Back to top

App fails to retrieve the CCM certificate after an Android 12 OS upgrade


  • Knox SDK
  • Samsung devices upgraded from Android 11 to Android 12


Due to the changes to the keystore system in the Knox Workspace container, as explained in Deprecation of TIMA/CCM Keystore support, the certificate installed in the Client Certificate Manager (CCM) migrates to the Android Keystore after the device is upgraded to Android 12. From Android 12 onward, all certificate-related operations must follow the specifications of the Android keystore system. If auto-migration completes successfully, the app continues to load the Android Keystore instance.

When you upgrade Samsung devices enrolled with a work profile from Android 11 to Android 12, after the certificate keystore migration process, an app loses access to its certificates. Since there are no reliable software fixes to this unintended side effect, this article provides a manual workaround if the app fails to retrieve the certificate.

The resolution provided in this article doesn’t apply to EMMs using Android Management API.


Before the Android 12 upgrade:

  1. Call KeyChain.choosePrivateKeyAlias() to allow the user to select the alias for a private key and certificate pair for authentication.

  2. Call KeyChain.getPrivateKey() to get the private key.

After the Android 12 upgrade:

  1. Call DevicePolicyManager.grantKeyPairToApp() to gain access to your client certificates in the Android keystore system.

  2. Call KeyChain.getPrivateKey() to get the private key.

The authority information for the certificate is then generated and the app can access it.

Back to KBAs

Is this page helpful?