Implementing Explicit SSL Trust in Android with TrustManagerFactory

Written by emSign Editorial | Dec 28, 2023 11:48:00 AM


Explicit SSL trust in Android makes it possible to trust root certificates that were not shipped with outdated OS versions, on devices that may no longer receive updates from the OEM.

There are several ways to achieve this. Here is a general overview of the complete implementation process.

In Android app development, secure communication with servers is crucial to protect sensitive data. SSL/TLS certificates play a vital role in securing the communication channel. However, there may be scenarios where custom trust is needed for certificates issued by Certificate Authorities (CAs) whose roots are not distributed with older Android systems.

The code snippet uses the widely used OkHttp and Retrofit libraries for the implementation. The code below adds custom trust only on devices running Android 10 and below.


Prerequisite

  1. Certificate of the issuing CA (.crt or .cer).

Steps to implement SSL Trust using TrustManager

1. Add the CA certificate file to the project as a raw resource.

In the project directory, create a raw folder inside app/src/main/res and paste the file there.

2. Create a method that returns an OkHttp client with a custom TrustManager.

This method returns the OkHttp client with the custom TrustManager. It checks the Android SDK version and calls the addCustomTrustManager method described in Step 3. In our case addCustomTrustManager is called only when the device runs Android 10 (Build.VERSION_CODES.Q) or lower.

4. Create a method that returns a Retrofit client for making the API call.

This method returns a Retrofit client configured with the OkHttp client from Step 2. Use it to instantiate the Retrofit client and make the API calls.

public static Retrofit createRetrofitClient(Context context) throws Exception {
    OkHttpClient client = getOkHttpClient(context);
    return new Retrofit.Builder()
            .baseUrl(BASE_URL)
            .client(client)
            .addConverterFactory(GsonConverterFactory.create())
            .build();
}

Sample Code

package com.emudhra.customtrustmanager;

import android.content.Context;
import android.os.Build;

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import okhttp3.OkHttpClient;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;

public class APIUtils {

    public static final String BASE_URL = "<Base URL of API>";

    public static ApiService getApiService(Context context) throws Exception {
        return createRetrofitClient(context).create(ApiService.class);
    }

    /* Below method creates a Retrofit client for making the API call using the OkHttp client. */
    public static Retrofit createRetrofitClient(Context context) throws Exception {
        OkHttpClient client = getOkHttpClient(context);
        return new Retrofit.Builder()
                .baseUrl(BASE_URL)
                .client(client)
                .addConverterFactory(GsonConverterFactory.create())
                .build();
    }

    /* Below method creates an OkHttp client with basic configuration and also adds the custom TrustManager for Android 10 and below. */
    public static OkHttpClient getOkHttpClient(Context context) throws KeyStoreException, CertificateException, IOException,
            NoSuchAlgorithmException, KeyManagementException {

        OkHttpClient.Builder builder = new OkHttpClient.Builder()
                .readTimeout(60, TimeUnit.SECONDS)
                .connectTimeout(60, TimeUnit.SECONDS);

        // Add custom trust manager for Android 10 (API level 29) and below.
        if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.Q) {
            addCustomTrustManager(context, builder);
        }
        return builder.build();
    }

    /* Below method creates the custom TrustManager that verifies the server's certificate chain against the bundled CA. */
    public static void addCustomTrustManager(Context context, OkHttpClient.Builder builder) throws KeyStoreException, CertificateException,
            IOException, NoSuchAlgorithmException, KeyManagementException {

        // Load the CA certificate added as a raw resource in Step 1.
        // R.raw.ca_certificate is a placeholder for the name of your file.
        X509Certificate yourCertificate;
        try (InputStream caFileInputStream = context.getResources().openRawResource(R.raw.ca_certificate)) {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            yourCertificate = (X509Certificate) certificateFactory.generateCertificate(caFileInputStream);
        }

        // Put the CA into an empty KeyStore that serves as the trust store.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("certificate_name", yourCertificate);

        // Create a TrustManager that trusts only chains which validate up to the bundled CA.
        // The TrustManagerFactory performs full path validation (signatures, validity period,
        // basic constraints). Merely checking whether the CA certificate appears somewhere in the
        // presented chain is not sufficient, because that chain is supplied by the remote peer.
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected trust managers: " + Arrays.toString(trustManagers));
        }
        X509TrustManager trustManager = (X509TrustManager) trustManagers[0];

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { trustManager }, null);
        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

        // OkHttp needs the same trust manager it will use for hostname-independent chain checks.
        builder.sslSocketFactory(sslSocketFactory, trustManager);
    }
}


Explicit trusting of SSL certificates in Android is essential in certain scenarios, such as outdated Android versions or devices that no longer receive OEM updates. By implementing a custom TrustManager with Retrofit and OkHttp, the app can ensure secure communication with its servers. The Step 3 code can also be used with other networking libraries such as Volley, or with the default HttpURLConnection, to achieve the same result.
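The sample above trusts only the bundled CA, so on Android 10 and below the app would also stop trusting servers whose chains end at a root the device already has. As an added example that goes beyond the original post, the hypothetical FallbackTrustManager below consults the platform trust store first and falls back to the bundled CA, using full TrustManagerFactory path validation in both cases; it takes the X509Certificate parsed in Step 3 and is wired into an SSLContext and builder.sslSocketFactory() exactly as there.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* Hypothetical helper (not from the page): a chain is trusted if EITHER the device's platform
   trust store OR the single CA bundled in res/raw (the X509Certificate parsed in Step 3) validates it. */
public final class FallbackTrustManager implements X509TrustManager {
    private final X509TrustManager platform; // system roots present on this device
    private final X509TrustManager bundled;  // only the CA shipped with the app

    public FallbackTrustManager(X509Certificate bundledCa) throws Exception {
        platform = firstX509(newFactory(null)); // a null KeyStore selects the platform default trust store
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("bundled_ca", bundledCa);
        bundled = firstX509(newFactory(ks));
    }
    private static TrustManagerFactory newFactory(KeyStore ks) throws Exception {
        TrustManagerFactory f = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        f.init(ks);
        return f;
    }
    private static X509TrustManager firstX509(TrustManagerFactory f) {
        for (TrustManager tm : f.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager from " + f.getAlgorithm());
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            platform.checkServerTrusted(chain, authType); // full path validation against system roots
        } catch (CertificateException rootMissingOnThisDevice) {
            // Same full validation (signatures, validity, constraints) against the bundled CA instead.
            bundled.checkServerTrusted(chain, authType);
        }
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { // union of both sets, used by OkHttp's chain cleaner
        X509Certificate[] a = platform.getAcceptedIssuers(), b = bundled.getAcceptedIssuers();
        X509Certificate[] all = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, all, a.length, b.length);
        return all;
    }
}
```

Hostname verification is unaffected: OkHttp still checks the server name against the leaf certificate with its default HostnameVerifier regardless of which store validated the chain.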