CODEWITHSUNDEEP
androidcertificateandroid-11
zvi
zvi

Reputation: 4706

Can't install CA certificate on Android 11

On preview version of Android 11 I got an error when trying to install CA certificate:

Intent intent = new Intent("android.credentials.INSTALL");
intent.putExtra("name", getCertName());
intent.putExtra("CERT", getCert());
startActivity(intent);

The error message is:

Can't install CA certificates

CA certificates can put your privacy at risk and must be installed in Settings.

enter image description here

I haven't found nothing on Android documentation about this change. Any ideas? Any workarounds (except to install it manually from settings)?

UPDATE (28/4):

Found a bug in issuetracker: https://issuetracker.google.com/issues/151858120

Upvotes: 22

Views: 79649

Answers (2)

Yogendra
Yogendra

Reputation: 5258

I have also face same issue.

Please follow below steps in android 11 or 11+.

In Android 11, to install a CA certificate, users need to manually:

  1. Open Device settings
  2. Go to 'Security'
  3. Go to 'Encryption & Credentials'
  4. Go to 'Install from storage' or 'Install a certificate' (depend on devices)
  5. Select 'CA Certificate' from the list of types available
  6. Accept a warning alert.
  7. Browse to the certificate file on the device and open it
  8. Confirm the certificate install

Pixel 6 - Android 14

  1. Open Device settings
  2. Go to Security and privacy
  3. Go to More security and privacy (scroll to the bottom)
  4. Go to 'Encryption & Credentials'
  5. Go to 'Install from storage' or 'Install a certificate' (depending on the devices)
  6. Select 'CA Certificate'
  7. tap on 'Install anyway' and verify security (thumb or PIN etc)
  8. Select your downloaded certificate (it could be available in the downloaded folder)
  9. can see a toast message 'CA certificate installed'. Certificate installed in your device now.

On "modern" Samsung phones

it's hidden in Settings -> Biometrics and security -> Other security settings -> Install from device storage -> CA Certificate -> Install Anyway

Upvotes: 62

Tim Perry
Tim Perry

Reputation: 13216

There's a tiny note about this in the Android 11 enterprise changelog here, which says:

Note: Apps installed on unmanaged devices or in a device's personal profile can no longer install CA certificates using createInstallIntent(). Instead, users must manually install CA certificates in Settings.

Sounds very much like this is intentional, and you won't be able to get around it on normal unmanaged devices. You'll either need to look into full Android device management, or provide instructions to your users on doing manual setup instead.

Note that registering your app as a normal device admin app is not sufficient either. To use the remaining DevicePolicyManager.installCaCert API your app must be the owner of the device or profile.

That means from Android 11+, you can do automatic setup for CA certs used only within separate & isolated work profiles on the device, or for fresh devices that you provision with your app pre-installed, and nothing else.

If you'd like this behaviour changed, there's an issue you can star & comment on in the Android tracker here: https://issuetracker.google.com/issues/168169729

Upvotes: 8

Related Questions