Android Keystores
This feature was deprecated in API level 33 with Knox SDK v3.7. For more information, see Deprecation of TIMA/CCM Keystore support.
This topic describes how to access Android keystores.
Access the Android Keystore
In this scenario, a customer has deployed a Knox Workspace on enterprise devices. The enterprise wants apps that require certificates, such as a secure browser, VPN, or email, to run inside the Workspace. Apps that don't require a certificate to run, such as Wi-Fi, will run outside of the Workspace. They also want to push certificates, specifically cert_browser, cert_VPN, cert_email, and cert_Wi-Fi, to each device, and then verify that these certificates are stored in the Android Keystore.
- Install a certificate into the Wi-Fi Keystore.

```java
boolean result = false;
String wifiAlias = "cert_Wi-Fi";

// cert_WiFi holds the cert_Wi-Fi certificate data;
// "123456" is the PKCS 12 password (fourth parameter)
// installing into Android Wi-Fi keystore
result = mSecurityPolicy.installCertificateToKeystore(
        SecurityPolicy.TYPE_PKCS12, cert_WiFi, wifiAlias, "123456",
        SecurityPolicy.KEYSTORE_FOR_WIFI);
if (result) {
    Log.d(TAG, "Certificate successfully installed!");
}
```
The first parameter of this API can also be SecurityPolicy.TYPE_CERTIFICATE if the customer needs to install a CERT certificate (file extensions .crt and .cer). In such cases, there is no need to supply a password in the fourth parameter of the API. A certificate installed into the Wi-Fi Keystore is visible in both the device owner and the Knox Workspace.

- Verify the certificate is stored in the Wi-Fi Keystore.

```java
// retrieving all certificates from Wi-Fi keystore
List<CertificateInfo> certList = mSecurityPolicy
        .getCertificatesFromKeystore(SecurityPolicy.KEYSTORE_FOR_WIFI);
if (certList != null && !certList.isEmpty()) {
    X509Certificate cert;
    String certAlias;
    int certKeystore;
    // iterate over all certificates stored into Wi-Fi keystore
    for (CertificateInfo certInfo : certList) {
        cert = (X509Certificate) certInfo.getCertificate();
        certAlias = certInfo.getAlias();
        certKeystore = certInfo.getKeystore();
    }
}
```
- Install certificates for the secure Browser, VPN, and Email apps inside the Workspace.

```java
boolean installedBrowser = false;
boolean installedVPN = false;
boolean installedEmail = false;
String browserAlias = "browserCert";
String vpnAlias = "vpnCert";
String emailAlias = "emailCert";

// installing cert_browser into Android VPN and Apps keystore
installedBrowser = mKnoxSecurityPolicy.installCertificateToUserKeystore(
        SecurityPolicy.TYPE_PKCS12, cert_browser, browserAlias, "123456",
        SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);
// installing cert_browser into Android Default keystore
installedBrowser &= mSecurityPolicy.installCertificateToKeystore(
        SecurityPolicy.TYPE_PKCS12, cert_browser, browserAlias, "123456",
        SecurityPolicy.KEYSTORE_DEFAULT);

// installing cert_VPN into Android VPN and Apps keystore
installedVPN = mKnoxSecurityPolicy.installCertificateToUserKeystore(
        SecurityPolicy.TYPE_PKCS12, cert_VPN, vpnAlias, "123456",
        SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);

// installing cert_email into Android VPN and Apps keystore
installedEmail = mKnoxSecurityPolicy.installCertificateToUserKeystore(
        SecurityPolicy.TYPE_PKCS12, cert_email, emailAlias, "123456",
        SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);
// installing cert_email into Android Default keystore
installedEmail &= mSecurityPolicy.installCertificateToKeystore(
        SecurityPolicy.TYPE_PKCS12, cert_email, emailAlias, "123456",
        SecurityPolicy.KEYSTORE_DEFAULT);
```
When a CA certificate is used to validate an SSL connection in a browser, install it to SecurityPolicy.KEYSTORE_DEFAULT. If a PKCS 12 file is installed on both the Default keystore and the VPN and Apps keystore, the CA certificate is stored in the Default keystore and is used to create the connection, while the user certificate and the private key (PK) are stored in the VPN and Apps keystore for authentication.

- Verify installed certificates in the VPN and Apps and Default Keystores.

```java
// retrieving certificates from VPN and Apps keystore
List<CertificateInfo> vpnList = mKnoxSecurityPolicy
        .getCertificatesFromUserKeystore(SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS);
// retrieving certificates from Default keystore
List<CertificateInfo> defaultList = mSecurityPolicy
        .getCertificatesFromKeystore(SecurityPolicy.KEYSTORE_DEFAULT);

// put the retrieved lists together, guarding against a null result
// as in the Wi-Fi check
List<CertificateInfo> certList = new ArrayList<>();
if (vpnList != null) {
    certList.addAll(vpnList);
}
if (defaultList != null) {
    certList.addAll(defaultList);
}

if (!certList.isEmpty()) {
    X509Certificate cert;
    String certAlias;
    int certKeystore;
    // iterate over all certificates stored into VPN and Apps and
    // Default keystore
    for (CertificateInfo certInfo : certList) {
        cert = (X509Certificate) certInfo.getCertificate();
        certAlias = certInfo.getAlias();
        certKeystore = certInfo.getKeystore();
    }
}
```