Google’s phones have always supported the full spec. OnePlus used to also do that, but quietly removed support for it. On the OnePlus 8T on Android 11 (last OxygenOS version) you could, but when they switched it to Oppo’s ColorOS that got removed; that’d be 2021-2022 ish, so that fits your experience.
For Samsungs, I don’t know. They let you relock the bootloader with a custom ROM on it, not just after flashing back a stock image? And it does the whole verified boot dance, TPM works and everything?
The key feature here is relocking with your own keys and retaining all the security features as if it was a manufacturer’s build. Rollback protection and everything.
Did you install the certificates at all the appropriate locations?
No certs like that will ever be recognized by browsers by default. You need to add your CA to your browser, and also every other applicable certificate store. Usually that’d be /usr/share/ca-certificates or command line flags to explicitly define the chain of trust (for example, curl --cacert), or sometimes environment variables like SSL_CERT_FILE.
Also if you have an intermediate CA and only trust the root CA, the intermediate certificate needs to be bundled with the server’s certificate so the browser can trace the chain of trust all the way to something it already trusts (i.e. your root CA).
That’s kind of a rabbit hole on its own since it varies from software to software how it’s done, and also OS to OS. On Mac for example, that’s managed through Keychain.
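The intermediate-CA point from the comment above, as an added example that is not part of the original comment: it builds a throwaway root, intermediate and server certificate, then verifies the server certificate while trusting only the root, first without and then with the intermediate bundled. It assumes openssl is on PATH; all names and file names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo chain: root CA -> intermediate CA -> server certificate.
# Every name here (Demo Root CA, server.example.internal) is made up.

# issue <name> <subject> <extfile> [<issuer>]: no issuer means self-signed.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "$4" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  fi
}

make_chain() {   # make_chain <dir>
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.internal\n' > leaf.ext
    issue root "/CN=Demo Root CA" ca.ext &&
    issue intermediate "/CN=Demo Intermediate CA" ca.ext root &&
    issue server "/CN=server.example.internal" leaf.ext intermediate &&
    # What the server should present: its own cert followed by the intermediate.
    cat server.pem intermediate.pem > fullchain.pem )
}

# Client trusts only the root; server sends only its leaf certificate.
verify_leaf_only() { openssl verify -CAfile "$1/root.pem" "$1/server.pem"; }

# Client trusts only the root; server sends leaf + intermediate (fullchain.pem).
verify_with_bundle() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/fullchain.pem" "$1/server.pem"
}

demo=$(mktemp -d)
make_chain "$demo"
verify_leaf_only "$demo" || echo "leaf only: chain cannot be built to the root"
verify_with_bundle "$demo" && echo "leaf + intermediate: chain verifies"
rm -rf "$demo"
```

The leaf-only run fails with "unable to get local issuer certificate", which is the same gap a browser hits when the server is configured with server.pem instead of fullchain.pem.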