 

Can't install CA certificate on Android 11

On the preview version of Android 11 I got an error when trying to install a CA certificate:

```java
Intent intent = new Intent("android.credentials.INSTALL");
intent.putExtra("name", getCertName());
intent.putExtra("CERT", getCert());
startActivity(intent);
```

The error message is:

Can't install CA certificates

CA certificates can put your privacy at risk and must be installed in Settings.


I haven't found anything in the Android documentation about this change. Any ideas? Any workarounds (except to install it manually from settings)?

UPDATE (28/4):

Found a bug in issuetracker: https://issuetracker.google.com/issues/151858120

zvi asked Apr 23 '20 11:04


2 Answers

I have also faced the same issue.

Please follow the steps below on Android 11 or 11+.

In Android 11, to install a CA certificate, users need to manually:

  1. Open Device settings
  2. Go to 'Security'
  3. Go to 'Encryption & Credentials'
  4. Go to 'Install from storage' or 'Install a certificate' (depends on the device)
  5. Select 'CA Certificate' from the list of types available
  6. Accept a warning alert.
  7. Browse to the certificate file on the device and open it
  8. Confirm the certificate install

On "modern" Samsung phones it's hidden in Settings -> Biometrics and security -> Other security settings -> Install from device storage -> CA Certificate -> Install Anyway

Yogendra answered Oct 23 '22 19:10


There's a tiny note about this in the Android 11 enterprise changelog here, which says:

Note: Apps installed on unmanaged devices or in a device's personal profile can no longer install CA certificates using createInstallIntent(). Instead, users must manually install CA certificates in Settings.

Sounds very much like this is intentional, and you won't be able to get around it on normal unmanaged devices. You'll either need to look into full Android device management, or provide instructions to your users on doing manual setup instead.

Note that registering your app as a normal device admin app is not sufficient either. To use the remaining DevicePolicyManager.installCaCert API your app must be the owner of the device or profile.

That means from Android 11+, you can do automatic setup for CA certs used only within separate & isolated work profiles on the device, or for fresh devices that you provision with your app pre-installed, and nothing else.

If you'd like this behaviour changed, there's an issue you can star & comment on in the Android tracker here: https://issuetracker.google.com/issues/168169729

Tim Perry answered Oct 23 '22 18:10
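
The install paths described in the answers above, put together as an added example (this is not code from the question or from either answer). The class name `CaCertInstaller`, its `Result` enum and the `admin` component are hypothetical; the sketch assumes the app declares a `DeviceAdminReceiver` and is called from an Activity.

```java
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Build;
import android.provider.Settings;
import android.security.KeyChain;
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Hypothetical helper: picks the CA install path that the running Android version still allows. */
public final class CaCertInstaller {
    public enum Result { INSTALLED_BY_POLICY, LEGACY_PROMPT_SHOWN, MANUAL_INSTALL_REQUIRED }

    /** admin: the app's DeviceAdminReceiver component (assumed); cert: DER or PEM encoded X.509. */
    public static Result install(Activity activity, ComponentName admin, String name, byte[] cert)
            throws CertificateException {
        // Parse first and refuse anything that is not marked as a CA (basicConstraints CA flag).
        X509Certificate parsed = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(cert));
        if (parsed.getBasicConstraints() < 0) {
            throw new CertificateException("Not a CA certificate: " + parsed.getSubjectX500Principal());
        }
        DevicePolicyManager dpm = activity.getSystemService(DevicePolicyManager.class);
        String pkg = activity.getPackageName();
        // Being a device admin is not enough: the app must own the device or the profile.
        if (dpm != null && (dpm.isDeviceOwnerApp(pkg) || dpm.isProfileOwnerApp(pkg))
                && (dpm.hasCaCertInstalled(admin, cert) || dpm.installCaCert(admin, cert))) {
            return Result.INSTALLED_BY_POLICY;
        }
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.R) {
            // Android 10 and earlier: the system install prompt from the question still works.
            Intent intent = KeyChain.createInstallIntent();
            intent.putExtra(KeyChain.EXTRA_NAME, name);
            intent.putExtra(KeyChain.EXTRA_CERTIFICATE, cert);
            activity.startActivity(intent);
            return Result.LEGACY_PROMPT_SHOWN;
        }
        // Android 11+ on an unmanaged device: only the user can install it, from Settings.
        activity.startActivity(new Intent(Settings.ACTION_SECURITY_SETTINGS));
        return Result.MANUAL_INSTALL_REQUIRED;
    }
}
```

When the result is `MANUAL_INSTALL_REQUIRED`, the app still has to show the user the manual steps listed in the first answer, since the Settings screen opened here is only the starting point.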