Home / Knox Manage / New Knox Manage console / Manage certificates /

Manage certificate authorities (CA)

Last updated April 28th, 2026

A Certificate Authority (CA) is a trusted entity that issues digital certificates, which are used to verify the identity of users and devices.

Before you can register a certificate authority with Knox Manage, you must download the CA root certificate from a Simple Certificate Enrollment Protocol (SCEP) supported CA server.

Knox Manage supports two types of cloud connection to register a CA: direct connection through a public network or connection through the Samsung Cloud Connector (SCC). SCC creates a secure channel for data transfers from your existing enterprise active directory (AD) and CA servers. For more information on installing SCC, see Set up Samsung Cloud Connector.

To upload or manage external certificates, see Manage certificates.

Connect a CA

To connect a CA:

  1. Go to the Certificates page, then click the TEMPLATES AND CA tab.

  2. If you have previously created a template in Knox Manage, click ACTIONS > Manage Certificate Authority list. The Manage Certificate Authority (CA) page opens. Click CONNECT CA.

  3. If you haven’t created a template before, go to the TEMPLATES AND CA tab, then click ADD TEMPLATE. Next to the CA name field, click CONNECT CA.

  4. The Connect CA page opens. Enter the following information:

    • Certificate Authority (CA) name — Assign a unique name for the CA. Only alphanumeric characters are accepted. The maximum number of characters allowed is 100.
    • Description — Enter a description for the CA (optional). The maximum number of characters allowed is 100.
    • CA type — Select a CA type: ADCS, Generic SCEP or NDES, CertAgent, or EST. The fields vary depending on the CA type that you select. Refer to the sections below for more information.

  5. Click CONNECT.

Once you connect to a CA, you can add templates to manage certificates. See Manage certificate templates for more information.

ADCS

Knox Manage doesn’t support the Active Directory Certificate Services (ADCS) CA type in the following cases:

  • If the CA’s IP address and Web Host are configured in Site Binding in the Internet Information Services (IIS) web server.
  • If the IIS web server is configured for virtual hosting.
Field Description
Host name Enter the CA server host URL address. For example: http(s)://emm.emmexample.com.
Request method

Select a method to send the certificate validity check request.

  • CERTSRV — Device sign-ins are verified using the certificate revocation list (CRL) method.
  • URL — Device sign-ins are verified using the Online Certificate Status Protocol (OCSP) method.

> CA cert chain URL — Enter the CA cert chain URL address. This is available if URL is selected as the request method.

WSURL Enter the registered Certificate Enrollment Web Service (CES) address. For more information, refer to your CA vendor's documentation. When an ADCS type CA uses WSURL, the URL may vary depending on the authentication method used.
Key algorithm and length

Select a key algorithm type between Elliptic Curve Cryptography (EC) and Rivest–Shamir–Adleman (RSA), then select a key length. The key length varies depending on the selected key algorithm type.

  • RSA
    • 2048
    • 3072
    • 4096
  • EC
    • secp256r1
    • secp384r1
Auth method

Select an authentication method.

  • User Account
  • Certificate

User ID

Enter the CA user ID.
Password Enter the password for the CA user ID.
Workstation Enter the workstation name.
Domain Enter the domain name that is used in Knox Manage.
Certificate KeyStore Click Browse and select a certificate file in P12 format. This field appears only when Certificate is selected as the authentication method.
KeyStore password Enter the password for the uploaded certificate KeyStore file. This field appears only when Certificate is selected as the authentication method.

Generic SCEP or NDES

Knox Manage doesn’t support NDES CA type in the following two cases:

  • If the CA’s IP address and Web Host are configured in Site Binding.
  • If the IIS web server is configured as virtual hosting.
Field Description
SCEP URL Enter the SCEP IP or URL to send the certificate validity check request. For example, http://emm.emmexample.com/certsrv/mscep/mscep.dll.
Key Algorithm and length RSA is automatically selected as a key algorithm type. Select a key length from the following options: 2048, 3072, or 4096.
Challenge type

Select a challenge type to authenticate the selected CA type.

  • Dynamic — Enter the information below used on the Knox Manage server for authentication configuration. This field only displays when the selected CA Type is NDES.
    • User ID — Enter the CA user ID.
    • Password — Enter the password for the CA user ID.
    • Domain — Enter the domain name that is used in Knox Manage.
    • Challenge URL — Enter the challenge URL address used on Knox Manage.
  • Static — Enter the challenge password.
  • No Challenge
Retry Count Set the maximum number of retries to issue certificates. Select a number between one and ten.

CertAgent

Field Description
RAMI URL Enter the RAMI IP address or URL to send the certificate validity check request to the CA.For example, http://emm.emmexample.com/certagentadmin/ca/rami.
Key algorithm and length

Select a key algorithm type between EC and RSA then select a key length. The key length varies depending on the selected key algorithm type.

  • RSA
    • 2048
    • 3072
    • 4096
  • EC
    • secp256r1
    • secp384r1
CA account Enter the ID for the CA account.
Certificate KeyStore Click Browse and select a certificate file in P12 format.
KeyStore password Enter the password for the uploaded certificate KeyStore file.

EST

Field Description
Host name Enter the CA server host URL address.
Port Enter the CA server host port number.
CA label Enter the CA server label. Contact Knox Manage Technical Support for the CA label. To learn more about Knox Manage technical support, see Configure general settings.
Key algorithm and length

Select a key algorithm type between EC and RSA then select a key length. The key length varies depending on the selected key algorithm type.

  • RSA
    • 2048
    • 3072
    • 4096
  • EC
    • secp256r1
    • secp384r1
Auth Method

Select an authentication method.

  • User account
    • User ID — Enter the CA user ID.
    • Password — Enter the password.
  • Certificate
    • Certificate KeyStore — Click Browse and select a certificate file in P12 format.
    • KeyStore password — Enter the password for the uploaded certificate KeyStore file.

Manage a CA

You can view certificate authorities on the Manage Certificate Authority (CA) page. From the search bar, you can search for a particular CA by its name.

The CA table is organized into the following columns. Click the CA name to open a sliding panel of additional details.

  • CA NAME
  • TYPE
  • URL
  • AUTHENTICATION METHOD
  • MANAGING CA

From this page, you can also edit and delete certificate authorities.

Edit a CA

To edit a CA:

  1. Select a CA.
  2. Click ACTIONS, then Edit Certificate Authority (CA).

Alternatively, you can also click a CA name and on the sliding details panel that opens, click EDIT CA.

  1. The Edit Certificate Authority (CA) page opens. Edit the necessary details, then click SAVE.

Your edits display on the Manage Certificate Authority (CA) page.

Delete a certificate authority

Before you can delete a CA from Knox Manage, you must make sure that it’s removed from all certificate templates. To delete a CA:

  1. Select a CA from the table.
  2. Click ACTIONS, then Delete Certificate Authority (CA). Alternatively, you can also click a CA name and on the sliding details panel that opens, click , then click DELETE CA.
  3. The Delete Certificate Authority (CA) dialog displays. To confirm your intent, click DELETE.

Your CA is removed from the Manage Certificate Authority (CA) page.

On this page

Is this page helpful?