The Certificate Manager (CertMgr) manages certificates and the Android Keystore on a device. The CertMgr can initialize the Android Keystore, install or uninstall CA Certificates to the Trusted Store and Android Keystore, and install or uninstall CA and/or Client Certificates to the Android Keystore.

Main Functionality

• Initialize Android Keystore
• Install or uninstall CA Certificates
• Install or uninstall Client Certificates

A Digital Certificate is an electronic document that can be used to prove an asserted identity. By possessing a valid Public Certificate and its matching Private Key, an entity can assert an identity, and through Certificate Validation prove to other entities that it is entitled to assert that identity. Certificate Validation is based on verification that an entity has the Private Key associated with the valid Public Certificate for the asserted identity, and that it was issued by a trusted Certificate Authority (CA).

To acquire a Public Certificate, an entity first generates a Public/Private Key pair. The entity then submits the Public Key along with identity information to a Certificate Authority (CA). The CA verifies the identity information provided by the requester, issues a Public Certificate that contains the submitted Public Key and identity information, and signs the Public Certificate using its own Private Key. By signing a Public Certificate with its own Private Key, the CA enables other entities that trust that CA to trust the Public Certificate once they verify that it was signed by that CA. Signing also enables entities to verify that the Public Certificate is genuine and has not been modified since it was signed by the CA.

Digital Certificates are issued for a specific duration, commonly called the Validity Window. A Certificate is not generally considered valid unless the current date is within the Validity Window for that Certificate. This requirement has two key implications. First, it means that entities that use Digital Certificates--especially those that perform Certificate Validation--need to know the correct date. Second, it means that entities that use Digital Certificates must periodically refresh them by replacing a soon-to-expire Certificate (in which the current date is near the end of its Validity Window) with a newer, but compatible Certificate (in which the identity information is the same but the current date is further from the end of its Validity Window).

Digital Certificates are most commonly used by Android in two ways:

• A Public Certificate can be used to establish trust by a device or some other entity, such as a server. The most common use of Public Certificates alone is to establish trust of a CA and hence of all Certificates issued by that CA. Such a Public Certificate is generally referred to as a CA Certificate. In addition, a Public Certificate could be used to verify that an application to be run on the device came from a trusted developer or to verify that a Server being accessed by the device is authentic.
• Second, a Public Certificate can be paired with a Private Key to allow the device to assert and prove an identity to another entity. Such a pairing of a Public Certificate with a Private Key is often referred to as a Client Certificate because it is commonly used by a Client on device to prove an identity that it asserts to a Server. A Client Certificate might be used to authenticate the device to a Wireless Local Area Network (e.g. EAP-TLS) or to a Web Server (e.g. HTTPS).

Zebra Android devices can store Digital Certificates in two primary areas:

• The Trusted Store is a protected area of the device that can only hold CA Certificates. The Trusted Store is present in the device by default and contains CA Certificates for many well-known and universally trusted CAs. The Trusted Store allows various system applications to establish trust of CAs that issue other Certificates.

• The Android Keystore is a protected area of the device that can hold both CA Certificates and Client Certificates. The Android Keystore must be initialized before it can be used and starts out empty. By adding CA Certificates to the Android Keystore, trust of additional CAs and Servers is established. By adding Client Certificates to the Android Keystore, the device can be provided with the ability to assert and prove various identities. The Android Keystore can be initialized only once; re-initialization requires an Enterprise Reset.

Digital Certificates are commonly acquired in the form of Certificate Files of various formats. Distinguished Encoding Rules (DER) is a standard scheme used to encode Digital Certificates. DER can be used directly to encode a Certificate as a binary Certificate File, which will usually have a file extension of .CER, but variations include .CRT and .DER. DER also can be used in conjunction with Base64 encoding to produce a text Certificate File according to the Privacy-enhanced Electronic Mail (PEM) standard. Certificate Files only encode Public Certificates, never Private Keys.

Private Keys are commonly generated or acquired in the form of a text Key File encoded according to the PEM standard. A common practice for Client Certificates is to combine a Public Certificate and a matching Private Key into a Container File using the Public-Key Cryptography Standards (PKCS) standard PKCS12. PKCS12 is an archive file format for storing multiple cryptography objects as a single binary file, usually with a file extension of .PKCS12, .P12, or .PFX. Container Files constructed according to the PKCS12 standard are typically encrypted based on a password to protect the Private Key contained therein. Encrypted Container Files require the original password to be supplied before they can be processed.