Home / Knox Manage / New Knox Manage console / How-to guides /

Manage certificate authorities (CA)

Last updated November 6th, 2025

This document is new for the Knox cloud services 25.11 UAT.

On this tab

Register the Certificate Authority (CA) to use the Knox Manage certificate services. You can add and manage certificate authorities on the Manage Certificate Authority (CA) page, accessed through the ACTIONS dropdown menu on the TEMPLATES AND CA tab of the Certificates page.

To learn how to upload new and manage already-issued external certificates, see Manage certificates.

Connect to a certificate authority

To connect to a new certificate authority:

  1. On the Certificates page, go to the TEMPLATES AND CA tab.

  2. Click ACTIONS > Manage Certificate Authority list. The Manage Certificate Authority (CA) page opens.

  3. Click CONNECT CA. The Connect CA page opens.

  4. Enter the following information:

    Field Description
    Certificate Authority (CA) name Assign a unique name for the certificate authority.
    Description Enter a description for the certificate authority (optional).
    CA type Select a CA type. The input information varies depending on the selected CA type.
    Host name Enter the CA server host URL address. For example: http(s)://emm.emmexample.com.
    Request method

    Select a method to send the certificate validity check request to the CA. This field is automatically entered based on the host name if CERTSRV is selected as the request method.

    • CERTSRV — Validity is checked with the CRL method when signing in to the user device.
    • URL — Validity is checked with the OCSP method when signing in to the user device
      • > CA cert chain URL — Enter the CA Cert Chain URL address.
    WSURL

    Enter the registered Certificate Enrollment Web Service (CES) address to provide web service with the CA.

    For more information on ADCS CA, refer to your CA vendor's documentation. When a CA of type ADCS uses WSURL, the URL may vary depending on the authentication method used.
    SCEP URL Enter the SCEP IP or URL to send the certificate validity check request to the CA. For example: http://emm.emmexample.com/certsrv/mscep/mscep.dll.
    RAMI URL Enter the RAMI IP address or URL to send the certificate validity check request to the CA. For example: http://emm.emmexample.com/certagentadmin/ca/rami.
    Port Enter the CA server host port number.
    CA label

    Enter the CA server label.

    Contact Samsung Knox technical support for the CA label.
    Key algorithm and length

    Select a key algorithm type between EC and RSA, and a key length.

    The key length varies depending on the selected key algorithm type.
    CA account Enter the CA account ID.
    Auth method Select an authentication method between User account and Certificate.
    Challenge type

    Select a challenge type to authenticate the selected CA type.

    • Dynamic — Enter the information used on the Knox Manage server for authentication configuration. This field only displays when the selected CA Type is NDES.
    • Static — Enter the challenge password.
    • No Challenge — If no challenge is selected the challenge password is not required.
    User ID

    Enter the CA user ID.

    This field appears only when Dynamic is selected as the challenge type.
    Password

    Enter the password for the user ID.

    This field appears only when Dynamic is selected as the challenge type.
    Workstation Enter the workstation information.
    Domain Enter the domain name that is used on Knox Manage.
    Certificate KeyStore

    Click Browse and select a certificate file in the CER, DER, PFX, or P12 format.

    This field appears only when Certificate is selected as the authentication method.
    KeyStore password

    Enter the password for the uploaded certificate KeyStore file.

    This field appears only when Certificate is selected as the authentication method.
    Challenge URL

    Enter the challenge URL address used on Knox Manage.

    This field appears only when Dynamic is selected as the challenge type.
    Retry count

    Select a maximum number of retry to issue certificates.

    Consider the following items:

    • The default value is set to 5.
    • The retry count value can be between 1-10 times.
    Connection type

    Select the type of cloud connection to use for CA.
    Managing CA

    Select a CA server name from the root CA list.

  5. Click CONNECT.

Manage a certificate authority

You can edit and delete certificate authorities from the Manage Certificate Authority (CA) page.

To edit or delete a certificate authority:

  1. On the Certificates page, go to the TEMPLATES AND CA tab.

  2. Click ACTIONS > Manage Certificate Authority list. The Manage Certificate Authority (CA) page opens.

  3. Click ACTIONS, then Edit Certificate Authority (CA) or Delete Certificate Authority (CA), depending on your intent.

    • If editing a certificate authority, the Edit Certificate Authority (CA) page displays. Edit the necessary details, then click SAVE.

    • If deleting a certificate authority, the Delete Certificate Authority (CA) dialog displays. To confirm your intent, click DELETE.

Is this page helpful?