Menu

Certificate Enrollment Protocols (CEP)

The Certificate Enrollment Protocols (CEP) provision and support digital certificates for apps within Samsung devices. This feature is of great assistance to MDMs and third-parties vendors. Why? Because the CEP helps complete certificate enrollment without device user intervention, further solidifying the claim that Samsung Knox devices provide both world-class security as well as industry-leading manageability.

Enterprises can use CEP to:

  • Enroll, renew, or delete certificates
  • Check your deployment's certificate enrollment or renewal status

The CEP service is very robust, and supports the following enrollment protocols and standards:

  • Simple Certificate Enrollment Protocol (SCEP)
  • Certificate Management Protocol (CMP)
  • Certificate Management over Cryptographic Message Syntax, Enrollment Over Secure Transport (CMC-EST)

SCEP, CMP, and CMC are frequently used certificate enrollment protocols for provisioning digital certificates. For more information on these protocols, see Internet Engineering Task Force (IETF).

CEP asymmetric key acquisition

Apps use CEP to acquire the public part of an asymmetric key. Asymmetric keys have a public part and a private part. The private part never leaves the Keystore, but the public part is freely distributed. The key owner can use the Keystore to apply the private part of the asymmetric key to an encrypted message to decrypt it.

CEP operational environment

CEP functions within the scope of either the Work container or personal space, depending on where it is installed. If the deployment objective is to provision and manage certificates for apps inside the Work container only, then you must refer to your chosen MDM's documentation for instructions.

If the objective is to provision and manage certificates for apps in the personal space, then you can install the CEP services in the personal space to provision and manage certificates.

MDM agents can call the CEP services in either the personal space or Work container. MDM agents don't have access to a service created outside their scope.