CA x.509 generated by bouncy castle is seen on Android as user certificate

Question

I am using following code to generate root CA:

public static X509Certificate buildRootCert(KeyPair keyPair)
throws Exception {
    X509v1CertificateBuilder certBldr = new JcaX509v1CertificateBuilder(
    new X500Name("CN=Root"),
    BigInteger.valueOf(1),
    new Date(System.currentTimeMillis()),
    new Date(System.currentTimeMillis() + 1000 * 3600 * 24),
    new X500Name("CN=Root"), keyPair.getPublic());

    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA")
    .setProvider("BC").build(keyPair.getPrivate());

    return new JcaX509CertificateConverter().setProvider("BC")
    .getCertificate(certBldr.build(signer));
}

After that I need 2 more steps to have CA Cert

1. Print base64 code of cert with PEMWriter
2. Copy output to root.crt file.

Windows recognizes it as CA Certificate and shows warning ...this certifiacate is not trusted..., but when I am trying to install this cert to Android it shows

The package contains: one user certificate

Installation is proceeded but cert is not present in user trusted list

Is this correct way to generate self-signed CA?

Answer 1

I have added basic constraints and it started to recognize it as a CA.