Carl Wallace
Oct 06, 2015
12:44 pm

Installing a CA certificate

The "To add certificates to government apps" section of the guide provides the following snip as an example of adding a certificate. However, the EnterpriseDeviceManager class does not have an addTrustedCaCertificateList (nor anything that resembles this). Can anyone point to the API that should be used to add a new CA or root certificate?

    EnterpriseDeviceManager edm = (EnterpriseDeviceManager) getSystemService(EnterpriseDeviceManager.ENTERPRISE_POLICY_SERVICE);
    CertificatePolicy mCertificatePolicy = edm.getCertificatePolicy();
    SecurityPolicy mSecurityPolicy = edm.getSecurityPolicy();
    List<X509Certificate> caList = new ArrayList<X509Certificate>();
    caList.add(certCA1);
    caList.add(certCA2);
    caList.add(certCA3);
    boolean retValue = mCertificatePolicy.addTrustedCaCertificateList(caList);

Kieran McCormick
Oct 06, 2015
5:32 pm

Hi Carl,

As per my first response, the CertificatePolicy class is only a part of the premium SDK. HERE is the method.

So using the EnterpriseDeviceManager object 'edm' will not allow you to use this method; you will need to use the KnoxContainerManager class from the premium SDK. This would be the proper way of instantiating the object:

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    KnoxContainerManager kmcm = ekm.getKnoxContainerManager(getBaseContext(), getContainerId() /* custom method to get container ID */);
    CertificatePolicy certificatePolicy = kmcm.getCertificatePolicy();

If you need any help with how to use/get started with the premium SDK please let me know!

Comments

Thanks. You can understand the confusion given the sample code that has the getCertificatePolicy invocation on an EnterpriseDeviceManager reference.

Carl Wallace, Oct 06, 2015 at 5:38 pm

Kieran McCormick
Oct 06, 2015
5:44 pm

Hey Carl,

Can you please give me a link to/let me know where that code snippet is? If that is in our documentation I would like to have it fixed ASAP as it is incorrect.

Comments

If you go to the "To add certificates to government apps" section of the premium SDK developers guide, then click on the nearby link called "To get CertificatePolicy and SecurityPolicy objects on the device side" that shows how to set up the mCertificatePolicy object referenced in the "To add certificates to government apps" sample, you will see where edm.getCertificatePolicy is called. Here is a link:

https://goo.gl/LKf50I

Carl Wallace, Apr 01, 2016 at 5:55 pm

Carl Wallace
Oct 06, 2015
4:50 pm

For clarity, my aim is to silently install a trust anchor certificate so that it appears in the User list in the Trusted credentials view of the Settings app. I can achieve this with a user prompt using a KeyChain intent. I have also tried the SecurityPolicy class, a reference to which can be obtained from the EnterpriseDeviceManager class as shown in the sample. This call returns success but the certificate does not appear in the store. The CertificatePolicy class does not appear to be the right mechanism for this. I was able to obtain a reference from the static CertificatePolicy.getInstance method and the call succeeds, but also does not place the certificate where I am aiming. Any guidance is welcome.

Carl Wallace
Oct 06, 2015
4:04 pm

Thanks, but oops on my part. I did not mean EnterpriseDeviceManager does not have addTrustedCaCertificateList, I meant it has no getCertificatePolicy(). How does one get the CertificatePolicy instance on which to invoke addTrustedCaCertificateList?

Kieran McCormick
Oct 06, 2015
6:00 pm

Thank you very much Carl. I have notified our documentation team and hope for this to be fixed shortly.

Did my code snippet solve the issue?

Please let me know if there is anything else I can help with.

Comments

No, but I pasted code that solved the issue earlier today. I just marked it as the selected answer.

Carl Wallace, Oct 06, 2015 at 6:07 pm

Carl Wallace
Selected Answer
Oct 06, 2015
5:01 pm

The snip below works. Instead of looking for a CertificatePolicy reference from EnterpriseDeviceManager, the SecurityPolicy class can be used.

    EnterpriseDeviceManager edm = (EnterpriseDeviceManager) getSystemService(
            EnterpriseDeviceManager.ENTERPRISE_POLICY_SERVICE);
    SecurityPolicy mSecurityPolicy = edm.getSecurityPolicy();

    // data: the certificate to install; "mycert": the name it is stored under
    boolean retValue = mSecurityPolicy.installCertificateToKeystore(
            SecurityPolicy.TYPE_CERTIFICATE, data, "mycert", null,
            SecurityPolicy.KEYSTORE_DEFAULT | SecurityPolicy.KEYSTORE_FOR_VPN_AND_APPS
                    | SecurityPolicy.KEYSTORE_FOR_WIFI);
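
Earlier in the thread an install call returned success while the certificate never showed up in the User list, so the boolean return value alone is not proof of installation. The following is an added example, not part of the original post and not Samsung's code: it checks the certificate before a silent install and confirms afterwards that it reached the user trust store. The class and method names are hypothetical, `expectedSha256Hex` is a fingerprint you obtain out of band, and the check assumes user-installed anchors appear in Android's `AndroidCAStore` keystore under aliases starting with `user:`.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/** Added example: checks to run around a silent trust-anchor install. */
public final class TrustAnchorCheck {

    /** SHA-256 fingerprint of the DER encoding, lowercase hex. */
    static String sha256Hex(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Call BEFORE installing: refuse anything except the one CA we expect. */
    static void requireExpectedCa(X509Certificate cert, String expectedSha256Hex)
            throws Exception {
        if (cert.getBasicConstraints() < 0) {
            throw new CertificateException("not a CA certificate (basicConstraints)");
        }
        cert.checkValidity(); // throws if expired or not yet valid
        if (!sha256Hex(cert).equalsIgnoreCase(expectedSha256Hex)) {
            throw new CertificateException("fingerprint does not match the expected CA");
        }
    }

    /** Call AFTER installing: true only if cert is in the user section of the CA store. */
    static boolean isInUserTrustStore(X509Certificate cert) throws Exception {
        // Assumption: user-installed anchors are listed here with a "user:" alias prefix.
        KeyStore ks = KeyStore.getInstance("AndroidCAStore");
        ks.load(null, null);
        String alias = ks.getCertificateAlias(cert); // null when the cert is absent
        return alias != null && alias.startsWith("user:");
    }
}
```

Call `requireExpectedCa` before `installCertificateToKeystore`, and treat the install as failed unless `isInUserTrustStore` returns true afterwards.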


Kieran McCormick
Oct 06, 2015
3:56 pm

Hi Carl,

You are right, the EnterpriseDeviceManager class does not have the addTrustedCaCertificateList() API that was called in the code you provided.

This method is in the premium CertificatePolicy class found here.

As seen in your provided code, the method addTrustedCaCertificateList() is called on a CertificatePolicy object. This class is only a part of the KNOX Premium SDK.