[gh02t]

Same for me, but don't a lot of corporate IT policies deploy root certificates to devices too? You'd think there has to be a way to do it.

[jeroenhd]

User certificates still work fine. Apps have to opt into the user CA store (many of them don't) but any app deployed by IT should be fine. Chrome works, Firefox can be made to work, and I believe the Gmail app also works with user CA certificates.

[gh02t]

Thanks for the clarification, I was pretty confused by the article on this detail myself. Per app opt seems like a reasonable compromise for my use as long as the browser recognizes my CA, as that's the one I care about.

[jeroenhd]

The biggest issue is that the developer needs to opt in, the user can't decide "my email client should trust this certificate".