Can I create an RSA Key Pair on a Knox Platform for Enterprise device?

Environment

All Knox Devices.

Summary

Can I create an RSA Key Pair on a Knox Platform for Enterprise device?

Resolution

Yes. A Certificate Signing Request (CSR) provided by Client Certificate Manager (CCM) can be used to generate a RSA Key Pair of size 1024 or 2048 bits. Key Pairs generated by CCM are secured in TrustZone. The Private Key is never revealed and only handled while performing crypto operations. When CCM detects that device is compromised, it is locked and none of the keys can be used on a compromised device.

PKCS10 format CSRs generated in CCM can be used with Microsoft CA to issue certificate which can be installed in CCM. Certificates installed in CCM can be used by Email, Browser, VPN, WiFi, or any other 3rd party app.

Samsung has certificate enrollment protocols - SCEP, EST, CMP clients which can be used for certificate enrollment. These clients are integrated with CCM and can be used to enroll certificates either in CCM (TrustZone solution) or the default Android credential store.