How to install Fermilab CA certificates on mobile devices iOS & Android

Intended for:

Users who need to install Fermilab Certificate Authority (CA) certificates on their mobile devices. Both the Root CA and Fermi CA certificates will be required for VPN use. Other applications may require other Fermilab CA certificates.

Scenario/Use case:

User needs to install the Root CA and Fermi CA certificates so they can use VPN or other applications on their mobile device.

Instructions:

NOTE:

• You MUST have a PIN or password set to lock screen on your device before installing any certificates.
• This article provides only general guidelines on how to download and install the Fermilab CA certificates. The exact installation details for your device may vary.
• The Cisco AnyConnect VPN software requires the Fermilab Root CA certificate only. Other applications might also require the Fermilab Sub CA 01 and/or SERVICE Sub CA 01. The examples below show how to install only the Fermilab Root CA certificate. Other certificates can be installed following the same steps.
• We recommend DER format for mobile devices. If you have problems with this format, try the PEM format instead. Certificates can be download as individual files in each format or as a zipped archive with all Fermilab CA certificates.

General Instructions

NOTE: The VPN software requires both the Fermilab Root CA certificate and Fermi CA certificate. The examples below show how to install only the Root CA certificate. Other certificates can be installed following the same steps.

1. Download the Fermilab Root CA certificate in DER format from https://authentication.fnal.gov/certs/Fermilab_Root_CA.cer (the file name Fermilab_Root_CA.cer includes an underscore char ‘_’  between words). 
2. The installation process should begin automatically. Follow the instructions . For Android devices, the installation should be complete.
3. On iOS devices, navigate to Settings > General > About > Certificate Trust Settings. Click Enable Trust for the Fermilab Root CA.

Detailed Instructions

1. Download the Fermilab Root CA certificate in DER format from https://authentication.fnal.gov/certs/Fermilab_Root_CA.cer (the file name Fermilab_Root_CA.cer includes an underscore char ‘_’  between words). Certificates can be downloaded as single files, or as a zipped archive with all Fermilab CA certificates. (The Cisco AnyConnect VPN software requires the Fermilab Root CA certificate only.)
2. Install/copy the new certificate into the CA credentials storage on your device. Locate the file with the just-downloaded certificate and click it. You will be asked to type a PIN code. The certificate should be placed in the required CA storage automatically.
3. Configure the new certificate to be trusted. On some devices, like iPhones, this needs to specifically be configured. Typically, all certificate-related settings can be found in the security settings section. (There should be many already pre-installed CA certificates from well-known identity providers such as Entrust, DigiCert and others. Search for your new Fermilab CA certificate in that list or locate a separate store for custom CA certificates.) If the trust of certificates is configurable, make sure the new Fermilab Root CA certificate is trusted.
4. To test your certificate, open https://vpntest.fnal.gov. You should NOT see any prompt connecting to an untrusted site. If you do, it is likely that either the new certificate is not configured as trusted or is not in the right local store.

See Also:

Examples of installation on various devices and OSes available in this article.