App fails to retrieve CCM certificate after Android 12 OS upgrade


  • Knox SDK


Due to the changes of Keystore in the Knox container as explained in the Deprecation of TIMA/CCM Keystore support the certificate installed in CCM is migrated into Android Keystore after applying Android 12 OS upgrade. From Android 12, all certificate-related operations should follow Google's  Android Keystore. If auto-migration is done successfully, the app continues to load AndroidKeyStore instant. If the app fails to retrieve the certificate, please apply one of the following solutions to resolve the issue.

Solution 1

Using Device Policy Manager API grantKeyPairToApp, set proper parameters and call it. Refer to the following example code. The authority information for the certificate is generated and the app can access it.

import android.content.ComponentName;
import com.afwsamples.testdpc.DeviceAdminReceiver;
private ComponentName mAdminComponentName;
private DevicePolicyManager mDevicePolicyManager;
mAdminComponentName = DeviceAdminReceiver.getComponentName(this);

final String aliasName = GET_YOUR_CERTIFICATE_ALIAS;
final String packageName = GET_YOUR_APP_PACKAGENAME;

boolean result = mDevicePolicyManager.grantKeyPairToApp
					aliasName, packageName );

Solution 2

Reset certificate setting after Android 12 upgrade.