Allowing users to grant managed apps' access to certificates without user interaction was not possible prior to Android Marshmallow, so now, a new callback has been added:
DeviceAdminReceiver.onChoosePrivateKeyAlias (Context context, Intent intent, int uid, Uri uri, String alias)
This callback will allow the device owner to provide the alias silently to the requesting application.