Certificate management policies
Last updated September 2nd, 2025
Refer to the following certificate management policies to control certificate settings, disabling or restricting certificates as needed for specific device deployments.
To use Certificate management policies, first set Enable certificate management controls to True. Ensure this control is enabled before setting any certificate management settings; if it is disabled, certificate management policy updates are ignored.
- Choose the Certificate revocation method most appropriate for your devices.
  - Enable revocation check — If enabled, certificates used by apps for encryption and signing are first checked against a Certificate Revocation List (CRL) to verify that they are still valid. Note that the Enabled for all apps option is not supported on devices running Knox 3.12 and higher.
    - Not enabled
    - Enabled for all apps (Not supported on Knox 3.12 and higher)
    - Enabled for specific apps only
  - Enable OCSP check before CRL — Set True to validate certificate revocation status using the Online Certificate Status Protocol (OCSP) before checking a CRL. If the OCSP response is inconclusive, the device performs a CRL check.
  - List of Apps to enable for validation — Enter comma separated values of the app packages targeted for certificate revocation checks. For example, com.xyz,com.abc. Enter a wildcard (*) to target all apps.
- Add trusted CA certificate — Add the name of a Trusted CA Alias already defined in the Certificate Alias. Enter values as a comma separated list of trusted CA aliases.
- Block User from removing certificate — Set True to restrict the user from removing certificates from the keystore. By default, users are allowed to remove certificates from the keystore.
- Allow apps to read private keys without alerting user — Set True, then go to Allowed apps for reading private keys Configurations (Premium) and add a configuration to let apps read private keys without device user knowledge or intervention. Enter the following for each configuration:
  - Package Name — The app receiving this private key read permission.
  - Host — The server host receiving this private key read permission.
  - Port — The server port receiving this private key read permission.
  - Alias — The private key alias granted to the app.
  - StorageName — The credential storage private key name allowing an app to read private keys.
- Install Certificate in keystore(s) silently — Enter the name of the CA Alias installed silently within the device keystore. Enter values as a comma separated list of trusted CA aliases.
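As an added illustration of the revocation order described under Enable OCSP check before CRL (not code from the Knox documentation or the Knox SDK), the Go program below applies the same rule: a conclusive OCSP answer decides, an inconclusive one falls back to a CRL, and with the OCSP option off only the CRL is consulted. The OCSPStatus type, IsRevoked and Fixture are hypothetical names; the CA, leaf and CRL are constructed in-process with Go's standard library, and the live responder query is replaced by the status value passed in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// OCSPStatus models a responder's answer (hypothetical type, not a Knox API): Good and Revoked are conclusive; Unknown also stands in for an unreachable responder or a malformed response.
type OCSPStatus string

const (OCSPGood OCSPStatus = "good"; OCSPRevoked OCSPStatus = "revoked"; OCSPUnknown OCSPStatus = "unknown")

// IsRevoked applies the documented order: with ocspFirst set, a conclusive OCSP answer decides and an inconclusive
// one falls back to the CRL; with it unset only the CRL is consulted. The CRL signature is verified before use.
func IsRevoked(leaf, issuer *x509.Certificate, ocspFirst bool, st OCSPStatus, crlDER []byte) (bool, string, error) {
	if ocspFirst && st != OCSPUnknown {
		return st == OCSPRevoked, "ocsp", nil
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer) // a CRL the CA did not sign vouches for nothing
	}
	if err != nil {
		return false, "", err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, "crl", nil
		}
	}
	return false, "crl", nil
}

// Fixture builds constructed test material: a CA, a leaf it issued, and a CA-signed CRL listing the leaf's serial. Errors are dropped because the inputs are fixed; the leaf reuses the CA key purely for brevity.
func Fixture() (leaf, issuer *x509.Certificate, crlDER []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &key.PublicKey, key)
	issuer, _ = x509.ParseCertificate(caDER) // the parsed copy carries the generated SubjectKeyId the CRL needs
	leafDER, _ := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(4242), NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}, issuer, &key.PublicKey, key)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlDER, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber,
		RevocationTime: now}}}, issuer, key)
	return leaf, issuer, crlDER
}
```

Because a tampered or unsigned CRL is rejected rather than treated as "nothing revoked", an attacker who can serve a forged CRL gains nothing; the device falls back to an error, not to trust.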