The solution is do not use .p12 , just navigate with Chrome (with configured proxy on wifi) to and install downloaded .pem file.

I had exactly the same problem on my Nexus 5X running Android 7.0. There was previously exported .p12 from Charles 3.11.5 (Help->SSL Proxying->Export Charles Root certificate and Private key). When I tried to install .p12 from phone (Settings->Security->Install from storage) it appears only under "User credentials" and never at "Trusted credentials", and of course SSL with Charles proxy did not work.

The total "how-to" for Android 7.0 would be like that:

  1. Configure WiFi + proxy (how Charles requires it). Connect it.
  2. On device, navigate with Chrome to, accept request for download .pem, then press "open", it launches "Certificate installer" app. Use it to install the certificate as "VPN and apps".
  3. Put the attribute android:networkSecurityConfig="@xml/network_security_config" to <application> at Manifest.xml
  4. Create res/xml/networksecurityconfig.xml with content from the first post (it is totally correct).
  5. Launch Charles and app and have fun.

P.S. Check date/time on the device. It should be correct.