Trying to use Self-Signed Certs for a Closed Network?

After engaged on few closed network design and deployments, it’s common for customer to use self-signed certificates versus public CAs. Customer’s environment are typically air-gapped and have no external connectivity. Hence, public SSL cert really serves no purposes and create issues with CRL checks.

Previoulsy, for Android Work Managed enrollment, public SSL (due to trust issues) were required in order to enroll the devces or the OEM would have to some how sideload the self-signed certificate to the device. With 22.01 Intelligent Hub, self-signed cert can be installed before the enrollment.

Using Self-Signed Certificate

The certificate provisioning DPC extra feature allows Android Entreprise Intelligent Hub to install a certificate before enrollment. 

If this DPC extra is included in the QR code, then Hub will automatically proceed as Device Owner (fully managed) mode, install the certificate, and then enroll.

Note if the console is configured for COPE mode, then enrollment will fail on Android 11+.

Follow these steps to obtain the encoded certificate data:

  1. Upload the certificate to an Android Credentials profile
  2. Save the profile.  Do not assign it to any devices
  3. Select the Profile and view the Profile XML.  The ‘CertificateData’ in the profile XML is what is used in the JSON below.

Add the following key to the Admin Extras Bundle in the QR Code provisioning JSON: “workManagedCertData”:”encoded certificate data”



{       "serverurl":"",       "gid":"",       "un":"",       "pw":"",      "workManagedCertData":"encoded certificate data"    }



Intelligent Hub 22.01


Leave a Comment