What is the certificate length limit in the Knox CCM keystore?
Last updated July 26th, 2023
Environment
Samsung Android devices being set up with certificate-based authentication (CBA)
Issue
The email client cannot activate CBA during enrollment. The same configuration works with Android Keystore.
Cause
The Client Certificate Manager (CCM) keystore is divided into two separate parts:
- TLC - Trustlet Communicator
- TZ - Trust Zone
Although certificates larger than 8192 bytes can be stored, there is a limitation when reading certificates from the CCM keystore. TLC and TZ expect certificates that do not exceed 8192 bytes, and they truncate certificates read from CCM to this size.
Please note that certificates are encrypted prior to storing them in the CCM Keystore. This causes the certificate size to grow after encryption.
Resolution
As a workaround, we recommend using certificates with a key size smaller than 8192 bytes.
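The following pre-provisioning check is an added example, not Samsung's code: it measures each certificate in a PEM bundle against the 8192-byte read limit and shows how a blob cut at that limit is detectable from its ASN.1 length header. The 512-byte `assumed_overhead` is an assumption (the page does not say how much encryption adds), and the sample blobs are constructed stand-ins, not real certificates.

```python
import base64
import re

CCM_READ_LIMIT = 8192  # bytes; the read limit stated on this page
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def der_total_length(blob):
    """Size (header + body) that the outer ASN.1 SEQUENCE header declares."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if blob[1] < 0x80:                      # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or cut-off length field")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def is_truncated(blob):
    """True when fewer bytes are present than the header declares."""
    return len(blob) < der_total_length(blob)

def classify(der, assumed_overhead=512):
    """Return 'exceeds', 'at-risk' or 'ok' for one certificate.
    assumed_overhead is a hypothetical allowance for growth after encryption."""
    if len(der) > CCM_READ_LIMIT:
        return "exceeds"
    if len(der) + assumed_overhead > CCM_READ_LIMIT:
        return "at-risk"
    return "ok"

def constructed_der(body_len):
    """Constructed stand-in for a certificate: a SEQUENCE of zero bytes (256..65535)."""
    return b"\x30\x82" + body_len.to_bytes(2, "big") + b"\x00" * body_len

def to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    bundle = to_pem(constructed_der(1500)) + to_pem(constructed_der(9000))
    for der in pem_to_der(bundle):
        # Simplified model: cuts the plain DER at the limit; the stored blob is encrypted.
        read_back = der[:CCM_READ_LIMIT]
        print(len(der), classify(der), "truncated on read:", is_truncated(read_back))
```
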