoft TechNet).
This installs the pip package, which (in Windows) contains ...\Scripts\pip.exe that path must be in PATH environment variable to use pip from the command line (see the second part of 'Alternative Instructions' for adding it to your PATH,
Alternative instructions
The official documentation tells users to install Pip and each of its dependencies from source. That's tedious for the experienced and prohibitively difficult for newbies.
For our sake, Christoph Gohlke prepares Windows installers (.msi
) for popular Python packages. He builds installers for all Python versions, both 32 and 64 bit. You need to:
- Install setuptools
- Install pip
For me, this installed Pip at C:\Python27\Scripts\pip.exe
. Find pip.exe
on your computer, then add its folder (for example, C:\Python27\Scripts
) to your path (Start / Edit environment variables). Now you should be able to run pip
from the command line. Try installing a package:
pip install httpie
There you go (hopefully)! Solutions for common problems are given below:
Proxy problems
If you work in an office, you might be behind an HTTP proxy. If so, set the environment variables http_proxy
and https_proxy
. Most Python applications (and other free software) respect these. Example syntax:
http://proxy_url:port
http://username:password@proxy_url:port
If you're really unlucky, your proxy might be a Microsoft NTLM proxy. Free software can't cope. The only solution is to install a free software friendly proxy that forwards to the nasty proxy. http://cntlm.sourceforge.net/
Unable to find vcvarsall.bat
Python modules can be partly written in C or C++. Pip tries to compile from source. If you don't have a C/C++ compiler installed and configured, you'll see this cryptic error message.
Error: Unable to find vcvarsall.bat
You can fix that by installing a C++ compiler such as MinGW or Visual C++. Microsoft actually ships one specifically for use with Python. Or try Microsoft Visual C++ Compiler for Python 2.7.
Often though it's easier to check Christoph's site for your package.
Best Answer
Looking at certificate in the Windows Certificate Manager (certmgr.msc). Windows says it "does not have enough information to verify this certificate". When looking at the certificate path, the only certificate that is shown is the certificate itself (with a yellow exclamation mark), and the Certificate status indicates: "The issuer of this certificate could not be found".
I looked carefully at the details of the faulty certificate to find why is it different from other certificates. The issuer's name was clearly correct so this wasn't the problem. The field that drew my attention was "Authority Information Access" The reason was is that it contained extra data with a "URL=http:...name_of_domain.cer". This link is to the intranet the organization uses. I've downloaded the certificate on the intranet and installed it on the client. The certificate became valid, and now it shows two certificates in the "Certification Path"
Conclusions.. It turns out Windows XP is dumb for two reasons:
Hope this helps anyone who will encounter this in the future. (or not since Windows XP supported ended, as we all know:) )