Back to top
Home / Knox Platform for Enterprise / Knox Service Plugin / Configure advanced policies /

Certificate management policies

Last updated March 25th, 2024

Refer to the following certificate management policies to control certificate settings to disable and restrict certifications as needed for specific device deployments:

  • Set the Enable certificate management controls to True to enable specific certificate management controls for the workspace. Ensure this control is enabled before setting any certificate management settings. If disabled, certificate management policy updates are ignored.

  • Refer to the Certificate revocation value to set the revocation method best suited to your devices and deployment strategy. Options include:

    • Set the Enable revocation check value. For example, if you list com.samsung.email within an allow list, certificates used by this app for encryption or signing is first checked against a Certificate Revocation List (CRL) to verify they are still valid. Enter application package names as comma separated list of values. For example, com.xyz, or com.abc, etc. Options include:

      • Not enabled

      • Enabled for all apps

      • Enabled for specific apps only

    • Set the Enable OCSP check before CRL value to True to conduct a certificate revocation status validation using Online Certificate Status Protocol (OCSP) before checking a CRL. If the OCSP response is inconclusive, the device performs a CRL check.

    • Refer to the List of Apps to enable for validation setting and enter comma separated values <string> of application packages targeted for certificate revocation. For example, com.xyz, or com.abc, etc.

  • Refer to the Add trusted CA certificate setting and add the name of a Trusted CA Alias <string> already defined in the Certificate Alias. Enter values as a comma separated list of trusted CA aliases.

  • Set the Block User from removing certificate control to True to restrict the user from removing certificates from the keystore. By default, users are allowed to remove certificate from the keystore.

  • Refer to the Allow apps to read private keys without alerting user value to define a group of controls defining applications allowed to read private key configurations without device user knowledge or intervention. Enter the following values:

    • Enter the Package Name <string> of the application receiving this private key read permission.

    • Enter the Host <string> of the server host receiving this private key read permission.

    • Enter the Port <string> of the server port receiving this private key read permission.

    • Enter the Alias <string> of the private key alias granted to an application.

    • Enter the StorageName <string> of the credential storage private key name allowing an application to read private keys.

  • Refer to the Install Certificate in keystore(s) silently value and enter the name of the CA Alias <string> installed silently within the device keystore. Enter values as a comma separated list of trusted CA aliases.

Is this page helpful?