Trusted credentials

This setting lists the certificate authority (CA) companies that this device regards as "trusted" for purposes of verifying the identity of a server over a secure connection such as HTTPS or TLS, and allows you to mark one or more authorities as not trusted.

On some devices this menu item may be called "View security certificates" instead.

Background information

Certificate authorities are companies that issue secure certificates verifying the identity of web servers and other servers (such as mail servers).

When accessing a web server or mail server over a secure connection such as HTTPS (note the "S"), not only does all communication need to be encrypted, but the identity of the server needs to be verified by checking that the site has a certificate issued by a trustworthy certificate authority. The certificate shows that the certificate authority has verified the authenticity of the server. For example, if the server claims to be "example.com", the certificate authority may issue a certificate assuring that it has checked that the certificate holder is the genuine owner of the domain "example.com". For secure connections, this prevents a rogue server from hijacking that name by posing as the genuine server.


Certificates are generated and verified using a cryptographic process that makes it possible for the server to prove its identity without revealing the secret key used to create this proof of identity. This prevents other servers from being able to provide the same proof.

What the list of trusted credentials is for

Devices and browsers contain a pre-defined set of trusted certificate authorities, along with the public keys required to verify each company's certificates. Upon encountering a certificate signed by a certificate authority in its trusted list, your device will trust that certificate.

If your device encounters a certificate signed by an untrusted company, you will be alerted with a warning. The warning means that the site's identity could not be properly verified by a trusted authority, and therefore that you can't be confident that it is not a rogue site impersonating the genuine site.

In cases where a certificate authority is later found to be untrustworthy or its systems have been broken into, you may remove it from this list.

When these settings would need to be modified

You should not normally have reason to modify this list yourself.

If a certificate authority is ever revealed to be untrustworthy or has its systems compromised, it tends to become fairly big news: these are the trusted companies that the internet relies upon as the basis for verifying authentication, and any loss of trust in them is important news for browser makers. Your browsers and devices may receive security updates that remove those companies from their trusted credentials list. If not, or if you don't want to wait, or if you have personal reasons not to trust a particular company, you can remove them yourself.

What the sections mean

System

The system tab contains the list of trusted certificate authorities that came with your device.

User

The user tab contains the list of trusted certificate authorities that you, or an app you have been using, have installed on your device. Often this list will be empty, since most people have no reason to install an additional CA certificate that wasn't originally provided with the device.

User-installed certificate authorities may be used if, for example, you need to make a secure connection to a corporate server and you need to verify its authenticity with a certificate signed by a certificate authority operated within your company.

Your corporate network may direct you to manually install them as a trusted certificate authority, or they may give you an app to add this automatically.

Security implications

Adding a new certificate to your list of trusted credentials potentially gives the owner of that certificate the ability to impersonate any secure server, such as a secure website or email server, defeating the verification mechanism of SSL/TLS. Only install new credentials from sources that you trust.