you can still use a user-provided root-ca, but depending on API level an app targets, the App needs to opt-in to trust user-supplied root-CAs on the device
https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
User-added CAs
[…]. Android Nougat changes how applications interact with user- and admin-supplied CAs. By default, apps that target API level 24 will—by design—not honor such CAs unless the app explicitly opts in. […]
this is achirved with a network-security-config of the App as in https://developer.android.com/training/articles/security-config
- Custom trust anchors: Customize which Certificate Authorities (CA) are trusted for an app’s secure connections. For example, trusting particular self-signed certificates or restricting the set of public CAs that the app trusts.
I gave this a try, it’s a bit cumbersome but Firefox has a hidden option for this, and accepted a certificate signed by my own root-ca-cert.
Firefox added it within https://github.com/mozilla-mobile/fenix/issues/3728
(enable secret menu via logo touch incantation → secret settings → enable user trust-ca)
Bromite added this in https://github.com/bromite/bromite/pull/1110
(goto chrome://flags → search for “allow”, enable “allow-user-certificates”