Certificate provisioning configurations

You can configure certificate provisioning protocols, such as Simple Certificate Enrollment Protocol (SCEP), for your fleet of devices in Knox Service Plugin. SCEP automates certificate enrollment for your managed devices, and helps streamline the process by reducing manual interaction from device users.

Currently, SCEP is supported on fully managed devices running Android 14 and higher, and only supports one certificate per profile.

To configure certificate provisioning:

1. Go to Certificate provisioning configurations, and click Configure.
2. On the Protocol dropdown, select SCEP.
3. Enter the information required for certificate provisioning.
   • Provision type — Specify the type of certificate provision.
   • Key Provider — Specify the type of certificate key provider.
   • Key Owner — Specify the type of certificate key owner.
   • Key Alias — Enter the alias that identifies the certificate.
   • Subject — Enter the subject of the X.509 certificate, which includes information about the owner of the certificate.
   • Server Host — Enter the host IP of the certificate provision server you want to specify authentication information for.
   • Server Port — Enter the port number of the certificate provision server host.
   • Server Path — Enter the path of the certificate provision server.
   • Subject Alternative Name — Enter the Subject Alternative Name in the X.509 certificate that provides extra identities for validation, including additional domain names, IPs, emails, or URIs.
   • Extended Purposes — Specify extended purposes, which explicitly indicate the variety of purposes this certificate can be used for.
   • Challenge Password — Enter the challenge password that the client provides during enrollment to authenticate itself to the Certificate Authority (CA).
   • System Key Type — Specify the type of the system key.
   • System Key Purposes — Specify what the purpose of the system key is.
   • System Key Size — Enter the system key size. The default is 2048.