Certificate revocation returns an SSL error

Last updated September 18th, 2024

Environment

  • Knox Service Plugin

Overview

If you previously set the Enable revocation check policy value to either Enable for all apps or Enable for specified apps only, you may encounter an issue where an SSL connection can’t be established, causing certain apps to fail.

Cause

The revocation check is performed primarily using Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP). Both mechanisms may use a cleartext HTTP connection to retrieve the data needed for the check. From Android 9 onwards, all cleartext HTTP traffic is disabled by default, so an app that doesn’t explicitly enable cleartext HTTP traffic may fail.

Workaround

If you encounter an issue with third-party apps after enabling the Enable revocation check policy, and wish to keep this policy enabled, contact the respective app developers and ask them to enable cleartext HTTP support.
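As an added example (not part of this article or of Knox Service Plugin), the following Android Network Security Configuration shows how an app developer can enable the cleartext HTTP support described above while limiting it to the CA's revocation endpoints instead of the whole app. The hostnames are hypothetical placeholders; the file is referenced from the app manifest with android:networkSecurityConfig="@xml/network_security_config".

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, hostnames are placeholders) -->
<network-security-config>

    <!-- Default for every destination: keep Android 9+ behaviour, no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Allow plain HTTP only for the CRL and OCSP endpoints named in the CA's
         certificates. Revocation data is normally published over HTTP by design,
         and the responses are themselves signed by the CA, so no other traffic
         needs to leave the cleartext restriction. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">crl.example-ca.invalid</domain>
        <domain includeSubdomains="false">ocsp.example-ca.invalid</domain>
    </domain-config>

</network-security-config>
```

Before shipping, confirm the hostnames against the CRL Distribution Points and Authority Information Access extensions of the certificates the app actually encounters; any endpoint not listed here remains blocked and the revocation check for that certificate will still fail.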

If the revocation check isn’t required for your enterprise, you can disable the Enable revocation check policy by doing the following:

  1. On your EMM console, go to the Knox Service Plugin configuration.
  2. Under Device-wide policies (if you have fully managed devices) and Work profile policies (if you have devices with a work profile), go to Certificate management policies (Premium).
  3. Under Certificate revocation > Enable revocation check, set the value to Not enabled.
  4. Save the profile and assign the changes to your enrolled devices.

Additional Reading

For more information, see Android Network Security Configuration.