App fails to retrieve the CCM certificate after an Android 12 OS upgrade
Environment
- Knox SDK
- Samsung devices upgraded from Android 11 to Android 12
Overview
Due to the changes to the keystore system in the Knox Workspace container, as explained in Deprecation of TIMA/CCM Keystore support, the certificate installed in the Client Certificate Manager (CCM) migrates to the Android Keystore after the device is upgraded to Android 12. From Android 12 onward, all certificate-related operations must follow the specifications of the Android keystore system. If auto-migration completes successfully, the app continues to load the Android Keystore instance.
When you upgrade Samsung devices enrolled with a work profile from Android 11 to Android 12, after the certificate keystore migration process, an app loses access to its certificates. Since there are no reliable software fixes to this unintended side effect, this article provides a manual workaround if the app fails to retrieve the certificate.
The resolution provided in this article doesn’t apply to EMMs using Android Management API.
Resolution
Before the Android 12 upgrade:
-
Call
KeyChain.choosePrivateKeyAlias()
to allow the user to select the alias for a private key and certificate pair for authentication. -
Call
KeyChain.getPrivateKey()
to get the private key.
After the Android 12 upgrade:
-
Call
DevicePolicyManager.grantKeyPairToApp()
to gain access to your client certificates in the Android keystore system. -
Call
KeyChain.getPrivateKey()
to get the private key.
The authority information for the certificate is then generated and the app can access it.
Back to KBAsOn this page
Is this page helpful?