Secure Wi-Fi Enterprise configuration
Stay organized with collections
Save and categorize content based on your preferences.
On Android 11 QPR1 and higher, the system mandates strict security
configurations for TLS-based Wi-Fi Enterprise configurations (like PEAP, TLS,
or TTLS). When adding a new Enterprise configuration using the methods
specified in the Wi-Fi infrastructure overview or using
addNetwork, the caller must configure both a
Root CA certificate, and either a domain suffix match or an alternate subject
match. If the new configuration isn't set up properly, the system rejects it
and it's not added or saved.
This security requirement uses the Root CA provided by the app to
cryptographically validate the authentication server's certificate and domain
name. This ensures that the user is connected to a trusted network.
An app that needs to create a secure Enterprise configuration must call either
setCaCertificate or setCaCertificates.
This sets a Root CA certificate or a
list of Root CA certificates. The app must then call either
setAltSubjectMatch or
setDomainSuffixMatch to set an alternate subject or a domain name suffix.
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2023-06-28 UTC.
[null,null,["Last updated 2023-06-28 UTC."],[],[],null,["# Secure Wi-Fi Enterprise configuration\n\nOn Android 11 QPR1 and higher, the system mandates strict security\nconfigurations for TLS-based Wi-Fi Enterprise configurations (like PEAP, TLS,\nor TTLS). When adding a new Enterprise configuration using the methods\nspecified in the [Wi-Fi infrastructure overview](/guide/topics/connectivity/wifi-infrastructure) or using\n[`addNetwork`](/reference/android/net/wifi/WifiManager#addNetwork(android.net.wifi.WifiConfiguration)), the caller must configure both a\nRoot CA certificate, and either a domain suffix match or an alternate subject\nmatch. If the new configuration isn't set up properly, the system rejects it\nand it's not added or saved.\n\nThis security requirement uses the Root CA provided by the app to\ncryptographically validate the authentication server's certificate and domain\nname. This ensures that the user is connected to a trusted network.\n\nAn app that needs to create a secure Enterprise configuration must call either\n[`setCaCertificate`](/reference/android/net/wifi/WifiEnterpriseConfig#setCaCertificate(java.security.cert.X509Certificate)) or [`setCaCertificates`](/reference/android/net/wifi/WifiEnterpriseConfig#setCaCertificates(java.security.cert.X509Certificate%5B%5D)).\nThis sets a Root CA certificate or a\nlist of Root CA certificates. The app must then call either\n[`setAltSubjectMatch`](/reference/android/net/wifi/WifiEnterpriseConfig#setAltSubjectMatch(java.lang.String)) or\n[`setDomainSuffixMatch`](/reference/android/net/wifi/WifiEnterpriseConfig#setDomainSuffixMatch(java.lang.String)) to set an alternate subject or a domain name suffix."]]
