Back to top

Certificates for government apps

This feature was deprecated in API level 33 with Knox SDK v3.7. For more information, see Deprecation of TIMA/CCM Keystore support.

In this scenario, a customer has a number of government apps that need certificates. They want to make a configuration to manage certificates as follows.

Certificate procedure

  1. Place CA1, CA2, and CA3 in the trusted CA restriction list.

    List caList = new ArrayList();
    boolean retValue = mCertificatePolicy.addTrustedCaCertificateList(caList);
  2. Place CA7, CA8, and CA9 in the untrusted certificate relist.

    List caList = new ArrayList();
    boolean retValue = mCertificatePolicy.addUntrustedCertificateList(caList);
  3. Validate a new certificate CA10; if it is valid, include it in the trusted CA restriction list — boolean retValue = mCertificatePolicy

    boolean retValue = mCertificatePolicy.enableCertificateValidationAtInstall(true);
    // tries to install into an Android keystore (in this case, Wi-Fi keystore)
    // the operation will fail in case of an invalid certificate
    boolean installResult = mSecurityPolicy.installCertificateToKeystore
    (SecurityPolicy.TYPE_PKCS12, certCA10_byteArray, "certCA10Alias",
        "123456", SecurityPolicy. KEYSTORE_FOR_WI-FI);
    // if it is a valid certificate, then we include it to the trusted CA list
    if(installResult) {
    List caList = new ArrayList();
        boolean retValue = mCertificatePolicy.addTrustedCaCertificateList(caList);
  4. Revoke CA1.

    Points to consider:

    • A CA certificate is not revocable. To revoke a user certificate, it is necessary to talk to its root CA. The root CA then revokes the user certificate. In order to check for revoked certificates, enable the revocation check policy. For more information, see Step 5.
    • An alternative for this requirement is to insert the CA1 to the untrusted CA certificate list. For more details on how to do this, see Step 2.
  5. Enable revocation check.

    String pkgName = "_";
    // enables revocation check (using CRL) for all apps
    mCertificatePolicy.enableRevocationCheck(pkgName, true);
    // enables revocation check (using OCSP) for all apps
    mCertificatePolicy.enableOcspCheck(pkgName, true);
  6. Check revocation status.

    String pkgName = "_";
    // checks if revocation check (using CRL) is enabled for all apps
    boolean retValue = mCertificatePolicy.isRevocationCheckEnabled(pkgName);
    // checks if revocation check (using OCSP) is enabled for all apps
    Boolean retValue2 = mCertificatePolicy.isOcspCheckEnabled(pkgName);
  7. Notify the MDM regarding certification failure status.

    // Declare the BroadcastReceiver in AndroidManifest.xml client app
    <receiver android:name="com.enterprise.test.CertificateReceiver">
    // Creates the BroadcastReceiver class
    public class CertificateReceiver extends BroadcastReceiver {
            public void onReceive(Context context, Intent intent) {
            final String action = intent.getAction();
            Log.d(TAG, "received intent action =" + action);
            if (action.equals(CertificatePolicy.ACTION_CERTIFICATE_FAILURE)) {
                String module = intent.getStringExtra
                String msg = intent.getStringExtra
    Log.d(TAG, "Digital signature failure occurred in: " + module
                    + " - " + msg);
  8. Notify end-user regarding certification failure status.

    boolean retValue = mCertificatePolicy.enableCertificateFailureNotification(true);
  9. Display the identity of the entity that signed an app per user request to the user.

    boolean retValue = mCertificatePolicy.enableSignatureIdentityInformation(true);

If the policy is enabled, the user can check any signature identity. This identity displays in the App Info screen that you can access using the App Manager and during app installation.

On this page

Is this page helpful?