**Home Assistant version:**
- not applicable/relevant
**Last working Home Assistant release (if known):**
- not applicable/relevant
**Description of problem, include YAML if issue is related to notifications:**
- not applicable/relevant
**Companion App Logs:**
- not applicable/relevant -> "known issue"
**Screenshot or video of problem:**
- not applicable/relevant
**Issue Description**

This bug is the result of a missing possibility in Wear OS 3.x to install private CA certificates into the Android keystore:
- Wear OS has no settings app to install private certificates.
- In Wear OS 2.x (Android 9/10) it is possible to install private CA certificates using adb commands.
- In Wear OS 3.x (due to a change in Android 11 [read more]) only the settings app and OEM apps are allowed to save certificates in the keystore; the adb solution is not supported anymore, and there is still no certificate settings app for Wear OS.

**Justification**

This is not considered a feature request since:
- Private CAs have always been supported by HA (supported everywhere else).
- For Wear OS 2.x it works with private CAs.
- A workaround/fix of a problem is not a feature.

Private CAs are required since:
- A public certificate is not always an option, since it always requires exposure to the internet.
- E.g. even the "Let's Encrypt DNS-01 challenge" requires a one-time internet connection every 90 days (since its certificates are only valid for 90 days).

**Solution options**

There are plenty of options for how to fix or work around the incompatibilities of Wear OS 3 / Android 11.

Most solutions end up saving the CA file in the app's secure storage and then validating against the local, securely stored CA file. For ease of implementation this should happen at first setup of the Wear OS Companion app.

This could be accomplished by:
- Having a file picker to choose a local CA file, which is then loaded into the app's secure storage.
- Showing the certificate fingerprint of the chosen HA instance/IP with an "accept" button, which downloads the certificate to the app's secure storage.
- Since the phone Companion app is required for first setup, why not transfer the certificate used by the phone, or let the user decide/choose on the phone.

Of course there are many more; feel free to suggest.

**Intention/Next Step**

- First, it should be accepted as a "problem".
- Next, it should be documented as a known incompatibility/issue so no one loses time on troubleshooting.
- Last, it needs to be discussed whether, and subsequently how, it should be addressed.
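The following is an added example, not code from the Home Assistant companion app, showing how an Android/Wear OS app could implement the "CA file in the app's secure storage" approach from the solution options above: it loads a user-supplied CA from the app's private files, derives the SHA-256 fingerprint a user would compare on an "accept" screen, and builds an OkHttp client whose only trust anchor is that CA, so the system keystore (which Wear OS 3 does not let the user extend) is never consulted. The file name `private-ca.pem`, the key-store alias `private-ca` and the host `homeassistant.internal` are assumptions.

```kotlin
import java.io.File
import java.security.KeyStore
import java.security.MessageDigest
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient
import okhttp3.Request

// Assumed alias for the CA entry in the in-memory trust store (illustrative name).
private const val CA_ALIAS = "private-ca"

/** Parse one PEM- or DER-encoded CA certificate from the app's private storage. */
fun loadPrivateCa(caFile: File): X509Certificate {
    val factory = CertificateFactory.getInstance("X.509")
    return caFile.inputStream().use { factory.generateCertificate(it) as X509Certificate }
}

/** Colon-separated SHA-256 fingerprint of the DER encoding, for the "accept" screen. */
fun sha256Fingerprint(cert: X509Certificate): String =
    MessageDigest.getInstance("SHA-256")
        .digest(cert.encoded)
        .joinToString(":") { "%02X".format(it) }

/**
 * Trust manager whose only anchor is the stored private CA. Because the
 * key store is built in memory, nothing has to be written to the Android
 * keystore, which is exactly what Wear OS 3 no longer allows.
 */
fun trustManagerFor(ca: X509Certificate): X509TrustManager {
    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)                 // start from an empty store
        setCertificateEntry(CA_ALIAS, ca)
    }
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(keyStore)
    return tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
}

/** OkHttp client that accepts only certificate chains rooted in the stored CA. */
fun buildPinnedClient(ca: X509Certificate): OkHttpClient {
    val trustManager = trustManagerFor(ca)
    val sslContext = SSLContext.getInstance("TLS").apply {
        init(null, arrayOf(trustManager), null)
    }
    return OkHttpClient.Builder()
        .sslSocketFactory(sslContext.socketFactory, trustManager)
        // The default HostnameVerifier is kept: the chain must also match the HA host name.
        .build()
}

fun main() {
    // Assumed path; inside an Android app this would be File(context.filesDir, "private-ca.pem").
    val ca = loadPrivateCa(File("private-ca.pem"))
    println("Stored CA fingerprint (SHA-256): ${sha256Fingerprint(ca)}")

    val client = buildPinnedClient(ca)
    // Assumed HA instance; its host name must appear in the server certificate's SAN.
    val request = Request.Builder().url("https://homeassistant.internal:8123/api/").build()
    client.newCall(request).execute().use { response ->
        println("Handshake against the private CA succeeded: HTTP ${response.code}")
    }
}
```

Two points worth keeping in mind with this approach: the client above trusts nothing but the private CA, so it should only be used for requests to the HA instance, not for a general-purpose client; and Android's Network Security Config (`<certificates src="@raw/...">`) cannot replace it, because that mechanism only covers certificates bundled into the APK at build time, not a file the user picks at setup. For the "accept the fingerprint" option, the fingerprint shown on the watch must be compared against the value obtained from the server out of band before it is accepted, since a first-use fingerprint pulled over the network proves nothing about who sent it.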
I would love to see this implemented. My current hack is to terminate the SSL connection at a proxy and serve cleartext to the watch. It is pretty ugly.
**Home Assistant Android app version(s):**
**Android version(s):**
**Device model(s):**
best regards Markus