by avian 2760 days ago
I run some services for my private use. It's crazy that I need to have them certified by some third-party overseas CA since I can't get my own devices to trust my own certificates.

We're not at that point yet, but running your own trust root is getting quite annoying. For example, Android constantly nags about "network might be monitored" when custom certificates are installed.

2 comments

> Android constantly nags about "network might be monitored" when custom certificates are installed.

It won't if you add name constraints to your root certificate (because then it can't be used for blanket monitoring).

Does this actually work now? A name-constrained CA (or even its CSR) used to break things in absolutely hilarious ways.
> Android constantly nags about "network might be monitored" when custom certificates are installed.

This is why I baked my home network certificate into the system trust store when building the ROM.

What tools / guide did you use to accomplish this (building the ROM AND adding your certificate)?
(maybe not what you were asking)

But for beginners there are some pretty nice LineageOS build guides floating around:

For specific pieces of hardware: https://wiki.lineageos.org/build_guides.html

Generic instructions: https://forum.xda-developers.com/chef-central/android/how-to...

As far as changing the certs, I know offhand how to do it with a couple of random Linux distros, but I'm not 100% sure for Android; you might just try searching the repo for the default certs, then looking at how they are built into the image and tweaking that.