Certificates stored and managed by CCM

This topic explains how an MDM admin should configure a device so that the following functionality is enabled:

  • CCM stores and manages the certificate for APP1
  • CCM generates the key pair and CSR for the certificate, and a remote enrollment server (CA) signs it as part of an enrollment procedure

CCM Procedure:

  1. Get an instance of ClientCertificateManager (via getClientCertificateManagerPolicy) to use the CCM APIs:

     EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
     KnoxContainerManager kcm = ekm.getKnoxContainerManager(context, containerId);
     ClientCertificateManager clientCertificateManager = kcm.getClientCertificateManagerPolicy();

  2. Request a SmartCard token by using the setCCMProfile API. This API allocates a SmartCard token in TrustZone for the caller. The input parameter CCMProfile has configuration fields for:
    • An access control method
    • A package allowlist of the packages that can access the SmartCard token

     Note that the caller must have a Knox license and must be an admin.

     boolean result = clientCertificateManager.setCCMProfile(profile);

  3. Set the CSR template used for generating a new CSR. Use the CSRProfile to specify the values for the CSR fields (Common Name, Domain Name, and so on).

     boolean result = clientCertificateManager.setCSRProfile(csrProfile);

  4. Generate the CSR using the template set in Step 3. Note that templateName is the name used to set the CSR profile (CSRProfile.templateName); csrAlias is the certificate alias for the generated key pair; and challengePassword is required for protocols like SCEP.

     byte[] csr = clientCertificateManager.generateCSRUsingTemplate("templateName", "csrAlias", "challengePassword");

  5. Enroll the certificate with the CA/Enrollment Server using the generated CSR.

  6. On receiving an enrolled certificate from the server, perform these steps:
    • A. Install the enrolled certificate in CCM using the installCertificate API. This is a generic API for installing a certificate.
    • B. Install the CSR response by setting CertificateProfile.isCSRResponse to TRUE so that the CSR response is matched with the generated private key in TrustZone. Ensure that CertificateProfile.alias has the same value specified when generating the CSR (see Step 4).
    • C. Specify the access control for the certificate being installed by using the CertificateProfile fields to add packages to the allowlist.

     Note that privateKeyPassword is required only if you are installing a certificate with a private key; it is not required for a CSR response.

     boolean result = clientCertificateManager.installCertificate(certificateProfile, certificateBuffer, "privateKeyPassword");
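The following class runs Steps 1 through 6 of the procedure above end to end, checking each API result and keeping the CSR alias and the CertificateProfile alias tied to one constant so the CSR response can be paired with the private key held in TrustZone. It is an added example, not Samsung's code. The import paths follow the Knox SDK package layout and are assumed; the profile fields packageList and commonName are not named on this page and are assumptions about the CCMProfile, CSRProfile and CertificateProfile classes; the CaClient interface and the sample template, alias and package names are hypothetical placeholders for the MDM's own enrollment transport and values.

```java
import android.content.Context;
import android.util.Log;
import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.keystore.CCMProfile;
import com.samsung.android.knox.keystore.CSRProfile;
import com.samsung.android.knox.keystore.CertificateProfile;
import com.samsung.android.knox.keystore.ClientCertificateManager;
import java.util.Arrays;

/**
 * Added example (not Samsung's code): the CCM enrollment flow from the procedure above.
 * Field names packageList and commonName, the import paths, and the CaClient interface
 * are assumptions; the constants below are constructed sample values.
 */
public final class CcmEnrollment {

    private static final String TAG = "CcmEnrollment";
    // Constructed sample values; an MDM supplies its own.
    private static final String TEMPLATE = "app1-template";
    private static final String ALIAS = "app1-client-cert";      // shared by Step 4 and Step 6
    private static final String APP1_PACKAGE = "com.example.app1";

    private final ClientCertificateManager ccm;

    /** Step 1: obtain the CCM policy object for the target container. */
    public CcmEnrollment(Context context, int containerId) {
        EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
        KnoxContainerManager kcm = ekm.getKnoxContainerManager(context, containerId);
        this.ccm = kcm.getClientCertificateManagerPolicy();
    }

    /** Steps 2 to 6. Returns true only once the signed certificate is installed against the TrustZone key. */
    public boolean enroll(CaClient ca, String challengePassword) {
        // Step 2: allocate the SmartCard token in TrustZone and restrict it to APP1.
        CCMProfile ccmProfile = new CCMProfile();
        ccmProfile.packageList = Arrays.asList(APP1_PACKAGE);   // assumed field name
        if (!ccm.setCCMProfile(ccmProfile)) {
            return fail("setCCMProfile failed: caller needs a Knox license and admin status");
        }

        // Step 3: CSR template. The private key is generated in TrustZone; only the CSR leaves it.
        CSRProfile csrProfile = new CSRProfile();
        csrProfile.templateName = TEMPLATE;
        csrProfile.commonName = "app1.device.example";          // assumed field name
        if (!ccm.setCSRProfile(csrProfile)) {
            return fail("setCSRProfile failed");
        }

        // Step 4: generate the key pair under ALIAS and the CSR from the template.
        byte[] csr = ccm.generateCSRUsingTemplate(TEMPLATE, ALIAS, challengePassword);
        if (csr == null || csr.length == 0) {
            return fail("generateCSRUsingTemplate returned no CSR");
        }

        // Step 5: enrollment transport (SCEP, EST, ...) is the MDM's concern; abstracted behind CaClient.
        byte[] signedCert = ca.enroll(csr);
        if (signedCert == null || signedCert.length == 0) {
            return fail("enrollment server returned no certificate");
        }

        // Step 6: install the CSR response. The alias must equal the one used in Step 4 so CCM can
        // match the certificate to the private key; a CSR response carries no private key, so no
        // privateKeyPassword is supplied (assumption: the API accepts null for that argument).
        CertificateProfile certProfile = new CertificateProfile();
        certProfile.alias = ALIAS;
        certProfile.isCSRResponse = true;
        certProfile.packageList = Arrays.asList(APP1_PACKAGE);  // assumed field name
        if (!ccm.installCertificate(certProfile, signedCert, null)) {
            return fail("installCertificate failed");
        }
        Log.i(TAG, "certificate installed under alias " + ALIAS + " for " + APP1_PACKAGE);
        return true;
    }

    private static boolean fail(String reason) {
        Log.e(TAG, reason);
        return false;
    }

    /** Hypothetical CA transport; the page leaves the enrollment protocol to the MDM. */
    public interface CaClient {
        /** Sends the DER CSR to the CA and returns the signed certificate, or null on failure. */
        byte[] enroll(byte[] csr);
    }
}
```

Each step's boolean result is checked before the next step runs, because a failed setCCMProfile or setCSRProfile otherwise surfaces only later as a null CSR or a failed installCertificate with no indication of which prerequisite was missing.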