Basics
About Knox
Knox licenses
Knox white paper
- Introduction
  - The Samsung Knox Platform
  - Feature Summary
- Core Platform Security
- Network Security
  - Virtual Private Networks
  - Network Platform Analytics
- Certificate Management
- Device Management
- User Authentication
  - Biometric Authentication
- App and Data Protection
- Appendix
Sign up for Samsung Knox
- Samsung Account
- Single sign-on
Latest release notes
General Knox FAQ
General Knox KBAs
Submit a support ticket
User Acceptance Testing
- Introduction
- Get started with UAT
- Report issues
- UAT limitations
- FAQ
- UAT 23.03 release notes
For IT admins
Knox Admin Portal
- Overview
- What's new
- Get started
- How-to guides
- Knox Remote Support
- Release notes
Knox Suite
- Introduction
- How-to videos
- Get started
- Learn more about Knox Suite
- Enterprise Edition devices
- FAQ
- KBAs
Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Knox Service Plugin
- Release notes
- Migrate to Android 11
  - Device management modes
  - Prepare Knox for Android 11
- FAQs
- Troubleshoot
  - Get device logs
- KBAs
Knox Mobile Enrollment
- Introduction
- Get started
- Features
- Advanced profiles
- Release notes
- FAQ
- Troubleshoot
  - Get support
- KBAs
- On-Premise
Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- End users: Get started
  - Getting started with Knox Capture
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
Knox Asset Intelligence
- Introduction
- Get started
- Set up reported device data
- Features
- Troubleshoot
  - Device-side errors
  - Portal-side errors
- Real-time location service
- Release notes
- FAQ
- KBAs
Knox Manage
- Introduction
- How-to videos
- Get started
- Configure
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
  - Install an app to devices through an EMM
  - EMM compatibility matrix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
  - Knox E-FOTA Advanced
  - Knox E-FOTA on MDM
Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Release notes
- FAQ
- KBAs
- Support
- Open API reference
Samsung Care+ for Business
- Introduction
- Get started
- Submit claim
- Features
- Release notes
- FAQ
- KBAs
For Knox Partners
Knox Deployment Program
Knox MSP Program

Certificate authority (CA)

Register the Certificate Authority (hereinafter CA) to use the Knox Manage certificate services. Before adding the CA, first download the CA root certificate from a SCEP-supported CA server. This also enables you to issue device certificates and external certificates. The Cloud Connector is provided between the CA server and the Knox Manage server for secure data transmission. For more information about the Cloud Connector, see the Cloud Connector overview.

Add a certificate authority (CA)

To add a CA, complete the following steps:

Navigate to Advanced > Certificate > Certificate Authority (CA).
On the Certificate Authority (CA) page, click Add.

On the Add Certificate Authority page, enter the following CA information.

CA Name—Assign a unique name for each CA.
Description—Enter a description for the CA.

CA Type—Select a CA type. The input information varies depending on the selected CA type.

When the CA type is ADCS:

Item	Description
Host Name	Enter the CA server host URL address. For example: http://emm.smartemm.com/
Request Method	Select a method to send the certificate validity check request to the CA. CERTSRV: Validity is checked with the CRL method when logging into the user device. URL: Validity is checked with the OCSP method when logging into the user device.
CA Cert Chain URL	Enter the CA Cert Chain URL address. NOTE—This field is automatically entered based on the host name if the CERTSRV is selected as the request method.
WSURL	Enter the registered Certificate Enrollment Web Service (CES) address to provide web service with the CA.
Key Algorithm	Select a key algorithm type between EC and RSA.
Key Length	Select a key length. NOTE—The key length varies depending on the selected key algorithm type.
Auth Method	Select an authentication method between User account and Certificate.
User ID	Enter the Knox Manage user ID.
Password	Enter the password for the user ID.
Workstation	Enter the workstation information.
Domain	Enter the domain name that is used on Knox Manage.
Certificate Type	Select a certificate type. NOTE—This field appears only when Certificate is selected as the authentication method.
Certificate KeyStore	Click Browse and select a certificate file in the CER, DER, PFX, or P12 format. NOTE—This field appears only when Certificate is selected as the authentication method.
KeyStore Password	Enter the password for the uploaded certificate KeyStore file. NOTE—This field appears only when Certificate is selected as the authentication method.

When the CA type is Generic SCEP or NDES:

Item	Description
SCEP URL	Enter the SCEP IP or URL to send the certificate validity check request to the CA. For example, http://emm.smartemm.com/certsrv/mscep/mscep.dll
Key Algorithm	Only RSA is supported when Generic SCEP and NDES CA types are selected.
Key Length	Select a key length from among 2048, 3072, or 4096.
Challenge Type	Select a challenge type to authenticate the selected CA type. Dynamic: Enter the information used on the Knox Manage server for authentication configuration. Static: Enter the challenge password. No Challenge: If no challenge is selected the challenge password is not required. NOTE—The Dynamic field is enabled only when the NDES type CA is selected.
User ID	Enter the Knox Manage user ID. NOTE—This field appears only when Dynamic is selected as the challenge type.
Password	Enter the password for the user ID. NOTE—This field appears only when Dynamic is selected as the challenge type.
Domain	Enter the domain name that is used on Knox Manage. NOTE—This field appears only when Dynamic is selected as the challenge type.
Challenge URL	Enter the challenge URL address used on Knox Manage.
Challenge Password	Enter the same password used for the authentication password. NOTE—This field appears only when Static is selected as the challenge type.
Retry Count	Select a maximum number of retry to issue certificates. NOTE—Consider the following items: The default value is set to 5. The retry count value can be between 1 – 10 times.

When the CA type is CertAgent:

Item	Description
RAMI URL	Enter the RAMI IP address or URL to send the certificate validity check request to the CA. For example, http://emm.smartemm.com/certagentadmin/ca/rami
Key Algorithm	Select a key algorithm type between EC and RSA.
Key Length	Select a key length. NOTE—The key length varies depending on the selected key algorithm type.
CA Account	Enter the CA account ID.
Certificate KeyStore	Click Browse and select a certificate file in the CER, DER, PFX or P12 format.
KeyStore Password	Enter the password for the uploaded certificate KeyStore file.

When CA type is EST:

Item	Description
Host Name	Enter the CA server host URL address.
Port	Enter the CA server host port number.
Use proxy	Click the Use proxy check box to enable proxy use for the CA server.
CA Label	Enter the CA server label. NOTE—Contact Knox Manage Technical Support for the CA label.
Key Algorithm	Select a key algorithm type between EC and RSA.
Key Length	Select a key length. NOTE—The key length varies depending on the selected key algorithm type.
Challenge Password	Enter the password for the CA server authentication.
Auth Method	Select an authentication method between User account and Certificate.
User ID	Enter the Knox Manage user ID.
Password	Enter the password for the user ID.
Certificate KeyStore	Click Browse and select a certificate file in the CER, DER, PFX or P12 format. NOTE—This field appears only when Certificate is selected as the authentication method.
KeyStore Password	Enter the password for the uploaded certificate KeyStore file. NOTE—This field appears only when Certificate is selected as the authentication method.

Test Connection—Click to check if the entered CA information connects to the CA server successfully.

NOTE—To add a CA, you must pass the connection test.
Managing CA—Select a CA server name from the root CA list.

Click Save.

View a certificate authority (CA)

Navigate to Advanced > Certificate > Certificate Authority (CA) to view all the CA information on the Certificate Authority (CA) page.

To view the detailed information of a specific CA, click the CA name of a specific CA on the list.

Modify a certificate authority (CA)

To modify a CA, complete the following steps:

Navigate to Advanced > Certificate > Certificate Authority (CA).
On the Certificate Authority (CA) page, click the check box for the CA you want to modify, and the click Modify.
On the Modify Certificate Authority page, modify the CA information. The information varies depending on the selected CA type.

NOTE—You can register a new root certificate when modifying the CA.
Click Save.

Delete a certificate authority (CA)

To delete a CA, complete the following steps:

Navigate to Advanced > Certificate > Certificate Authority (CA).
On the Certificate Authority (CA) page, click the check box for the CA you want to delete, and the click Delete.
In the Delete Certificate Authority window, click OK.

NOTE— You can delete the CA only when there is no template in use.