April 16, 2019

Knox Deep Dive: Certification Enrollment Protocols

Josh Fernandez

What are Certificate Enrollment Protocols (CEPs)?

Mobile apps such as email, browser, Wi-Fi, and VPN use digital certificates for authentication, digital signatures, and encryption.

CEPs provision and support digital certificates for apps within Samsung devices. This feature enables EMMs and third-party vendors to provide complete certificate enrollment without manual user intervention. Enterprises benefit as IT admins don’t need to issue certificates manually for each device and device users don’t need to authenticate themselves manually.

Enterprises can use CEP to:

  • Enroll, renew, or delete certificates, and
  • Check your deployment’s certificate enrollment or renewal status


What protocols and standards does CEP support?

KPE extends AE's certificate management APIs by providing this certificate enrollment service API that closely follows the latest security protocols. Therefore, there is no reason to enroll certificates insecurely or implement your own protocols.

The CEP service is very robust, and supports the following frequently used enrollment protocols for provisioning digital certificates:

  • Simple Certificate Enrollment Protocol (SCEP): an Internet Engineering Task Force (IETF) draft used to securely issue certificates to large numbers of network devices using an automatic enrollment technique
  • Certificate Management Protocol (CMP): an internet protocol used to manage X.509 digital certificates within a Public Key Infrastructure (PKI)
  • Certificate Management over Cryptographic Message Syntax, Enrollment Over Secure Transport (CMC-EST): describes a simple, yet functional, certificate management protocol targeting PPKI clients that need to acquire client certificates and associated Certification Authority (CA) certificates

You can enable certificate enrollment in the Knox platform using SCEP, CMP, and CMC-EST. For more information on these protocols, see the following resources:


How does the CEP service asymmetric key cryptography?

Asymmetric key cryptography uses public and private keys to encrypt and decrypt data. The public key is available to all users that use this cryptographic method. The other key—the private key—is a secret key that never leaves the device’s keystore.

An app uses the Samsung Knox CEP service to acquire the public part of the asymmetric key, encrypt a message, and then send the encrypted data to whoever issued the public key. The key owner then applies the private key using the Keystore and decrypts the encrypted information.


How do I install and access the CEP service?

CEP functions within the scope of either the Knox Workspace or personal space, depending on where it is installed.

If the deployment objective is to provision and manage certificates for apps inside the Knox Workspace only, then you must install the CEP services within the Knox Workspace. You can install CEP services within the Knox Workspace as follows:


Knox CEP in the Knox Workspace


On the other hand, if the objective is to provision and manage certificates for apps in the personal space, then you can install the CEP services in the personal space.

Flexible and secure, Knox CEP services enable enterprises to configure and automate certificate provisioning to meet their unique needs. The end result? A secure ecosystem allowing only trusted devices to exchange encrypted data, and the protection of corporate assets as well as personal data.


Next steps

To learn more about:


[Icon] close

Get the right solution for your business

Join 25,000+ organizations around the world.

[Icon] suitcase
Are you a reseller or solution partner?

Get access to the Knox Partner Program for helpful partner tools, such as the Knox Deployment Program portal, Knox MSP portal, partner SDKs, and more.

[Icon] info
Unified Endpoint Management
Knox Suite
Rebranding and customization
Knox Configure
Fraud and theft protection
Knox Guard
Device protection plan
Samsung Care + for Business
Other products & services

Get started with

[Image] Knox Suite

All-in-one solution bundle for enterprise mobility.

[Icon] Check mark

Join us and get a 90-day free trial for Knox Suite and other Knox products. *Approval required

[Icon] Check mark

A complete set of tools to secure, deploy, manage, and analyze your enterprise's corporate mobile devices.

[Icon] Check mark

Try powerful features bundled with Knox Suite, such as Knox Remote Support.

Knox Suite include:

[Icon] Knox Platform for Enterprise Knox Platform for Enterprise
[Icon] Knox E-FOTA Knox E-FOTA
[Icon] Knox Mobile Enrollment Knox Mobile Enrollment
[Icon] Knox Asset Intelligence Knox Asset Intelligence
[Icon] knox manage Knox Manage
[Icon] knox capture Knox Capture

Get started with

[Image] Knox Configure Logo

Remotely configure Samsung devices in bulk and tailor them to specific needs, right out of the box.

[Icon] Check mark

After approval, you can try both the:

  • Setup edition — designed for a one-time deployment
  • Dynamic edition — deploy and update policies as many times without a factory reset.
[Icon] Check mark

Try either the Setup edition or Dynamic edition of Knox Configure on up to 30 devices.

[Icon] Check mark

Get a free Knox Suite trial upon approval to try our UEM.

Get started with

[Icon] Knox Guard Logo

Remotely control Samsung devices to reduce financial risks and protect assets.

[Icon] Check mark

After you get approved, generate your free trial license for 90 days.


Try all the features of Knox Guard on up to 30 devices, including SIM control and device locking.

[Icon] Check mark

Get a free Knox Suite trial upon approval to try our UEM.

Get started with

[Image] Samsung Care Plus For Business Logo

Protect your business devices against accidental damage and mechanical breakdowns.

[Icon] Check mark

Are you already a Samsung Care+ for Business customer? Create an account and access the Samsung Care+ for Business console.

[Icon] Check mark

Contact the Samsung sales team and get peace of mind for your devices.

Other products & services

[Image] Others logo
[Icon] Check mark

Samsung offers additional solutions to serve the unique needs of your business. Talk to a Samsung expert today.

Back to top