
Automated Certificate Management Environment (ACME) protocol

Last updated March 7th, 2025

ACME features are delivered through the Knox Zero Trust Framework, and are only available for devices managed by an EMM or UEM.

ACME is a protocol that automates the creation, distribution, and installation of certificates without user interaction. ACME certificates are a core part of Samsung Knox’s capabilities, as they can be used to securely authenticate mobile devices to servers, ensuring that only authorized devices can access restricted resources or perform privileged actions.

ACME certificates can be issued by IT admins in a simple, scalable manner, and provide the following benefits:

  • Minimal User Friction: Users can authenticate to enterprise apps via certificates, eliminating the need for users to repeatedly enter lengthy passwords during app usage.

  • Silent Installation: ACME Certificates can be automatically provisioned and silently installed on devices, facilitating high volume deployments.

  • HW-Backed Security: When a Knox device generates a Certificate Signing Request (CSR), a hardware-backed key is bound to the device and cannot leave its secure environment. When the ACME Server wishes to validate a certificate request, the server can leverage Knox Device Health Attestation information to ensure the device is in a secure state upon provisioning.

How It Works

The following diagram provides an overview of how ACME certificates are issued to managed devices.

[Diagram: ACME protocol]

Every ACME client is expected to support key pair generation, device identity attestation, and signing of a Certificate Signing Request (CSR) with the private key. The Knox Zero Trust Framework provides all ACME client capabilities for designated enterprise apps configured by the EMM.

Enterprise apps that have permission to access a specific ACME certificate can make a request to the Knox Zero Trust Framework API to perform certificate provisioning operations. These operations are described in our SDK documentation.

Certificate requests can be initiated by the EMM agent; however, an ACME certificate issued into the EMM agent's own Android Keystore cannot be exposed to other enterprise apps, because a private key generated in Android Keystore is accessible only to the application that owns it. Due to this limitation, the Knox Zero Trust Framework serves as the ACME client: it registers the issued ACME certificate and the corresponding private key with Android Keychain, which allows the installed ACME client certificates to be viewed and selected by explicitly defined enterprise apps.

Specifically, the Knox Zero Trust Framework:

  • Generates a hardware-backed key pair in Keystore for the certificate to be issued by the ACME server.
  • Stores the ACME certificate in Keystore by replacing the device attestation certificate with the issued ACME certificate.
  • Registers the key and ACME certificate with Keychain so that they are visible to other enterprise apps.
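The three steps above, expressed with the public Android DevicePolicyManager and Keystore APIs that a device-owner app could use, as an added illustration that is not Knox Zero Trust Framework code (the page does not show that API). It assumes a DPC with admin component `admin`, the BouncyCastle bcpkix library for CSR encoding, and the hypothetical class and method names used here.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.security.AttestedKeyPair;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPair;
import java.security.cert.Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.List;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/** Hypothetical helper (not the Knox ZTF API): runs inside a device-owner / profile-owner app. */
public final class AcmeKeyProvisioner {
    private final DevicePolicyManager dpm;
    private final ComponentName admin; // the DPC's DeviceAdminReceiver component (assumed)

    public AcmeKeyProvisioner(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /** Step 1: hardware-backed EC key; the ACME server's challenge is bound into the key attestation. */
    public AttestedKeyPair generateAttestedKey(String alias, byte[] acmeChallenge) {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(acmeChallenge) // server-supplied nonce: proves freshness
                .build();
        // idAttestationFlags = 0: no device-identifier attestation, but the challenge still
        // yields an attestation chain (AttestedKeyPair.getAttestationRecord()) for the server.
        return dpm.generateKeyPair(admin, KeyProperties.KEY_ALGORITHM_EC, spec, 0);
    }

    /** Step 2: CSR signed inside the secure hardware; the private key handle never exports key material. */
    public byte[] buildCsr(KeyPair kp, String subjectDn) throws Exception {
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(
                new X500Name(subjectDn), kp.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withECDSA").build(kp.getPrivate()));
        return csr.getEncoded(); // DER CSR, sent to the ACME server together with the attestation chain
    }

    /** Step 3: replace the attestation chain with the issued chain and make it selectable by apps. */
    public boolean installIssuedCertificate(String alias, List<Certificate> issuedChain) {
        return dpm.setKeyPairCertificate(admin, alias, issuedChain, /* isUserSelectable= */ true);
    }
}
```

Which apps may then see the alias is still governed by the DPC's key-selection policy (for example its onChoosePrivateKeyAlias handling), mirroring the "explicitly defined enterprise apps" restriction described above.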
