How to add Root CA certificate in WiFiEnterpriseConfig in Android 11 For EAP based offload?

Question

I want to achieve EAP based offload for Android 11 devices. Adding WiFiNetworkSuggestion without root CA certificate is returning error code (STATUS_NETWORK_SUGGESTIONS_ERROR_ADD_NOT_ALLOWED). Also as per Android developer documentation

The framework enforces security requirements on TLS-based Enterprise suggestions (EAP-TLS, EAP-TTLS, and EAP-PEAP); suggestions to such networks must set a Root CA certificate and a server domain name.

Any further assistance would be appreciated.

Answer 1

I have tried self signed certificate. Android allows to add EAP-TLS based enterprise suggestions post provisioning certificate. Use below code to create x509Certificate which can be later set in WifiNetworkSuggestion.

private X509Certificate getCertificate() {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(context.getAssets().open("mycert.pem"));
            return cert;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

Set Certificate in WifiNetworkSuggestion

WifiNetworkSuggestion.Builder wifiNetworkSuggestion = new WifiNetworkSuggestion.Builder();
            wifiNetworkSuggestion.setSsid("Ssid");

WifiEnterpriseConfig defaultWifiEnterpriseConfig = new WifiEnterpriseConfig();

                    if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.R) {
                        defaultWifiEnterpriseConfig.setCaCertificate(getCertificate());
                        defaultWifiEnterpriseConfig.setDomainSuffixMatch("example.com");
                    }
                    wifiNetworkSuggestion.setWpa2EnterpriseConfig(defaultWifiEnterpriseConfig);

wifiNetworkSuggestion.build();