Home / Knox Manage / New Knox Manage console / How-to guides /

Manage certificate authorities (CA)

Last updated November 19th, 2025

A Certificate Authority (CA) is a trusted entity that issues digital certificates, which are used to verify the identity of users, devices, and more. You can add and manage certificate authorities in Knox Manage on the Manage Certificate Authority (CA) page.

To upload new, or manage already-issued external certificates, see Manage certificates.

Connect to a new Certificate Authority

To connect to a new CA:

  1. On the Certificates page, go to the TEMPLATES AND CA tab.

  2. Click ACTIONS > Manage Certificate Authority list. The Manage Certificate Authority (CA) page opens.

  3. Click CONNECT CA. The Connect CA page opens.

  4. Enter the following information:

    Field Description
    Certificate Authority (CA) name Assign a unique name for the certificate authority.
    Description Enter a description for the certificate authority (optional).
    CA type Select a CA type. The relevant fields vary depending on the selected CA type.
    Host name Enter the CA server host URL address. For example: http(s)://emm.emmexample.com.
    Request method

    Select a method to send the certificate validity check request to the CA. The field is automatically filled in with the host name if CERTSRV is selected as the request method.

    • CERTSRV — Device sign-ins are verified using the certificate revocation list (CRL) method.
    • URL — Device sign-ins are verified using the Online Certificate Status Protocol (OCSP) method.
      • > CA cert chain URL — Enter the CA Cert Chain URL address.
    WSURL

    Enter the registered Certificate Enrollment Web Service (CES) address to provide web service with the CA.

    For more information on Active Directory Certificate Services (ADCS) CA, refer to your CA vendor's documentation. When a SDCS type CA uses WSURL, the URL may vary depending on the authentication method used.
    SCEP URL Enter the Simple Certificate Enrollment Protocol (SCEP) IP or URL to send the certificate validity check request to the CA. For example: http://emm.emmexample.com/certsrv/mscep/mscep.dll.
    RAMI URL Enter the RAMI IP address or URL to send the certificate validity check request to the CA. For example: http://emm.emmexample.com/certagentadmin/ca/rami.
    Port Enter the CA server host port number.
    CA label

    Enter the CA server label.

    Contact Samsung Knox technical support for the CA label.
    Key algorithm and length

    Select a key algorithm type between Elliptic Curve Cryptography (ECC) and Rivest–Shamir–Adleman (RSA), and a key length.

    The key length varies depending on the selected key algorithm type.
    CA account Enter the CA account ID.
    Auth method Select an authentication method.
    • User account
    • Certificate
    Challenge type

    Select a challenge type to authenticate the selected CA type.

    • Dynamic — Enter the information used on the Knox Manage server for authentication configuration. This field only displays when the selected CA Type is NDES.
    • Static — Enter the challenge password.
    • No Challenge — If no challenge is selected the challenge password is not required.
    User ID

    Enter the CA user ID.

    This field appears only when Dynamic is selected as the challenge type.
    Password

    Enter the password for the user ID.

    This field appears only when Dynamic is selected as the challenge type.
    Workstation Enter the workstation name.
    Domain Enter the domain name that is used on Knox Manage.
    Certificate KeyStore

    Click Browse and select a certificate file in CER, DER, PFX, or P12 format.

    This field appears only when Certificate is selected as the authentication method.
    KeyStore password

    Enter the password for the uploaded certificate KeyStore file.

    This field appears only when Certificate is selected as the authentication method.
    Challenge URL

    Enter the challenge URL address used on Knox Manage.

    This field appears only when Dynamic is selected as the challenge type.
    Retry count

    Select a maximum number of retries to issue certificates.

    Consider the following items:

    • The default value is set to 5.
    • The retry count value can be between 1-10 times.
    Connection type

    Select the type of cloud connection to use for CA.
    Managing CA

    Select a CA server name from the root CA list.

  5. Click CONNECT.

Manage a certificate authority

Edit a certificate authority

You can edit certificate authorities from the Manage Certificate Authority (CA) page:

  1. On the Certificates page, go to the TEMPLATES AND CA tab.

  2. Click ACTIONS > Manage Certificate Authority list. The Manage Certificate Authority (CA) page opens.

  3. Click ACTIONS, then Edit Certificate Authority (CA). The Edit Certificate Authority (CA) page opens.

  4. Edit the necessary details, then click SAVE. Your edits display on the Manage Certificate Authority (CA) page.

Delete a certificate authority

You can delete certificate authorities from the Manage Certificate Authority (CA) page:

  1. On the Certificates page, go to the TEMPLATES AND CA tab.

  2. Click ACTIONS > Manage Certificate Authority list. The Manage Certificate Authority (CA) page opens.

  3. Click ACTIONS, then Delete Certificate Authority (CA). The Delete Certificate Authority (CA) dialog displays. To confirm your intent, click DELETE. Your Certificate Authority is removed from the Manage Certificate Authority (CA) page.

On this page

Is this page helpful?