Secure Wi-Fi Enterprise configuration

On Android 11 QPR1 and higher, the system mandates strict security configurations for TLS-based Wi-Fi Enterprise configurations (like PEAP, TLS, or TTLS). When adding a new Enterprise configuration using the methods specified in the Wi-Fi infrastructure overview or using addNetwork, the caller must configure both a Root CA certificate and either a domain suffix match or an alternate subject match. If the new configuration is missing either of these, the system rejects it and it's not added or saved.

This security requirement uses the Root CA provided by the app to cryptographically validate the authentication server's certificate and domain name. This ensures that the user is connected to a trusted network.

An app that needs to create a secure Enterprise configuration must call either setCaCertificate or setCaCertificates. This sets a Root CA certificate or a list of Root CA certificates. The app must then call either setAltSubjectMatch or setDomainSuffixMatch to set an alternate subject or a domain name suffix.
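The sequence above, as an added example that is not part of the original page: a PEAP configuration that sets the Root CA and a domain suffix match before it is submitted. It assumes the app submits the network through the Wi-Fi suggestion API and holds the CHANGE_WIFI_STATE permission; the class name, SSID, server domain, and the rootCaPem stream are hypothetical.

```java
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
import android.net.wifi.WifiNetworkSuggestion;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

public final class SecureEnterpriseWifi {
    // Hypothetical values for illustration only.
    private static final String SSID = "ExampleCorp-WiFi";
    private static final String SERVER_DOMAIN = "radius.example.com";

    /** Builds a PEAP/MSCHAPv2 config with both mandatory validation settings. */
    static WifiEnterpriseConfig buildConfig(InputStream rootCaPem, String identity,
            String password) throws CertificateException {
        // Parse the Root CA shipped with the app (PEM or DER encoded).
        X509Certificate rootCa = (X509Certificate) CertificateFactory
                .getInstance("X.509").generateCertificate(rootCaPem);
        // getBasicConstraints() returns -1 when the certificate is not a CA.
        if (rootCa.getBasicConstraints() < 0) {
            throw new CertificateException("Provided certificate is not a CA certificate");
        }

        WifiEnterpriseConfig config = new WifiEnterpriseConfig();
        config.setEapMethod(WifiEnterpriseConfig.Eap.PEAP);
        config.setPhase2Method(WifiEnterpriseConfig.Phase2.MSCHAPV2);
        config.setIdentity(identity);
        config.setPassword(password);
        // Requirement 1: the Root CA used to validate the server certificate.
        config.setCaCertificate(rootCa);
        // Requirement 2: the domain the server certificate must match
        // (setAltSubjectMatch is the alternative named on this page).
        config.setDomainSuffixMatch(SERVER_DOMAIN);
        return config;
    }

    /** Submits the network as a suggestion; returns true if the system accepted it. */
    static boolean suggest(WifiManager wifiManager, WifiEnterpriseConfig config) {
        WifiNetworkSuggestion suggestion = new WifiNetworkSuggestion.Builder()
                .setSsid(SSID)
                .setWpa2EnterpriseConfig(config)
                .build();
        int status = wifiManager.addNetworkSuggestions(
                Collections.singletonList(suggestion));
        return status == WifiManager.STATUS_NETWORK_SUGGESTIONS_SUCCESS;
    }
}
```

Setting only the Root CA without a domain or alternate subject match would let any server certificate issued under that CA pass validation, which is why the platform requires both.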