Diy SSL CA + android
Creating a CA
You can create a CA and use it to sign certs for use by other services, so that you can add that CA to phone, laptop, etc and have them not complain about self-signed certs.
Generate the root CA key
openssl genrsa -out rootCA.key 4096 -aes-256-cbc
Generate the (self-signed) root CA cert: (-nodes means without password encryption, omit if this is not what you want)
openssl req -x509 -new -nodes -key rootCA.key -days 10240 -out rootCA.pem
Creating certs and keys for services
Create a signing request:
openssl req -new -key myserver.key -out myserver.csr
Use the root CA cert to sign the CSR and generate the server cert.
openssl x509 -req -in myserver.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial -out myserver.crt -days 3650
Installing system-wide in rooted Android phones
get the hash of the root CA cert and append a ".0" - this is the filename the cert should be stored as.
openssl x509 -in rootCA.pem -subject_hash_old -noout
Copy rootCA.pem to this filename (eg, 87654321.0) and put it into /system/etc/security/cacerts/87654321.0 on the Android device.