Can't install CA certificate on Android 11

Question

On preview version of Android 11 I got an error when trying to install CA certificate:

Intent intent = new Intent("android.credentials.INSTALL");
intent.putExtra("name", getCertName());
intent.putExtra("CERT", getCert());
startActivity(intent);

The error message is:

Can't install CA certificates

CA certificates can put your privacy at risk and must be installed in Settings.

I haven't found nothing on Android documentation about this change. Any ideas? Any workarounds (except to install it manually from settings)?

UPDATE (28/4):

Found a bug in issuetracker: https://issuetracker.google.com/issues/151858120

Answer 1

I have also face same issue.

Please follow below steps in android 11 or 11+.

In Android 11, to install a CA certificate, users need to manually:

1. Open Device settings
2. Go to 'Security'
3. Go to 'Encryption & Credentials'
4. Go to 'Install from storage' or 'Install a certificate' (depend on devices)
5. Select 'CA Certificate' from the list of types available
6. Accept a warning alert.
7. Browse to the certificate file on the device and open it
8. Confirm the certificate install

On "modern" Samsung phones

it's hidden in Settings -> Biometrics and security -> Other security settings -> Install from device storage -> CA Certificate -> Install Anyway

Answer 2

There's a tiny note about this in the Android 11 enterprise changelog here, which says:

Note: Apps installed on unmanaged devices or in a device's personal profile can no longer install CA certificates using createInstallIntent(). Instead, users must manually install CA certificates in Settings.

Sounds very much like this is intentional, and you won't be able to get around it on normal unmanaged devices. You'll either need to look into full Android device management, or provide instructions to your users on doing manual setup instead.

Note that registering your app as a normal device admin app is not sufficient either. To use the remaining DevicePolicyManager.installCaCert API your app must be the owner of the device or profile.

That means from Android 11+, you can do automatic setup for CA certs used only within separate & isolated work profiles on the device, or for fresh devices that you provision with your app pre-installed, and nothing else.

If you'd like this behaviour changed, there's an issue you can star & comment on in the Android tracker here: https://issuetracker.google.com/issues/168169729