-
Notifications
You must be signed in to change notification settings - Fork 0
Quest Cert Install
Installing your mkcert root CA on a Meta Quest 3 / 3S so Quest Browser trusts your LAN HTTPS. The painful step of Cordless Setup mkcert HTTPS — painful because Meta's Horizon OS consumer shell hides the standard Android cert-install UI.
The Settings panel you see when you tap the gear icon in VR is Meta's Horizon Settings, not AOSP Settings. The cert-install option is in AOSP Settings, which is still installed underneath but not surfaced in the Horizon UI. To get to it, you launch the AOSP Settings activity directly via ADB.
adb push "$env:LOCALAPPDATA\mkcert\rootCA.pem" /sdcard/Download/openmuscle-vr-rootCA.pemShould print something like 1 file pushed, 0 skipped. 7.3 MB/s (1805 bytes in 0.000s).
adb shell 'am start -n com.android.settings/.Settings\$SecurityDashboardActivity'The $ MUST be backslash-escaped through both PowerShell single-quotes AND the Android shell. Without the escape, $ gets eaten as a variable expansion and the activity name truncates to just .Settings which is not exported (Permission Denial).
Should print: Starting: Intent { cmp=com.android.settings/.Settings$SecurityDashboardActivity }.
The 2D Settings panel may not appear immediately in your view. Horizon shell aggressively suppresses unfamiliar 2D activities. Press the Meta button on your right controller, look for "Settings" (or similar) in the universal-menu app switcher, and click to bring it forward.
In the AOSP Security dashboard:
- Trusted credentials section
- Encryption sub-section
- Install a certificate
- CA certificate
Quest pops a generic Android warning: "Your data won't be private" → tap Install anyway. Your own root CA, the warning is Android boilerplate that doesn't know the cert isn't malicious.
If you don't already have a PIN/pattern/password set on the headset, Quest refuses the cert install and prompts you to set one. Set any PIN, then go back to step 4 and re-do it.
The file picker defaults to "Recent" view which is empty on a fresh install. You have to navigate manually:
- Tap the hamburger menu (≡) at the top of the picker
- Navigate to Internal Storage → Download
- Tap openmuscle-vr-rootCA.pem
Success message: "CA certificate installed" or similar.
You only do this once per headset. The CA stays trusted across Horizon OS updates.
Open Quest Browser and navigate to https://<your-LAN-ip>:8000/vr. If the address bar shows a 🔒 lock icon and the page loads without a cert warning, the install worked.
The three-checkmark preflight on the landing page also confirms HTTPS is satisfying WebXR's secure-context requirement.
Two options:
- Use the USB tethered path (Quick Start) — works perfectly without any certs. Slower for field-capture sessions (cable in the way) but fine for development iteration.
- Meta Quest Developer Hub (MQDH) has an admin-level cert install UI that Horizon shell doesn't suppress. If you've installed MQDH for development, check Settings → Device → Certificates within MQDH. May be easier than the ADB dance for some users.
In case you need to launch other AOSP Settings screens via ADB for future Quest debugging, these are the activities I've confirmed work on Horizon OS:
| Activity | Purpose |
|---|---|
com.android.settings/.Settings$SecurityDashboardActivity |
Security menu (the one used above) |
com.android.settings/.Settings$TrustedCredentialsSettingsActivity |
View installed certs (good for verifying yours is there after install) |
com.android.settings/.security.CredentialStorage |
Direct cert-install activity (Horizon often suppresses its panel — use the Dashboard one instead) |
com.android.settings/.Settings$NetworkDashboardActivity |
Network settings |
com.android.settings/.Settings$DevelopmentSettingsDashboardActivity |
Developer options |
These don't exist on current Horizon OS (Error type 3, don't try):
-
com.android.settings/.Settings$SecuritySettingsActivity— older Android name, removed -
com.android.settings/.Settings$EncryptionAndCredentialActivity— renamed
These exist but are not exported (Permission Denial from ADB):
-
com.android.settings/.Settings— the bare main activity
Enumerated via adb shell dumpsys package com.android.settings | grep com.android.settings/. The list isn't stable across Horizon OS versions — if a future version breaks the procedure, re-enumerate and update Troubleshooting.