Back to top

Certificates stored and managed by CCM


This feature was deprecated in API level 33 with Knox SDK v3.7. For more information, see Deprecation of TIMA/CCM Keystore support.

This topic explains how an MDM admin should configure a device so that the following functionality is enabled:

  • CCM stores and manages the certificate for APP1
  • CCM CSR generates the certificate, and a remote server handled by an enrollment procedure signs it

CCM Procedure:

  1. Get an instance of ClientCertificateManagerPolicy to use the CCM APIs:

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    KnoxContainerManager kcm = ekm.getKnoxContainerManager(Context, containerID);
    ClientCertificateManager clientCertificateManager = kcm.getClientCertificateManagerPolicy();
  2. Request a SmartCard token by using the setCCMProfile API.  This API allocates a SmartCard token in TrustZone for the caller. The input parameter CCMProfile has configuration fields:

    • An access control method
    • A package allowlist which can access the SmartCard token.

    Note that the caller must have a Knox license and should be an admin.

    boolean result = clientCertificateManager.setCCMProfile(CCMProfile profile);
  3. Set the CSR template used for generating a new CSR. Use the `SRProfile to specify the values for the CSR fields – Common Name, Domain Name, and so on.

    boolean result = clientCertificateManager.setCSRProfile(CSRProfile);
  4. Generate the CSR using the template set in Step 3. Note that templateName is the name used to set the CSR profile (CSRProfilZ.templateName); csAlias is the certificate alias for the generated key pair; and challengePassword is required for protocols like SCEP.

    byte[] csr = clientCertificateManager.generateCSRUsingTemplate("templateName", "csrAlias", "challengePassword");
  5. Enroll the certificate with the CA/Enrollment Server using the generated CSR.

  6. On receiving an enrolled certificate from the server, perform these steps:

    • A. Install the enrolled certificate in CCM using the installCertificate API. This is a generic API for installing a certificate.
    • B. Install the CSR response, by setting CertificateProfile.isCSRResponse to TRUE so that the CSR response is matched with the generated private key in TrustZone. Ensure that CertificateProfile.alias has the same value specified as when generating the CSR (see Step 4).
    • C. Specify the access control to the certificate being installed using CertificateProfile fields to add packages to the allowlist.

Note that privateKeyPassword is required only if you are installing a certificate with a private key and it is not required for CSR response.

boolean result = clientCertificateManager.installCertificate(CertificateProfile, certificateBuffer, "privateKeyPassword");

On this page

Is this page helpful?