Unfortunately, I am spread pretty thin at the moment, but I'll try to share a few helpful ideas.
First, did you consider using a public CA? I shared some resources with various approaches at "Selfsign certificate with latest Central - #5 by LN". In particular, https://security.stackexchange.com/a/174743 is where I'd start if I had your requirements. I have also read that CAs have official internal solutions, but I haven't looked into what that entails.
It would be helpful to know more about Chrome's rationale for allowing user-specified CAs. Maybe if you really think a public CA won't work in your case, you could take a quick look to see if anything comes up? Collect can be used for quite sensitive data, so it makes me uncomfortable to stray from Android defaults. I think we'd either want a strong explanation of why it's OK to accept any user-specified CA from another project such as Chrome, or advice from a security professional. We really need to make sure that defaults are secure because running on an internal network is very rare.