
What is the certificate length limit in the Knox CCM keystore?

[Environment]
Samsung Android devices being setup with Certificate based authentication (CBA)

[Issue]
The email client cannot activate CBA during enrollment. The same configuration works with Android Keystore.

[Cause]
The CCM (Client Certificate Manager) keystore is divided into two separate parts:
  • TLC - Trustlet Communicator
  • TZ - Trust Zone.
Although certificates larger than 8192 bytes can be stored, there is a limitation when reading certificates back from the CCM Keystore: TLC and TZ expect certificates that do not exceed 8192 bytes and truncate certificates read from CCM to this size.
 
Please note that certificates are encrypted prior to storing them in the CCM Keystore. This causes the certificate size to grow after encryption.
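A pre-flight check that can be run before enrollment, added here as an example and not part of this article or of the Knox tooling: it reads the outer DER length field of a certificate, compares it with the 8192-byte read limit, and shows how a read cut at that limit leaves a buffer shorter than its own header declares. The sample input is a constructed DER structure with X.509-style outer framing, not a real certificate; the constant name and the function names are assumptions.

```python
"""Pre-flight check: does a certificate's DER fit the 8192-byte CCM read limit?"""

CCM_READ_LIMIT = 8192  # bytes: TLC/TZ truncate data read from CCM to this size

def der_len(n: int) -> bytes:
    """Encode a DER length field (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_declared_length(der: bytes) -> int:
    """Total bytes (tag + length + content) the outer DER TLV claims to span."""
    if len(der) < 2:
        raise ValueError("too short for a DER header")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def is_truncated(der: bytes) -> bool:
    """True when the buffer is shorter than its own header declares, which is
    what a consumer sees after a CCM read is cut at CCM_READ_LIMIT bytes."""
    return der_declared_length(der) > len(der)

def check_ccm_fit(der: bytes, limit: int = CCM_READ_LIMIT) -> dict:
    """Report the plaintext DER size, whether it is under the limit, and whether
    a read capped at `limit` bytes would hand back a truncated certificate.
    The stored form is encrypted and larger, so this is only a lower bound."""
    size = der_declared_length(der)
    return {"der_bytes": size, "fits": size <= limit,
            "truncated_after_read": is_truncated(der[:limit])}

def synthetic_der(content_len: int) -> bytes:
    """Constructed stand-in: SEQUENCE { OCTET STRING of content_len zero bytes }.
    Same outer framing as an X.509 Certificate, but not a real certificate."""
    inner = b"\x04" + der_len(content_len) + bytes(content_len)
    return b"\x30" + der_len(len(inner)) + inner

if __name__ == "__main__":
    for n in (4000, 9000):  # constructed payload sizes either side of the limit
        print(n, check_ccm_fit(synthetic_der(n)))
```

For a real certificate, pass the DER bytes of the PEM-decoded file to `check_ccm_fit`; a `fits` result still leaves no margin for the encryption overhead mentioned above.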

[Resolution]
As a workaround, we recommend using certificates with key size smaller than 8192 bytes.
