wi fi – Android 11 does not trust a theoretically properly imported private CA for WiFi EAP-TLS

This question is similar, but unrelated to this one answered two days ago.

I have been using WiFi EAP-TLS at home for nearly a full year, with multiple desktop operating systems and Android 10, with zero problems. Android 11 is a different story: Google changed EAP requirements so CAs must be validated. I have always imported the CA and selected options to verify the CA on all my devices; the trust chain is important to me. Unfortunately, it’s not working on Android 11: the wifi bugcheck logs say, “Certificate verification failed, error 19 (self signed certificate in certificate chain),” and point to the private CA. As far as I am aware, root trust Certificate Authorities, whether public or private, are always self-signed.

Herein lies the problem. CAs must be self-signed, yet Android 11 does not trust self-signed certificates. I have the CA supposedly imported properly into the “User” CA store, it is displayed there, and the per-device client certificate is imported into the WiFi store.

I’ve also asked this question in two places on Reddit, where a couple of educational network admins also have the same CA problem, but no answers have been discovered yet. I’m hoping someone on this forum knows what’s up. Any pointers will be much appreciated!

(I would have also added tags “eap-tls” and “certificate-authority” but I don’t have enough reputation yet)
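
For reference, an added example (not part of the original post) that reproduces verify error 19 with the `openssl` CLI: the same self-signed root produces error 19 when it is only presented in the chain, and verifies OK once it is the configured trust anchor for that check. The CA and server names are constructed for the demo, and it assumes the stock `openssl.cnf` is present.

```shell
#!/usr/bin/env bash
# Constructed lab PKI; every name and file below is made up for this demo.
set -eu

# Create a throwaway self-signed root and a server cert signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Home Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/srv.pem" 2>/dev/null
}

# Print "yes" if subject == issuer (true for every root CA), else "no".
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    [ "${s#subject=}" = "${i#issuer=}" ] && echo yes || echo no
}

# Root is only presented alongside the server cert (-untrusted), not trusted.
# A freshly generated root cannot be in any system store, so this fails.
verify_root_presented_only() {
    openssl verify -untrusted "$1/ca.pem" "$1/srv.pem" 2>&1 || true
}

# Same root, now configured as the trust anchor for this verification.
verify_root_as_anchor() {
    openssl verify -CAfile "$1/ca.pem" "$1/srv.pem" 2>&1 || true
}

demo() {
    d=$(mktemp -d)
    make_pki "$d"
    echo "root self-issued: $(is_self_issued "$d/ca.pem")"
    echo "--- root presented but not trusted ---"
    verify_root_presented_only "$d"
    echo "--- root configured as trust anchor ---"
    verify_root_as_anchor "$d"
    rm -rf "$d"
}
demo
```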