
What is the certificate length limit in the Knox CCM keystore?

Last updated July 26th, 2023


Environment

Samsung Android devices being set up with certificate-based authentication (CBA)

Issue

The email client cannot activate CBA during enrollment. The same configuration works with Android Keystore.

Cause

The Client Certificate Manager (CCM) keystore is divided into two separate parts:

  • TLC - Trustlet Communicator
  • TZ - Trust Zone

Although certificates larger than 8192 bytes can be stored, there is a limitation when reading certificates from the CCM keystore. TLC and TZ expect certificates that do not exceed 8192 bytes, and they truncate certificates read from CCM to this size.

Please note that certificates are encrypted prior to storing them in the CCM Keystore. This causes the certificate size to grow after encryption.

Resolution

As a workaround, we recommend using certificates with a key size smaller than 8192 bytes.
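A pre-enrollment size check, as an added example that is not Samsung's code: it measures each certificate's DER size against the 8192-byte read limit and shows why a capped read leaves an unparsable object. The `headroom` parameter, the function names and the prefix-cut model of truncation are assumptions; the page gives no figure for the growth after encryption.

```python
import base64
import re

CCM_READ_LIMIT = 8192  # bytes; the read limit stated on this page
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_total_length(der: bytes) -> int:
    """Size (header + body) that the outer DER SEQUENCE header declares."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                  # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or incomplete DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(pem_text: str, headroom: int = 0) -> list:
    """Report every certificate in a PEM bundle against the read limit.

    headroom is an assumed allowance for growth after encryption; the
    default of 0 checks the plain DER size only.
    """
    results = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        # Assumption: model the capped read as a plain prefix cut.
        truncated = der[:CCM_READ_LIMIT]
        results.append({
            "der_bytes": len(der),
            "fits": len(der) + headroom <= CCM_READ_LIMIT,
            # False means the header promises more bytes than the read returns.
            "complete_after_read": der_total_length(der) <= len(truncated),
        })
    return results

def make_constructed_pem(payload_len: int) -> str:
    """Constructed DER SEQUENCE (not a real certificate); 256 <= len <= 65000."""
    inner = b"\x04\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    der = b"\x30\x82" + len(inner).to_bytes(2, "big") + inner
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
```

Run `check_pem` on the PEM file exported for enrollment; any entry with `fits` set to `False` is a candidate for the activation failure described above.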
