
Android Keystores

This topic describes how to access Android keystores.

Access the Android Keystore

In this scenario, a customer has deployed a Knox Workspace on enterprise devices. The enterprise wants apps that require certificates, such as a secure browser, VPN, or email, to run inside the Workspace. Apps that don't require a certificate to run, such as Wi-Fi, run outside of the Workspace. They also want to push certificates, specifically cert_browser, cert_VPN, cert_email, and cert_Wi-Fi, to each device, and then verify that these certificates are stored in the Android Keystore.

  1. Install a certificate into the Wi-Fi Keystore.

    boolean result = false;
    String wifiAlias = "cert_Wi-Fi";
    // certWifi holds the PKCS #12 bytes of cert_Wi-Fi (a byte[]);
    // a hyphen is not allowed in a Java identifier, so the variable cannot be called cert_Wi-Fi
    // installing into the Android Wi-Fi keystore
    result = mSecurityPolicy.installCertificateToKeystore(
            SecurityPolicy.TYPE_PKCS12, certWifi, wifiAlias, "123456",
            SecurityPolicy.KEYSTORE_FOR_WIFI);
    if (result) {
        Log.d(TAG, "Certificate successfully installed!");
    }

Note: The first parameter of this API can also be SecurityPolicy.TYPE_CERTIFICATE if the customer needs to install a plain certificate (a .crt or .cer file) rather than a PKCS #12 bundle. In that case the password passed in the fourth parameter is not needed. A certificate installed into the Wi-Fi Keystore is visible both in the personal (device owner) space and inside the Knox Workspace.

  2. Verify that the certificate is stored in the Wi-Fi Keystore.

    // retrieving all certificates from the Wi-Fi keystore
    List<CertificateInfo> certList =
            mSecurityPolicy.getCertificatesFromKeystore(SecurityPolicy.KEYSTORE_FOR_WIFI);
    // the list may be null when nothing is stored, so check before iterating
    if (certList != null && !certList.isEmpty()) {
        X509Certificate cert;
        String certAlias;
        int certKeystore;
        // iterate over all certificates stored in the Wi-Fi keystore
        for (CertificateInfo certInfo : certList) {
            cert = (X509Certificate) certInfo.getCertificate();
            certAlias = certInfo.getAlias();
            certKeystore = certInfo.getKeystore();
        }
    }

  3. Install certificates for the secure Browser, VPN, and Email apps inside the Workspace.

    // Java does not allow chaining initialisers in one declaration, so each flag is initialised separately
    boolean installedBrowser = false, installedVPN = false, installedEmail = false;
    String browserAlias = "browserCert";
    String vpnAlias = "vpnCert";
    String emailAlias = "emailCert";
    // cert_browser, cert_VPN and cert_email hold the PKCS #12 bytes (byte[]) of each certificate
    // installing cert_browser into the Android VPN and Apps keystore of the Workspace
    installedBrowser = mKnoxSecurityPolicy.installCertificateToUserKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_browser, browserAlias, "123456",
            SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);
    // installing cert_browser into the Android Default keystore
    installedBrowser &= mSecurityPolicy.installCertificateToKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_browser, browserAlias, "123456",
            SecurityPolicy.KEYSTORE_DEFAULT);
    // installing cert_VPN into the Android VPN and Apps keystore of the Workspace
    installedVPN = mKnoxSecurityPolicy.installCertificateToUserKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_VPN, vpnAlias, "123456",
            SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);
    // installing cert_email into the Android VPN and Apps keystore of the Workspace
    installedEmail = mKnoxSecurityPolicy.installCertificateToUserKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_email, emailAlias, "123456",
            SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);
    // installing cert_email into the Android Default keystore
    installedEmail &= mSecurityPolicy.installCertificateToKeystore(
            SecurityPolicy.TYPE_PKCS12, cert_email, emailAlias, "123456",
            SecurityPolicy.KEYSTORE_DEFAULT);

Note: If a CA certificate is used to validate an SSL connection in a browser, install it into SecurityPolicy.KEYSTORE_DEFAULT. When a PKCS #12 bundle is installed into the Default Keystore and the VPN and Apps Keystore, the CA certificate is stored in Default and used to establish the connection, while the user certificate and its private key are stored in VPN and Apps for authentication.

  4. Verify the installed certificates in the VPN and Apps Keystore and the Default Keystore.

    // retrieving certificates from the VPN and Apps keystore of the Workspace
    List<CertificateInfo> vpnList =
            mKnoxSecurityPolicy.getCertificatesFromUserKeystore(SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);
    // retrieving certificates from the Default keystore
    List<CertificateInfo> defaultList =
            mSecurityPolicy.getCertificatesFromKeystore(SecurityPolicy.KEYSTORE_DEFAULT);
    // put the retrieved lists together; either list may be null when its keystore is empty,
    // and addAll(null) would throw a NullPointerException
    List<CertificateInfo> certList = new ArrayList<CertificateInfo>();
    if (vpnList != null) {
        certList.addAll(vpnList);
    }
    if (defaultList != null) {
        certList.addAll(defaultList);
    }
    if (!certList.isEmpty()) {
        X509Certificate cert;
        String certAlias;
        int certKeystore;
        // iterate over all certificates stored in the VPN and Apps keystore and the Default keystore
        for (CertificateInfo certInfo : certList) {
            cert = (X509Certificate) certInfo.getCertificate();
            certAlias = certInfo.getAlias();
            certKeystore = certInfo.getKeystore();
        }
    }
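The four steps above install each certificate and then list what a keystore contains, but they never check that a given alias actually landed in the keystore it was meant for. The class below is an added example, not code from the Knox documentation or SDK: it encodes the scenario's four certificates with their destinations, installs them through the same SecurityPolicy calls the steps use, and then verifies alias by alias that each one is present, currently valid, and has a fingerprint an administrator can compare with the file that was pushed. The package names com.samsung.android.knox.keystore.SecurityPolicy and CertificateInfo are assumed to be those of Knox SDK 3.x; the class, method and field names KeystoreProvisioner, Target, CertSpec, scenarioSpecs, installAll, verify, findByAlias and sha256Hex are hypothetical, and the byte arrays holding the PKCS #12 files are expected to be supplied by the caller.

```java
import android.util.Log;
import com.samsung.android.knox.keystore.CertificateInfo; // assumed Knox SDK 3.x package
import com.samsung.android.knox.keystore.SecurityPolicy;  // assumed Knox SDK 3.x package
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example (hypothetical class): installs the scenario's certificates, then verifies each alias is where it belongs. */
public class KeystoreProvisioner {
    private static final String TAG = "KeystoreProvisioner";

    /** A destination: personal space or Knox Workspace, plus the SecurityPolicy keystore id. */
    public static final class Target {
        final boolean insideWorkspace; final int keystore;
        Target(boolean insideWorkspace, int keystore) { this.insideWorkspace = insideWorkspace; this.keystore = keystore; }
    }

    /** One PKCS #12 blob, its alias and password, and every target it must be installed into. */
    public static final class CertSpec {
        final String alias; final byte[] pkcs12; final String password; final Target[] targets;
        CertSpec(String alias, byte[] pkcs12, String password, Target... targets) {
            this.alias = alias; this.pkcs12 = pkcs12; this.password = password; this.targets = targets;
        }
    }

    private final SecurityPolicy mSecurityPolicy;     // personal (device owner) space
    private final SecurityPolicy mKnoxSecurityPolicy; // Knox Workspace

    public KeystoreProvisioner(SecurityPolicy personal, SecurityPolicy workspace) {
        mSecurityPolicy = personal;
        mKnoxSecurityPolicy = workspace;
    }

    /** The four certificates of the scenario above and the keystores each one goes into (same aliases as the steps). */
    public static List<CertSpec> scenarioSpecs(byte[] wifi, byte[] browser, byte[] vpn, byte[] email, String pw) {
        Target wifiStore = new Target(false, SecurityPolicy.KEYSTORE_FOR_WIFI);
        Target workspaceVpnApps = new Target(true, SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);
        Target personalDefault = new Target(false, SecurityPolicy.KEYSTORE_DEFAULT);
        return Arrays.asList(
                new CertSpec("cert_Wi-Fi", wifi, pw, wifiStore),
                new CertSpec("browserCert", browser, pw, workspaceVpnApps, personalDefault),
                new CertSpec("vpnCert", vpn, pw, workspaceVpnApps),
                new CertSpec("emailCert", email, pw, workspaceVpnApps, personalDefault));
    }

    /** Installs every spec into every target; returns false if any single install fails. */
    public boolean installAll(List<CertSpec> specs) {
        boolean allOk = true;
        for (CertSpec spec : specs) {
            for (Target t : spec.targets) {
                boolean ok = t.insideWorkspace
                        ? mKnoxSecurityPolicy.installCertificateToUserKeystore(
                                SecurityPolicy.TYPE_PKCS12, spec.pkcs12, spec.alias, spec.password, t.keystore)
                        : mSecurityPolicy.installCertificateToKeystore(
                                SecurityPolicy.TYPE_PKCS12, spec.pkcs12, spec.alias, spec.password, t.keystore);
                if (!ok) Log.w(TAG, "install failed: " + spec.alias + " -> keystore " + t.keystore);
                allOk &= ok;
            }
        }
        return allOk;
    }

    /** Returns "alias@keystore" for every target where the certificate is missing or not currently valid. */
    public List<String> verify(List<CertSpec> specs) {
        List<String> problems = new ArrayList<>();
        for (CertSpec spec : specs) {
            for (Target t : spec.targets) {
                List<CertificateInfo> stored = t.insideWorkspace
                        ? mKnoxSecurityPolicy.getCertificatesFromUserKeystore(t.keystore)
                        : mSecurityPolicy.getCertificatesFromKeystore(t.keystore);
                String where = spec.alias + "@" + t.keystore;
                CertificateInfo match = findByAlias(stored, spec.alias, t.keystore);
                if (match == null) { problems.add(where); continue; }
                try {
                    X509Certificate cert = (X509Certificate) match.getCertificate();
                    cert.checkValidity(); // throws if the certificate is expired or not yet valid
                    Log.d(TAG, where + " OK, SHA-256 " + sha256Hex(cert.getEncoded()));
                } catch (CertificateException e) {
                    Log.w(TAG, where + " present but not valid: " + e.getMessage());
                    problems.add(where);
                }
            }
        }
        return problems;
    }

    /** Null-safe lookup: the returned list may be null, as the page's own checks anticipate. */
    static CertificateInfo findByAlias(List<CertificateInfo> list, String alias, int keystore) {
        if (list == null) return null;
        for (CertificateInfo info : list) {
            if (alias.equals(info.getAlias()) && info.getKeystore() == keystore) return info;
        }
        return null;
    }

    /** Hex SHA-256 of the DER encoding, for comparison with the fingerprint of the file that was pushed. */
    static String sha256Hex(byte[] der) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            return "unavailable";
        }
    }
}
```

Usage follows the steps' own pattern: build the two SecurityPolicy instances as the steps do (mSecurityPolicy for the personal space, mKnoxSecurityPolicy for the Workspace), call scenarioSpecs with the four PKCS #12 byte arrays and the password, then installAll followed by verify; an empty list from verify means every alias was found in its intended keystore and is within its validity period, and any "alias@keystore" entry names exactly what is missing.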